Beware of fake Paint.NET releases – or, there is no 4.0 yet!

I just received an e-mail from BetaNews this morning,

Rick,

Someone just submitted a 4.0 Alpha of Paint.NET. Do you want us to post this release? We would of course not post it over top of v3.36, but we would post it as a separate release.

Let me know.

Thank you

Well, that was strange — I haven’t publicly released anything! I have some people on the forum doing some private testing on the install/update changes, but nothing too exciting. So I wondered if one of them leaked it (they didn’t), and inquired further.

As it turns out, there’s another download site that’s hosting a file called "Paint.NET.4.00.Alpha.rar," no doubt based on a trusted user submission. This was then simply forwarded to BetaNews.

So I downloaded the file and pawed around, although I did not run the EXE inside of the RAR. Here’s what I found:

  1. The file size was wrong. Like I said in my previous post, the installer is currently 3.7mb. I really doubt that RAR can compress a heavily LZMA-compressed archive down by another 25%. (Or vice versa)
  2. The file name was wrong. "Paint.NET.4.00.Alpha.exe" is a good guess, but you can see even from the screenshot in my previous post that the file name I’m using is actually "Paint.NET.4.0.Install.exe" (I would put an Alpha in there for an Alpha release though, of course).
  3. The file version of the EXE was wrong. The real one would say 4.0.0.0 for the EXE-inside-the-ZIP. This one was 0.0.0.0.
  4. And here’s the kicker, the file wasn’t digitally signed by me. In fact, it wasn’t signed at all!

The first 3 can be faked easily enough, and I’m not worried about divulging that information. The last one cannot be faked*.

My conclusion was that it’s probably a virus, and so I told BetaNews not to publish the file. If it was a leak, that would be annoying but at least it would be reasonably "safe" (plus it would expire soon anyway, limiting the "damage").

So, how do you verify that you have a "genuine" Paint.NET installer? It all comes down to the 4th one: the digital signature. I sign every release of Paint.NET with a certificate that has the dotPDN LLC name on it. It will show up all throughout the process of downloading and installing it, because Windows and Internet Explorer like to remind you about it about 5 times.

Although, as a digression, the best way to make sure you have a "genuine" Paint.NET installer is to simply go to http://www.getpaint.net/ and go from there.

Anyway, when you run the installer EXE in Windows XP, you will get a dialog like this: (assuming you downloaded the ZIP from the website and ran the EXE from there — using something like WinRAR / WinZIP might not result in this)

Note how it highlights the Publisher name, which is dotPDN LLC. If you click on the name, you’ll get a dialog titled "Digital Signature Details". It should say, near the top, "This digital signature is OK." This is the same dialog you’ll see a little later in this post.

In Windows Vista, UAC will help you out here. You’ll get a dialog like this when you try to run the installer:

The dialog states "dotPDN LLC" again, and has the neutral colors as opposed to the big yellow warning version of the UAC dialog.

You can also verify the signature before you launch the program, which is of course a good thing. You want to get the installer EXE unpacked somewhere, then right click and go to Properties:

Next, go to the tab named "Digital Signatures." If there is no such tab, then the file is not signed and you’re done — the file is not from me, or is corrupted/incomplete somehow. You should see an entry for dotPDN LLC:

Go ahead and click the "Details" button for the final step of verification:

The key here is "This digital signature is OK." At that point you know the file is "genuine", and neither corrupt nor incomplete.
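The same check can be scripted with PowerShell's built-in `Get-AuthenticodeSignature` cmdlet. This is an added example, not code from Paint.NET or its author; the function name `Test-InstallerSignature` and the installer path are hypothetical, and the publisher name is the one given in this post.

```powershell
# Added example: command-line equivalent of the "Digital Signatures" tab check.
# Test-InstallerSignature is a hypothetical helper name, not part of Paint.NET.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name as stated in the post.
        [string] $ExpectedPublisher = 'dotPDN LLC'
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # NotSigned     -> the file carries no signature (no "Digital Signatures" tab)
    # HashMismatch  -> contents do not match the signed hash (modified or corrupt)
    # anything else -> the signature or its certificate chain could not be validated
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Only look at the name once the signature itself has validated;
    # a publisher name on an invalid signature proves nothing.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedPublisher) {
        Write-Warning "Validly signed, but by '$signer', not '$ExpectedPublisher'."
        return $false
    }

    # File version is informational only: it is easy to fake, unlike the signature.
    $version = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    Write-Host "OK: signed by '$signer' (file version $version)."
    return $true
}

# Placeholder path: point it at the EXE unpacked from the downloaded ZIP.
$installer = '.\Paint.NET.Install.exe'
if (Test-Path -LiteralPath $installer) {
    Test-InstallerSignature -Path $installer
}
```

An unsigned file like the fake described above fails at the first check with a status of `NotSigned`, before the publisher name is ever examined.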

And hey, if someone says, "Hey I found an alpha of Paint.NET version 4.0!" the first thing you should do is go to the Paint.NET website. If it’s not there, then it’s not real!

And yes, I’ve informed the other download site that the "Paint.NET 4.00 Alpha" is probably a virus and that they should remove it.

* Well, I shouldn’t say it can’t be faked. No doubt someone will hack around and prove me wrong eventually. For now though, it’s a fairly safe statement to make.


12 thoughts on “Beware of fake Paint.NET releases – or, there is no 4.0 yet!”

  1. Nidonocu says:

    Hey Rick, I’m wondering if you can recommend any particular site for small ISVs to get fairly cheap but valid signatures from for their software? Every place I search for seems to charge an arm and a leg and when you’re running on donations or less, it’s a bit hard to afford that sort of cost.

  2. Rick Brewster says:

    Nidonocu — I’ve been using Comodo. When I first purchased it was $99/year, but now it’s $179/year. Verisign is $400 or $500/year.

    For client software it doesn’t really matter who you get your cert from as long as their main cert is descended from one of the trusted root certificates built-in to Windows.

  3. Trixie says:

    Are you sure it’s a virus? I don’t know much about programming and stuff like that.
    And also, on my version 3.36 it has NO digital signatures! But it’s a perfectly fine version of Paint.NET! It might be a different fake. I downloaded it about 20 minutes ago, and yes, it was one of the windows that pop up when I open Paint.NET asking me to download it.

  4. Rick Brewster says:

    Trixie – I never said it was a virus. I said it was *probably* a virus. I neither scanned it nor ran it.

    The exe/dll files in the install directory are mostly unsigned, for certain performance reasons. The digital signature is on the *installer* EXE.

    In fact, the built-in updater for Paint.NET will not install an update that fails a signature check (or that isn’t signed).

  5. User @ Sweden says:

    Please do not make it bloated the new version 4.0. I like the present one as it is.. More features and more advanced would make it harder to use/learn. At present I am always installing this to friends/family and tell them how to donate.. (All instead of Adobe’s costly bloatware 🙂

  6. Onxe says:

    I love to have the new features also this is a great program easy to use. I mod for Oblivion game and yeah the .dds has come in handy very much the ability to see those texture files but I am hoping for a new feature that will make it able to make alpha maps for the .dds texture files, do this and wow save me 1000 dollars buying the photoshop. Pretty please, love the modders and save us dollars 🙂

  7. Daniel says:

    Nidonocu – I’ve bought a code signing certificate from K-Software for $99/year. They are a reseller for Comodo, and the certificates are fully valid and remove the UAC unsigned warning. As far as I can see, the price is the only difference from buying it directly from Comodo.

    (No, I’m not associated with K-Software ;-))

  8. DarkHate says:

    Onxe, check out the PDN forums. There’s a few plug-ins that allow for alpha masking, etc. The one I got worked perfectly.

  9. sue says:

    My properties didn’t have the digital signature tab, I have Vista, so I decided to remove it and just reinstall it new, but when I went to uninstall there next to the name Paint.NET v3.36 it says dotPDN LLC. so that means it’s a good copy, yes?
