Question: how to handle installers without direct links?

[JudahGabriel]

As I'm playing with this tool, I notice a great deal of Win32 apps have installers which are not available for direct link. This prevents them from being used with winget.

For example, IrfanView, a popular image viewer and editor. Its installer is listed on the 3rd party site fosshub.com. Here is the link: https://www.fosshub.com/IrfanView.html?dwl=iview454_x64_setup.exe

The URL is misleading, however: this isn't the actual installer link, it's a page (with ads) that programmatically triggers downloading the installer. This way, there is no direct link to the installer, and thus, fosshub gets ad views to subsidize their bandwidth.

Looking at Irfanview's download page, all the installers are on 3rd party sites, and all of them prevent hotlinking like this.

How can I submit a manifest when the installer doesn't have a direct URL? Obviously, I could host the installer myself, but my servers couldn't handle e.g. a million downloads. Will Microsoft fetch these installers and mirror them on its own CDN? IMO, this is the best option.

[JudahGabriel]

Follow up: I tried moving the installer to my own CDN and direct linking to that, but that doesn't work either. The PR fails saying it couldn't validate whether the installer contained malicious software. 🤷‍♀️🏳

The URL to the installer is on my CDN: https://winget.b-cdn.net/iview454_setup.exe

Exact error I'm getting:

The package manager bot determined there was an issue with one of the installers listed in the url field, and cannot continue. Please verify the installers are not malicious. If you feel this failure is in error, please file an issue.

I do feel it's in error.

[denelon]

This has been something we've been investigating. We do SmartScreen and a few other checks to reduce the likelihood of malicious software ending up in the repository.

[nathpete-msft]

@JudahGabriel in this specific case IrfanView does provide their own hosting, they just hide it under alternate downloads:
https://www.irfanview.info/files/iview454_x64.zip

I'd recommend taking a look at where manifests other package managers like Scoop are pulling from as a reference point. That's how I found that link for IrfanView:
https://github.com/lukesampson/scoop-extras/blob/master/bucket/irfanview.json

[chausner]

@JudahGabriel in this specific case IrfanView does provide their own hosting, they just hide it under alternate downloads:
https://www.irfanview.info/files/iview454_x64.zip

Even that link is not a direct download:

iwr https://www.irfanview.info/files/iview454_x64.zip

StatusCode        : 200
StatusDescription : OK
Content           : <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
                    <html><head><meta
                     content="text/html; charset=ISO-8859-1"
                     http-equiv="content-type"><title>download: files/iview454_x64.zip</title>…

They deliberately got rid of all direct links.
You only get the direct download when setting the referer appropriately:

iwr https://www.irfanview.info/files/iview454_x64.zip -Headers @{Referer="https://www.irfanview.info/files/iview454_x64.zip"}

[JaiganeshKumaran]

You can download the file and then check for the actual download link in your browser.

[lavinir]

You can download the file and then check for the actual download link in your browser.

Those are usually dynamically generated links that expire. I'm also looking for a good solution to this but have not found one outside of hosting it myself.

[JudahGabriel]

Yep, these are dynamic links that are generated with a special token. This isn't a URL that can be used in winget packages; the link won't work.

This is again why winget needs to have its own CDN mirror of installers.