Download FAQ

Why does my browser show a security warning?

CommandLane is new software and hasn't built up download reputation with Google Safe Browsing yet. This is normal for new applications and doesn't mean the software is unsafe.

Our Security Measures:

✅ Digitally signed with Microsoft Azure Code Signing
✅ Clean scan on VirusTotal (0/70+ detections)
✅ SHA256 checksum provided for verification
✅ Open source - all code is auditable on GitHub

How to Download Safely

Chrome

Click the download link on the Releases page
Chrome will show "This file is not commonly downloaded" warning
Click the three-dot menu (⋮) next to the blocked download
Select "Keep dangerous file"
The download will complete

Edge

Click the download link on the Releases page
Edge will show a similar warning about uncommon downloads
Click the three-dot menu (⋮) next to the download
Select "Keep"
Confirm by clicking "Keep anyway" if prompted

Firefox

Firefox typically doesn't show warnings for signed executables, but if you encounter one:

Click the download link
If warned, click "Allow" or the download arrow
Right-click the download → "Continue with download"

Verify Download Integrity

After downloading, verify the file hasn't been tampered with by checking the SHA256 checksum:

certutil -hashfile CommandLane_0.2.0_x64-setup.exe SHA256

Compare the output with the SHA256 checksum published in the release notes. They should match exactly.

Example:

Release notes SHA256: abc123def456...
Your download SHA256: abc123def456...  ✅ Match - safe to install

Alternative Installation Methods (No Warnings)

Winget (Windows Package Manager)

The fastest way to install CommandLane without browser warnings:

winget install CommandLane

info

Winget submission is coming soon. This option will be available in a future update.

Microsoft Store

CommandLane will be available on the Microsoft Store in a future update, providing:

✅ No security warnings
✅ Automatic updates
✅ Instant trust from Windows

Why Do These Warnings Exist?

Reputation-Based Filtering

Google Safe Browsing and Microsoft SmartScreen use reputation-based filtering to protect users:

New software without download history = flagged as "uncommon"
Downloads over time build reputation
User trust signals (clicking "Keep anyway") help build reputation
No abuse reports + time = automatic whitelist

CommandLane is currently in the early adoption phase. As more users download and install, the warnings will naturally decrease.

Code Signing Isn't Instant Trust

Even properly code-signed executables (like CommandLane) show warnings if they lack reputation:

Extended Validation (EV) certificates no longer provide instant SmartScreen reputation
Standard and EV certificates are treated equally
Reputation must be built over time through downloads

What We're Doing About It

Immediate Actions (Completed)

✅ Reported to Google Safe Browsing as false positive
✅ Reported to Microsoft SmartScreen for validation
✅ Uploaded to VirusTotal (clean scan: 0/70+ detections)
✅ Published SHA256 checksums with every release
✅ Created this FAQ to help users understand the warnings

Near-Term

🔄 Submitting to Winget for trusted installation
🔄 Monitoring reputation build through download metrics
🔄 Re-reporting if warnings persist after initial review

Long-Term

📅 Microsoft Store submission for maximum trust
📅 Organic reputation building (downloads + user trust signals)
📅 Reduced warning frequency as reputation grows

Is My Download Safe?

Yes, if you:

✅ Downloaded from official GitHub Releases
✅ Verified SHA256 checksum matches release notes
✅ See "CommandLane" as the publisher when running installer
✅ Windows shows certificate details: "Microsoft Azure Code Signing"

Red flags (contact support if you see these):

❌ Downloaded from third-party website
❌ SHA256 mismatch
❌ No digital signature or wrong publisher name
❌ VirusTotal scan shows detections (should be 0/70+)

VirusTotal Scan Results

Every release is scanned on VirusTotal with 70+ antivirus engines:

📊 Current Scan Status: View latest scan

Detections: 0/70+ (clean)
Signed: Yes (Microsoft Azure Code Signing)
Timestamp: Sectigo (trusted timestamping authority)

You can upload the installer yourself to verify: https://www.virustotal.com

Still Have Concerns?

Option 1: Wait for Reputation

If you're uncomfortable clicking through warnings, wait 2-4 weeks for:

Download count to increase
Google/Microsoft to process our false positive reports
Warnings to naturally decrease

Option 2: Verify Everything

Power users can verify the download is safe:

Check SHA256 checksum (see above)
Verify digital signature:
```
Get-AuthenticodeSignature CommandLane_0.2.0_x64-setup.exe | Format-List
```
Should show: "Status: Valid", "SignerCertificate: Microsoft Azure Code Signing"
Upload to VirusTotal and check for detections
Review source code on GitHub (open source)

Option 3: Contact Us

If you have security concerns or questions:

📧 Email: security@commandlane.ai
💬 GitHub Issues: Report a concern
📖 Security Policy: See SECURITY.md

Technical Details

Code Signing Details

CommandLane uses enterprise-grade code signing:

Signing Method: Azure Code Signing (Microsoft's cloud-based solution)
Certificate Authority: Microsoft-trusted CA
Digest Algorithm: SHA256
Timestamp Server: Sectigo (http://timestamp.sectigo.com)
Signed Components:
- ✅ Python sidecar executable (pkb-sidecar.exe)
- ✅ NSIS installer (CommandLane_X.Y.Z_x64-setup.exe)

What Gets Checked

When you download CommandLane:

Chrome/Edge sends metadata to Google Safe Browsing:
- File name and type
- Download URL and hosting domain
- File size and hash
- (Not the actual file contents)
Safe Browsing checks:
- Publisher reputation (new publisher = flagged)
- Download frequency (low count = flagged)
- Abuse reports (zero for us = good)
- Known malware signatures (clean = good)
Result: "Not commonly downloaded" warning (expected for new software)

Timeline to Clear

Based on industry data for similar applications:

Early weeks: False positive reports processed, some improvement
First month: Download count builds, warnings decrease
Months 2-3: Established reputation, minimal warnings
Months 3-6: Normal distribution experience

Your download helps build reputation - each "Keep anyway" click signals trust to Google/Microsoft.

Why does my browser show a security warning?​

How to Download Safely​

Chrome​

Edge​

Firefox​

Verify Download Integrity​

Alternative Installation Methods (No Warnings)​

Winget (Windows Package Manager)​

Microsoft Store​

Why Do These Warnings Exist?​

Reputation-Based Filtering​

Code Signing Isn't Instant Trust​

What We're Doing About It​

Immediate Actions (Completed)​

Near-Term​

Long-Term​

Is My Download Safe?​

VirusTotal Scan Results​

Still Have Concerns?​

Option 1: Wait for Reputation​

Option 2: Verify Everything​

Option 3: Contact Us​

Technical Details​

Code Signing Details​

What Gets Checked​

Timeline to Clear​