The change to show the banner came out of the blue. It is not because IK and myself are not getting on.
IK has a process for verifying extensions that requires IK to look at the code and then add a signature to the extension. This signature is verified when the extension is loaded. The purpose behind it is to allow IK to have some control over third party extensions which can access all of the data and might make mistakes when updating.
The process is quite cumbersome as it has to be repeated for every update which puts the workload onto IK whenever I fix a bug or add a feature.
I have submitted all of my extensions for verification and am waiting on IK to provide the signed versions. Personally I think they are making a rod for their own back by doing this.
I just don't understand WHY? When you load an unsigned extension you are warned that it has not been reviewed by MD and may be harmful. Your choice to install. Now to nag you every time you open MD seems pointless.
Sean, consider adding an alternate text/font/color in the extensions dropdown instead of a red banner. Show the unsigned extension(s) in italics there. Currently, the banner only shows one at a time. This would show them all.
I've written two little extensions that make my life easier. Very specific and no use to anyone else. I just don't need to be warned about my own code.
I hope this is taken constructively. No *rant* intended.
Until this issue is resolved, another user Kevin N has spotted a workaround to hide the warning message and its red background.
Under PREFERENCES – THEME – click CUSTOMIZE. Note the colour for Default Background. Scroll down the list to
Make a note of these two items, there position in the list, as the text will disappear when you change their colour. Click on these two in turn to change them to same colour as Default Background. Click OK, OK and close and re-open Moneydance.
Sean Reilly on 05 Jan, 2020 10:44 PM
Yes, I will be dialing back the warnings, especially in order to allow people to run their own extensions and scripts without that annoyance. I do take the security of people installing unverified extensions seriously, but self-written scripts and extensions shouldn't have a non-removable warning message.
Just read Sean’s post as I was about to paste my reply. But will post anyway as it may help until Sean releases a new build.
If you were to install an unsafe extension the only warning you get is on installation, telling you that it is unsigned. This in itself does not tell you if the extension is safe or not. The warning simply means that as a third-party extension it has not been reviewed and signed by Infinite Kind (Moneydance). You should only install third party extension from known developers that have a track record e.g. Mike Bray and hleofxquotes.
The red banner warning on the summary page only displays one unsigned extension, you could have installed hundreds, but only one is displayed. Again, the warning only tells you that the extension is unsigned not if it is really unsafe.
You could change the two colours for
to softer colours so the warning is not so dominant, but can still be read.
I'd also like to add that it is a bad idea to install unsigned extensions created by anyone except for yourself. An unsigned extension from Mike Bray or hleofxquotes could be swapped out for one from MrEvilOnlineBankingPasswordThief and you'd have no way of knowing it. Or even easier, some random person on the forums could send you a link to an extension saying that it is from one of those guys, but there's no way for anyone to know.
Installing unsigned extensions from other people into your financial software is a *really* bad idea.
My opinion on that hasn't changed and I don't foresee it ever changing. I do want to let people build and run their own extensions on their own data without needing my or TIK's approval and without excessive warnings though, so I'm working on finding that balance.
Sean and Derek,
All good points! As someone who has had a bank account hacked, I am very security conscious too. I applaud your efforts to prevent bad code from coming in from MrEvilOnlineBankingPasswordThief - I'm dangerous enough on my own!