Any chance of getting a signed installer?

[Jim McKeeth 62]

I noticed the installer for GExperts isn't signed, which produces the Windows Defender SmartScreen warning on installation

 

 

It is easy enough to bypass the SmartScreen, but the digital signature provides useful security to know the installation is valid and not tampered with. Example of digital signature on RAD Studio installer

 

 

After SolarWinds and then the recent XZ Backdoor, it is becoming very important for developers to secure their supply chain. There are even laws coming down in the US and EU about this.

 

@Ian Barker has a blog post with more details...

 

Thanks!

 

[dummzeuch 1431]

I'm not going to buy a certificate just so I can sign my open source programs.

 

But if anybody else wants to create a signed installer, go ahead. GExperts is open source after all. Just make sure you comply with the license.

[Jim McKeeth 62]

Understandable. I didn't realize they jacked up the prices and complexity of certificates. And thanks for all you do in maintaining GExperts!

Edited May 22 by Jim McKeeth

[Anders Melander 1677]

4 hours ago, Jim McKeeth said:

After SolarWinds and then the recent XZ Backdoor, it is becoming very important for developers to secure their supply chain. There are even laws coming down in the US and EU about this.

FUD much?

[Jim McKeeth 62]

Hardly FUD. You really should do some research before responding. When I was at DEFCON last year there were speakers from the EFF talking about the EU laws, and I have friends who work in cybersecurity here in the states. Hardening the software development supply chain is a really big deal.

 

Update: Sorry for my snippy response. Security is in fact a really big issue. Please do read up more on it before you dismiss the concept completely. 

Edited May 23 by Jim McKeeth

[baka0815 12]

Well regarding social engineering attacks like in the case of the XZ backdoor, a signed executable would hardly deliver additional protection.

 

@dummzeuchwouldn't it be possible to get a certificate from let's encrypt (https://letsencrypt.org/de/)? Otherwise a self-created certificate should be enough. One would only need to install this into the machines certificate store to the list of trusted certs.

[Patrick PREMARTIN 56]

20 minutes ago, baka0815 said:

Well regarding social engineering attacks like in the case of the XZ backdoor, a signed executable would hardly deliver additional protection.

 

@dummzeuchwouldn't it be possible to get a certificate from let's encrypt (https://letsencrypt.org/de/)? Otherwise a self-created certificate should be enough. One would only need to install this into the machines certificate store to the list of trusted certs.

Let's Encrypt deliver only website certificates, they are not compatible with code signing on Windows.

[Patrick PREMARTIN 56]

9 hours ago, dummzeuch said:

I'm not going to buy a certificate just so I can sign my open source programs.

Certum has lower prices for open source projects, but it's a "by project" CSC : https://shop.certum.eu/code-signing.html

(having sponsors could help in any case)

 

For current Delphi 11 and 12 releases I can sign them for you if you want.

[dummzeuch 1431]

22 minutes ago, Patrick PREMARTIN said:

For current Delphi 11 and 12 releases I can sign them for you if you want.

Thanks for your kind offer.

But how would that work in practice?

The point of signing is trust, so if you sign the installer you are taking over the responsibility for this installer. If "anything bad" happens due to running this installer, you will be blamed for it because you signed it.

 

Therefore you'd have to read the GExperts source code and also the installer script to make sure they don't contain anything malicious, and in addition you would have to keep track of any changes made to them. - Alternatively you would have to trust me and all past (many) and current (very few) contributors to GExperts. - Then you'd have to build the DLL and the installers - simple: Get the source code and run two batch files - and sign it.

[Patrick PREMARTIN 56]

Globally yes, I have to trust you... and Windows have to trust me. 😉

 

For current exe's we can assume that they have been downloaded and installed enough for me to sign them with my eyes closed and return the signed exe for troubleshooting and to avoid smartscreen, for the future it would be better if this was done at source.

[dummzeuch 1431]

The current installer for Delphi 11 and 12 contains an ancient DLL which is full of bugs (mostly in highDPI environments), so I don't think it should be re-released just as a signed executable.

I'll think about it.

[Jim McKeeth 62]

11 hours ago, Patrick PREMARTIN said:

For current Delphi 11 and 12 releases I can sign them for you if you want

That is fabulous of your Patrick. I don't currently have a certificate but was looking into getting a new one.

 

[Tommi Prami 123]

Don't know what is the current situation, and it most likely varies greatly by certificate vendor and so on.

But...

CoWorker wanted to sign free apps, and it was huge mess. What I can remember he could not get the certificate, because he is individual and not the company, and would have needed lawyer and so forth to validate to certificate vendor that he is who he says he is. Or something like that. 

And this clearly is large problem, IMHO, Open Source or free apps people or teams are releasing for free and not for business, should have reasonable priced certificate, with reasonable byreogracy. Most likely ones that can solve this might not be here reading this. But this seems like solvable problem. 

But is anyone have some ideas how to get certificate for OpenSource/free project, at reasonable price (all of our mileage might vary) and so on, leave comments.

 

-Tee-

 

[Patrick PREMARTIN 56]

There are 2 CSC levels, the first one is allowed for people, the second only for companies.

[baka0815 12]

Well, we need to trust the exe (and @dummzeuch) as it is currently and that doesn't change in the future. So @dummzeuchcould just create a new self-signed certificate and use that to sign the executable.

Sure, Windows will complain at first, because the certificate is not trusted, but adding that certificate to the local store shouldn't be a problem and from that point onward it would work.

 

 

[Kas Ob. 101]

I just don't get it !??

 

WHY ?

 

The source is there, and i only can imagine the amount of the hours and work went into it to make it compliable as simple as few clicks, it is not like you need the compiled version for Microsoft Office PowerPoint.

Just download the god damn repository (the source) and build it.

For the binary from GetIt (not sure if it is there) then it is Embarcadero responsibility to build it and sign it, aka making it trustable.

And that it is.

 

Having the source and build it will make it better by ensuring bugs and mistakes are fixed in time and a call to every user to engage in the project. 

[dummzeuch 1431]

1 hour ago, baka0815 said:

Well, we need to trust the exe (and @dummzeuch) as it is currently and that doesn't change in the future. So @dummzeuchcould just create a new self-signed certificate and use that to sign the executable.

Sure, Windows will complain at first, because the certificate is not trusted, but adding that certificate to the local store shouldn't be a problem and from that point onward it would work.

How do I create a self signed certificate for signing executables? I am only aware of that option for TLS certificates (for secure internet connections).

[dummzeuch 1431]

6 minutes ago, Kas Ob. said:

For the binary from GetIt (not sure if it is there)

No, it's not there. And I don't plan to put it into Getit.

[Kas Ob. 101]

@Patrick PREMARTIN , that is very kind and nice, my certificate will expire in a month and would offer to sign useful and needed binaries but not for open source that easily can be build by the same IDE will use it, still it is disturbing to see Embarcadero as chain supplier supply signed code not built by them, again this might be useful for hard to build binaries or closed source projects.

 

1 hour ago, baka0815 said:

Well, we need to trust the exe (and @dummzeuch) as it is currently and that doesn't change in the future. So @dummzeuchcould just create a new self-signed certificate and use that to sign the executable.

Sure, Windows will complain at first, because the certificate is not trusted, but adding that certificate to the local store shouldn't be a problem and from that point onward it would work.

First half is somehow fine, the second is NOOOOOOOOOOOOO
Don't ever add certificates to your OS trusted store at a whim or for one single binary.

 

The most lethal attacks is the ones that violate trust chain, see, any application you are running on your PC with elevated privileges might/can add trusted certificate, silently, a lethal stage for next part of the attack form different binary that you might download and click, and this time nothing will detect it or stop it.
 

As for Embarcadero then the proposed of self signed or lets say self issued certificate might work, but it should not be in the OS store, it should be in the IDE and only the IDE -well in this case GetIt- will validate that certificate and execute the binary after confirming it is from Embarcadero, that works, it must parse the certificate and run it on its own, then either by notify you it is OK to pass SmartScreen or use a DLL version of the installer and execute it with its privileges, so no OS complains.

 

@dummzeuch Thank you, and no one should ask you to be responsible for securing an an open source project, or waste time and money on that.

[Kas Ob. 101]

6 minutes ago, dummzeuch said:

How do I create a self signed certificate for signing executables? I am only aware of that option for TLS certificates (for secure internet connections).

Well, creating self signed certificate for code signing is easy as the certificates for key exchange certificates (aka SSL/TLS), it is in the Extended Key Usage defined by OID

 

against

 

BUT , both above are end certificates and not self signed, and code signing by self signed is no-no for any AV or for SmartScreen for many reason

1) the best practice is to have SelfSigned which will be called root that allow to issued and sign CA or end certificate, am talking out of debugging for developers, out of debugging certificates should never be a self signed.

2) Such self signed and any signed certificate signed (issued) by it (CA and end) must have a way to be revoked, this will bring whole different beast to the table, the certificate must have OCSP and/or CRL server that answer for the validity for this certificates, such server must also time stamp with signature its response, CRL and OCSP are fields in certificate with according OID and specific format, CRL response should be signed by the selfsigned while OCSP is really complex response.

 

Sorry for the extended details, but i think it might be useful for some.

[Sherlock 639]

59 minutes ago, dummzeuch said:

How do I create a self signed certificate for signing executables? I am only aware of that option for TLS certificates (for secure internet connections).

I actually did that a couple of months ago, but lost my little "how to". So here is the basic steps taken from this link https://sid-500.com/2017/10/26/how-to-digitally-sign-powershell-scripts/ and an SO answer:

1. Generate the key:

New-SelfSignedCertificate -DnsName email@yourdomain.com -Type CodeSigning -CertStoreLocation cert:\CurrentUser\My

2. Export the certificate without the private key:

Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath code_signing.crt

The [0] will make this work for cases when you have more than one certificate... Obviously make the index match the certificate you want to use... or use a way to filtrate (by thumprint or issuer).

3. Import it as Trusted Publisher

Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\TrustedPublisher

4. Import it as a Root certificate authority.

Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\Root

5. Sign the script (assuming here it's named script.ps1, fix the path accordingly).

Set-AuthenticodeSignature .\script.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)

And that should do it for your machine. Obviously the last steps need to be done on every client that is supposed to recognize this certificate.

[Patrick PREMARTIN 56]

Just a reminder about self-signed certificates: they're no more valid than no certificate for Windows, and that's normal.

 

Nothing prevents someone from creating one with the same name as the original certificate and spreading malware in the software.

 

The advantage of expensive certificates is that there is a check on the identity of the signatory or his company. This is the only reason to use certificates: to validate the issuer and ensure that the file has not been modified since it was signed.

 

Self-signature can only be used within a company, with a key distributed to company devices for internal software. For external software, it's of no use at all.

To create a personal certificate, all you have to do is go to the environment options in the Windows deployment level, and the IDE will suggest either using an existing certificate, or creating your own.

[PeterPanettone 156]

On 5/23/2024 at 7:45 AM, baka0815 said:

let's encrypt (https://letsencrypt.org/de/)

Isn't that certificate only for websites? He needs a certificate for signing executables.

Edited May 25 by PeterPanettone