Signing on Windows: "Windows protected your PC" #95

Open
strogonoff opened this issue Jul 30, 2020 · 18 comments
Labels
⚙️ ops Operations, CI etc.

Comments

@strogonoff
Contributor


@strogonoff strogonoff added the ⚙️ ops Operations, CI etc. label Jul 30, 2020
@strogonoff strogonoff pinned this issue Jul 30, 2020
@ronaldtse
Member

No idea why this happens...? Will need to investigate.

@strogonoff
Contributor Author

strogonoff commented Jul 31, 2020 via email

@strogonoff
Contributor Author

strogonoff commented Jul 31, 2020 via email

@ronaldtse
Member

Yes we have Windows signing; previously the signing worked -- no warning was displayed on my Windows machine on launch of the application. The Windows code signing certificate is from DigiCert.

@strogonoff
Contributor Author

strogonoff commented Aug 21, 2020

> Yes we have Windows signing; previously the signing worked -- no warning was displayed on my Windows machine on launch of the application. The Windows code signing certificate is from DigiCert.

@ronaldtse it appears that this warning is displayed only when you open the app for the first time. (Presumably, for each new version too.) I still think it has something to do with signing.

@strogonoff
Contributor Author

It was confirmed with the latest v1.6.17.

@ronaldtse
Member

We're apparently missing Windows signing in this repo.

@batyr-tar

The issue is still present in the latest version Glossarist 1.6.38.

@ronaldtse
Member

Windows signing in this repo is enabled, and you can see it in the build logs. It seems to succeed.

https://github.com/glossarist/glossarist-desktop/runs/1135873363?check_suite_focus=true

2020-09-18T20:52:53.6120773Z   • install prebuilt binary  name=keytar version=6.0.1 platform=win32 arch=x64
2020-09-18T20:52:53.9214455Z   • packaging       platform=win32 arch=x64 electron=9.1.1 appOutDir=dist\win-unpacked
2020-09-18T20:52:54.4634430Z   • downloading     url=https://github.com/electron/electron/releases/download/v9.1.1/electron-v9.1.1-win32-x64.zip size=70 MB parts=4
2020-09-18T20:52:56.0734680Z   • downloaded      url=https://github.com/electron/electron/releases/download/v9.1.1/electron-v9.1.1-win32-x64.zip duration=2.111s
2020-09-18T20:53:04.3448090Z after build; disable sandbox
2020-09-18T20:53:04.8849840Z   • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
2020-09-18T20:53:05.4275786Z   • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=966ms
2020-09-18T20:53:06.5467495Z   • signing         file=dist\win-unpacked\Glossarist.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:53:10.2819633Z   • building        target=nsis file=dist\install-glossarist-desktop-1.6.40.exe archs=x64 oneClick=true perMachine=false
2020-09-18T20:53:10.2822033Z   • building        target=portable file=dist\glossarist-desktop-1.6.40-portable.exe archs=x64
2020-09-18T20:53:11.2075931Z   • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
2020-09-18T20:53:11.2077815Z   • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=747ms
2020-09-18T20:53:12.3343836Z   • signing         file=dist\win-unpacked\resources\elevate.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:51.8865021Z   • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
2020-09-18T20:54:52.2273760Z   • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=678ms
2020-09-18T20:54:53.6719133Z   • signing         file=dist\glossarist-desktop-1.6.40-portable.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:53.7076670Z   •   Signing NSIS uninstaller  file=dist\__uninstaller-nsis-glossarist.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:55.2206117Z   • publishing      publisher=Github (owner: glossarist, project: glossarist-desktop, version: 1.6.40)
2020-09-18T20:54:56.2066206Z   • uploading       file=glossarist-desktop-1.6.40-portable.exe provider=GitHub
2020-09-18T20:54:56.2292125Z   • signing         file=dist\install-glossarist-desktop-1.6.40.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:57.9975555Z   • building block map  blockMapFile=dist\install-glossarist-desktop-1.6.40.exe.blockmap
2020-09-18T20:54:58.8300126Z   • uploading       file=install-glossarist-desktop-1.6.40.exe.blockmap provider=GitHub
2020-09-18T20:54:58.8319026Z   • uploading       file=install-glossarist-desktop-1.6.40.exe provider=GitHub
2020-09-18T20:55:01.2373329Z Done in 128.72s.

Perhaps if someone can show the signature details using SignTool.exe?
https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature

@strogonoff
Contributor Author

@batyr-tar will take a look at it

@strogonoff
Contributor Author

So far I think these are two somewhat separate issues:

  • It is important that signing works (Batyr will clarify in a bit using signtool)
  • However, even if it does work, “Windows protected your PC” screen may still appear—from what I gather, Microsoft is using some sort of reputation system, and even despite proper trusted signature it will throw this screen for new software until it is considered “trusted”.

@strogonoff
Contributor Author

Once proper signature is confirmed, I think we can consider this screen “unfixable” until Microsoft’s reputation black box starts favoring us.

@batyr-tar

The certificate chain looks adequate, but for some reason is not trusted. I am not sure whether it is an issue with my Windows or SDK installation.
Digital Signatures tab in Properties shows no problems.

@strogonoff
Contributor Author

Thanks @batyr-tar

@strogonoff
Contributor Author

Same error on another Windows machine:

Verifying: C:\Users\froot\Downloads\install-glossarist-desktop-1.6.40.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha1): 2693FA123AE5A7925C043B11AB2C6F730EB8B1CC

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 07:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 19:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: Ribose Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Fri Nov 18 19:00:00 2022
            SHA1 hash: 597A5F33C2C77E37D60D034E89A94AF8DA8BF4E7

The signature is timestamped: Sat Sep 19 03:54:56 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 07:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 07:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 07:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
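
A complementary check to the SignTool output above, as an added example that is not part of the thread: it reports the file's Authenticode status, walks the signer's chain, and shows whether the file carries the download marker, which keeps apart the two questions raised earlier (is the signature valid, and is the prompt reputation-based). The file path is an assumption.

```powershell
# Added example (not from the thread). $Path is an assumption: point it at the
# installer you downloaded.
param([string]$Path = "$env:USERPROFILE\Downloads\install-glossarist-desktop-1.6.40.exe")

# 1. Authenticode verdict as Windows evaluates it for this file.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Status         : $($sig.Status)"   # Valid, NotSigned, HashMismatch, NotTrusted, ...
"StatusMessage  : $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) { return }   # unsigned: nothing more to inspect
"Signer         : $($sig.SignerCertificate.Subject)"
"Timestamped by : $($sig.TimeStamperCertificate.Subject)"

# 2. Build the signer's chain for the code-signing EKU and list per-certificate problems.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
[void]$chain.ChainPolicy.ApplicationPolicy.Add(
    [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))   # id-kp-codeSigning
$chainOk = $chain.Build($sig.SignerCertificate)
"Chain builds   : $chainOk"
foreach ($el in $chain.ChainElements) {
    $problems = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $problems) { $problems = 'OK' }
    "  {0}  {1}  [{2}]" -f $el.Certificate.Thumbprint, $el.Certificate.Subject, $problems
}

# 3. Is the chain's last certificate in this machine's trusted root stores?
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trusted = (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)") -or
           (Test-Path "Cert:\LocalMachine\AuthRoot\$($root.Thumbprint)")
"Root trusted   : $trusted ($($root.Thumbprint))"

# 4. Mark of the Web: browsers add a Zone.Identifier stream to downloaded files.
$motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) { "Zone.Identifier: $($motw -join '; ')" } else { "Zone.Identifier: absent" }
```

The thumbprints it prints can be compared with the SHA1 hashes in the SignTool output. With SignTool itself, `signtool verify /pa /v <file>` selects the Default Authenticode Verification Policy; without `/pa` it verifies against the Windows Driver Verification Policy.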

@ronaldtse
Member

This may be related...

https://docs.microsoft.com/en-us/security/trusted-root/2020/july2020

This release will add the EV Code Signing OID to the following roots:
...
16. Digicert \ DigiCert Assured ID Root CA \ 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

Apparently it is supposed to be around? Woot?

@ronaldtse
Member

Ah, someone else has run into this issue: storj-archived/storjshare-gui#36 (comment)

@strogonoff
Contributor Author

strogonoff commented Sep 21, 2020 via email
