0install / 0install-win

Windows version of Zero Install
https://0install.net
GNU Lesser General Public License v3.0

Are all packages signed with Signpath foundation cert? Is this a malware vector? #171

Closed BrechtMo closed 2 years ago

BrechtMo commented 2 years ago

I am system administrator for a University.

Our AppLocker software security system is flagging a 0install.exe executable on a couple of computers lately. It is blocked as it is running in a non-trusted location (appdata / local). This seems to be linked to DeepL using 0Install since the last update.

Applocker can whitelist applications based on digital signature.

However, it seems like the 0Install.exe executable is signed with a certificate provided by 0Install (signpath foundation).

If I'm understanding this right, this means that every application packaged with 0install is signed with the Signpath Foundation certificate which means that also malware creators can easily create an executable that looks trusted.

Would anyone have a suggestion on how I can whitelist a certain trusted 0install package (and its future updates) without having to make new file hash whitelist rules for every new executable after an update?

bastianeicher commented 2 years ago

Hi @BrechtMo,

older versions of the DeepL app used a tool called Squirrel for automatic updates. With this, each version of DeepL was placed in a directory named %localappdata%\DeepL\VERSIONNUMBER. The executables inside these directories are signed by the company DeepL.

For newer versions using 0install for automatic updates this doesn't really change much in principle. Each version is placed in a directory named %localappdata%\0install.net\implementations\HASH. The executables inside these directories are still signed by the company DeepL. The only real difference is that there are additional files in the directory %appdata%\Programs\Zero Install.

So white-listing the DeepL app based on the same signature previously used should continue to work. You'll just need to additionally white-list 0install's signature provided by the SignPath Foundation. This will allow 0install itself to run, but AppLocker shouldn't apply this transitively to any apps launched by 0install.

In addition to this, 0install also generates so-called "stub executables" in %appdata%\0install.net\desktop-integration\stubs for things like auto-start entries. Since these executables are generated on-demand, they do not have digital signatures. However, their hash values do not change over time (even when an app is updated), so you can white-list them by hash.

Hope this helps. Please let me know if you have any further questions.
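One way to build the rules described above with the AppLocker PowerShell cmdlets (added example, not part of the issue or the 0install project): Publisher rules for the DeepL-signed and SignPath-signed binaries, Hash rules for the unsigned stubs. It assumes the directory paths from the answer exist on the machine and that the session is elevated.

```powershell
# Added example, not from the issue or the project. Paths follow the answer
# above and are assumed to exist; adjust them to the machine being configured.

# Signed executables: DeepL's own binaries under the 0install implementation
# directory, plus 0install itself (signed by the SignPath Foundation).
# Only files with a valid Authenticode signature are kept for Publisher rules.
$signedExes = @(
    Get-ChildItem "$env:LOCALAPPDATA\0install.net\implementations" -Recurse -Filter *.exe
    Get-ChildItem "$env:APPDATA\Programs\Zero Install" -Recurse -Filter *.exe
) | Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -eq 'Valid' }

# Generated stub executables are unsigned, but the answer notes their hashes
# stay stable across app updates, so Hash rules are appropriate for them.
$stubExes = Get-ChildItem "$env:APPDATA\0install.net\desktop-integration\stubs" -Recurse -Filter *.exe

# Gather AppLocker file information for both sets. With -RuleType Publisher, Hash
# the cmdlet emits a Publisher rule for signed files and falls back to a Hash
# rule for unsigned ones. By default the Publisher conditions include product
# and binary name, not just the certificate, so the rule does not blanket-allow
# everything signed by the same CA.
$fileInfo = (@($signedExes) + @($stubExes)) | Get-AppLockerFileInformation
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix '0install-DeepL' -Optimize

# Dry-run: confirm each collected file would be allowed under the new policy.
Test-AppLockerPolicy -PolicyObject $policy -Path (@($signedExes) + @($stubExes)).FullName |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the effective local policy once the dry-run looks right.
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Inspect the generated XML with `$policy.ToXml()` before merging if you want to review the exact publisher and hash conditions.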

BrechtMo commented 2 years ago

That's the information I needed. Thanks!