HaxeFoundation / haxe

Haxe - The Cross-Platform Toolkit
https://haxe.org

Signed binaries #7720

Open Neverbirth opened 5 years ago

Neverbirth commented 5 years ago

Due to how security works at my company we have problems switching between Haxe versions. I checked with them and it looks like applications should be signed.

It seems also defining the binary metadata like Product name and Copyright could be helpful, but I wouldn't bet my life on it, as I saw in their system the word "Publisher" and that's just a certificate thing.

RealyUniqueName commented 5 years ago

#6867 may be related.

Neverbirth commented 5 years ago

Yeah, the reason for the need is different, but it's the same situation, feel free to close this as duplicate if you prefer, but would be great if the priority of this is increased.

Simn commented 5 years ago

This is a Haxe Foundation Partner request from Docler. We might not be able to do this for the next RC, but we definitely have to get it right for 4.0 final.

Neverbirth commented 5 years ago

I guess that for our case having a self-signed certificate would be good enough, but unlikely with #6867, and surely (as well as sadly) other enterprises also have this kind of requirement.

I did a bit of research yesterday night and found some cheap providers like Comodo, and maybe more interesting for Haxe this one, which has a special offer for open source projects. I don't know which certificate provider would be more desirable in the end.

The process of signing the binary is already explained on #6867 and seems to be simple.

If you need help paying for the certificate don't hesitate to contact me and I will gladly help with it.

For the binary metadata what I saw is that it is necessary to define a version-information resource, and then link when compiling the binary (no idea about OCaml, only checked C related resources, maybe OCaml provides some easy way of defining this data).

https://docs.microsoft.com/en-us/windows/desktop/menurc/versioninfo-resource

ncannasse commented 5 years ago

Thanks for the offer, Haxe Foundation can take care of buying the certificate. The actual problem is more about setting up the CI so the certificate is available for automatic builds, and making sure all the scripts are correctly set up and run. We discussed that with @Simn at HaxeUP, we will most likely need some help from @andyli


back2dos commented 5 years ago

Bump ;)

ncannasse commented 5 years ago

@andyli can you look into this?

andyli commented 5 years ago

Maybe. I have zero idea of how this can be done though. It would be great if someone with the experience could point me in the right direction.

RMax2015 commented 5 years ago

https://docs.microsoft.com/en-us/windows/desktop/menurc/versioninfo-resource

https://docs.microsoft.com/en-us/windows/desktop/appxpkg/how-to-sign-a-package-using-signtool It looks like you need to run the SignTool from Windows 8+.

Hope this helps!

andyli commented 5 years ago

There happens to be a code-signing-related discussion on Hacker News today:

Notepad++ drops code signing for its releases - https://news.ycombinator.com/item?id=19329330

Some quotes:

Windows signing is a ripoff, $500/year you're getting nothing. Your certificate is not trusted. You have to "get reputation for it" before Windows Defender would stop giving users warnings. Also, renewing a certificate is not a thing. Every time you have to get a new one, with the same story of "reputation" again.


No joke - it took me 2 weeks to get the CSC with about 4 hours per day working on just this CSC issue.

It's just a labyrinth of insanity from not having a listing on D&B to them insisting I pay $2k to expedite it.

I still don't have one from Apple because it requires a D&B number so I had to get a personal cert from them.

I went with a cheap one for Windows BUT it gives errors on install for like the first 1k downloads until Windows says it's legit.

It's a complete scam.


Just saying this could be painful. I guess we still have to go through this to help users comply with their company policies.

I think it is better to have @ncannasse get the cert first, since the process involves answering phone calls and filling out company info, which I guess wouldn't be as convenient for me to do.

Simn commented 5 years ago

@Neverbirth: Did I understand correctly that adding the metadata would be "good enough" for now?

Neverbirth commented 5 years ago

Sadly not :/. I provided our IT department with a lix version with the metadata and it was not enough... what I didn't get to check is if a "trusted" certificate is needed, I think a self-signed one is good enough. I wanted to look into that these past days but I was busy... A valid certificate would probably be needed for things like the ones mentioned above: antiviruses, UAC, etc.

SundialServices commented 5 years ago

I suspect that, in the end, a variation of the letsencrypt.org strategy will prevail, because it is most important that the executable is signed, not that someone paid money or that someone else looked up an address in a phone book and made a call that was answered.

"Code signing" fundamentally exists to resist tampering, not to "vouch for" the thing that was originally signed. Malware can easily be found in a signed package, and very often is, but we still know in that case that the malware was inserted by the bearer of that certificate, and not injected after the fact.

So, I fully expect that code-signing certificates will be "free," such that every executable will be signed, the benefit being obtained by the fact that a signature exists at all. Now you will know that the package which you downloaded is, byte-for-byte, exactly what someone else "signed." And that is enough.

ncannasse commented 5 years ago

There seem to be two kinds of certs for code signing, "normal" ones and "EV" ones; only the latter gives instant SmartScreen reputation, but it requires two-factor auth so I guess it's harder to automate. I'll get a normal one for now.

gene-pavlovsky commented 5 years ago

I've had some experience with this issue when I was doing a job for a client in the USA.

With my guidance, they bought an EV code signing certificate from DigiCert. EV means "extended validation", and there are some differences:

On Windows, the signing can be done with the SignTool command-line tool, which comes with the MS Windows SDK. The EV cert from DigiCert has to be renewed every year; once bought, they send you an updater that uploads the updated certificate to the hardware USB token.
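As a defender-side companion to the SignTool step above (an added example, not code from this thread or from the Haxe project): a header-level check that a downloaded PE file actually carries an embedded Authenticode blob, which is the first thing a corporate allow-listing tool looks for. It reads only the security data directory and the WIN_CERTIFICATE header; it does not validate the signature, the chain or SmartScreen reputation, which is what `signtool verify` or PowerShell's `Get-AuthenticodeSignature` are for. `build_fake_pe` is a constructed minimal header used purely to exercise the check.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot holding the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, the type signtool embeds

def authenticode_info(pe: bytes) -> dict:
    """Report whether a PE image embeds an Authenticode certificate table.
    Header inspection only: no signature, chain or reputation verification."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)    # data directory table: PE32+ vs PE32
    off, size = struct.unpack_from("<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return {"signed": False, "blob_len": 0}
    # Unlike other directories, this entry is a raw file offset to a WIN_CERTIFICATE header
    length, revision, ctype = struct.unpack_from("<IHH", pe, off)
    return {"signed": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "cert_type": ctype, "revision": revision, "blob_len": length}

def build_fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header, only to exercise the check above (not a real exe)."""
    hdr = bytearray(0x40)                              # DOS header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0" + bytes(20)                       # COFF header (contents irrelevant here)
    opt = bytearray(240)                               # PE32+ optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    blob = b""
    if signed:
        # WIN_CERTIFICATE: dwLength (header + data), wRevision 2.0, wCertificateType, DER stub
        blob = struct.pack("<IHH", 8 + 4, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\x30\x82\x00\x00"
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(hdr) + len(opt), len(blob))
    return bytes(hdr) + bytes(opt) + blob

if __name__ == "__main__":
    # Usage: python check_sig.py <path to downloaded binary>; without a path, runs on the fake header
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_fake_pe(True)
    print(authenticode_info(data))
```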

gene-pavlovsky commented 5 years ago

By the way, it seems to be possible to use EV code signing certificates with CI/CD pipelines with some amount of setup involved: https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing/47894907#47894907 Many of the answers offered there sound incredibly insecure; it seems that for the sake of automation people are introducing huge security holes which could let attackers sign whatever they want with your name. The official answer from DigiCert, by the way, says: "Unfortunately, part of the security with the EV Code Signing Certificate is that you must enter the password every time. There is not a way to automate it." They should have said specifically "there is no secure way to automate it".

Personally I think that unless you plan to make a new release once a week, it's safer to require manual intervention to enter the password to unlock the signing certificate. Otherwise anyone who manages to gain access to your CI could sign whatever they wanted.

joshtynjala commented 2 years ago

I’ve been very happy using a normal/OV code signing certificate purchased from KSoftware to release Windows software that I develop and sell. They seem to offer the best pricing, if that’s any concern.

https://www.ksoftware.net/code-signing-certificates/

In my opinion, an EV certificate wouldn’t have added any important value for my business. I recall one SmartScreen-related question from a user soon after I started using the certificate several years back, but none after that. I guess my software gained enough reputation quickly (and it’s certainly less popular than Haxe), so EV kind of seems like a ripoff to me.

Hoping to see this improvement to the Haxe installation experience soon!