JanDeDobbeleer / oh-my-posh

The most customisable and low-latency cross platform/shell prompt renderer
https://ohmyposh.dev
MIT License

The installer posh-windows-386.exe is flagged as a threat. Request to establish authenticode signature. #767

Closed romanrozinov closed 2 years ago

romanrozinov commented 3 years ago

Description

As part of the rollout attempt of oh-my-posh to the development team, it is detected as a threat by SentinelOne software. Vendor's response is that increasing reputation score would help by signing the executable with Microsoft's Authenticode technology, see SignTool.

Hence the request for enhancement to establish the signature for the installation executable, as opposed to relying on static hashes every release.

Steps to Reproduce

  1. Install-Module oh-my-posh -Force

Expected behavior:

Installation should be successful.

Actual behavior:

Installation is aborted due to antivirus flagging the executable.
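As an added example (not code from this issue or the oh-my-posh project), a PowerShell check an administrator could run on the downloaded installer before rolling it out: it accepts a Valid Authenticode signature, and otherwise falls back to the per-release SHA-256 the report mentions as the current alternative. The expected hash, signer subject and file path are placeholders.

```powershell
# Added example (not part of the oh-my-posh project): gate an installer on its
# Authenticode signature, falling back to a pinned SHA-256 for unsigned releases.
# $ExpectedSha256 and $TrustedSubjects are placeholders; take them from the
# release's published checksums and the signer you expect.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,
        [string[]] $TrustedSubjects = @()
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing'; Detail = 'file not found' }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Status 'Valid' means the signature chains to a trusted root and the file was
    # not modified after signing. Optionally pin the signer subject as well, so a
    # validly signed binary from a different publisher is still rejected.
    if ($sig.Status -eq 'Valid') {
        $subject = $sig.SignerCertificate.Subject
        if ($TrustedSubjects.Count -gt 0 -and ($TrustedSubjects -notcontains $subject)) {
            return [pscustomobject]@{ Path = $Path; Verdict = 'UntrustedSigner'; Detail = $subject }
        }
        return [pscustomobject]@{ Path = $Path; Verdict = 'Signed'; Detail = $subject }
    }

    # NotSigned, HashMismatch, NotTrusted, ...: fall back to the pinned release hash
    # (the same kind of check winget performs before it runs an installer).
    $detail = "status=$($sig.Status) sha256=$hash"
    if ($ExpectedSha256 -and $hash -eq $ExpectedSha256.ToUpperInvariant()) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'HashPinned'; Detail = $detail }
    }
    return [pscustomobject]@{ Path = $Path; Verdict = 'Reject'; Detail = $detail }
}

# Usage with placeholder values: stop the rollout unless the verdict is Signed or HashPinned.
$result = Test-InstallerTrust -Path "$env:TEMP\install-amd64.exe" `
    -ExpectedSha256 '<sha256 from the release checksums>' `
    -TrustedSubjects @('CN=<expected signer subject>')
$result | Format-List
if ($result.Verdict -notin 'Signed', 'HashPinned') { exit 1 }
```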

romanrozinov commented 3 years ago

I am aware of #708 but this issue is related to psm1 install script itself which I believe should also be signed, if not already, to allow greater adoption in enterprise environments.

JanDeDobbeleer commented 3 years ago

We've talked about code signing before but the certificates are way too expensive for a project such as this. So, unless you can add an exclusion in Sentinel (that should be possible though on company level), or we find a sponsor for said certificate, there's not much we can do for the time being.

JanDeDobbeleer commented 3 years ago

@romanrozinov missed your second comment. I'm curious, what happens when you use scoop/winget to install the oh-my-posh executable? Because the module is simply a wrapper for that anyways.

mcroach commented 3 years ago

Possible solution to this eventually may be https://sigstore.dev/ managed by the Linux Foundation. In its current form it appears to support signing of Linux/Windows executables. Not sure if in its current form it could also be used to sign powershell modules or if that might be a future option.

JanDeDobbeleer commented 3 years ago

@mcroach yup, it was hinted before. Waiting on it to come to life. In theory, having the executable signed should be sufficient.

fasterinnerlooper commented 3 years ago

This Twitter thread has some suggestions: https://twitter.com/mehedih_/status/1411969294724968449?s=21

ShaneYu commented 3 years ago

Not sure if this is related or not, but McAfee is flagging the .exe as a detected threat containing a Trojan virus.

Edit: I can see it's related and it's also affecting all install methods (PS, winget etc); even downloaded the source and tried to build it and McAfee jumps on it. Really big shame as I love using it at home.

JanDeDobbeleer commented 3 years ago

We're eagerly awaiting a sponsor or sigstore coming to life :-)

darkvertex commented 3 years ago

@JanDeDobbeleer Did you know there is a handy Github Action for autoscanning releases for viruses via the awesome VirusTotal API?

Maybe it'd be worth adding it to the release workflows eventually: https://github.com/marketplace/actions/virustotal-github-action

Won't fix your occasional false positive but it may help you a) spot which AV engines are flagging your executables, and b) may help give people more confidence the threat is false if they can click through to a linked virus scan report that shows there is 1 lonely false positive out of 92 antivirus engines utilized.

If you've never heard of VirusTotal before, it's a great tool that scans a file with a ton of commercial and free antiviruses all at once. Here's an example scan from the 5.16.5 amd64 exe.

jonaskuske commented 2 years ago

We've talked about code signing before but the certificates are way too expensive for a project such as this.

Not sure if that's helpful here, but I've added this affordable OSS certificate to my bookmarks some time ago: https://shop.certum.eu/data-safety/code-signing-certificates/open-source-code-signing-on-simplysign.html

Some limitations apply, don't know if they're a dealbreaker:


MattBDev commented 2 years ago

Since signing certificates are expensive have you considered packing as a MSIX and publishing in the Microsoft Store? It doesn't completely solve the issue since some Windows machines may have a group policy set that blocks the Store but does sign the app. My company uses Cortex XDR and OhMyPosh was detected as a threat and blocked.

JanDeDobbeleer commented 2 years ago

@MattBDev if you have a good guide on how to set this up, let me know. Always down for this.

MattBDev commented 2 years ago

@JanDeDobbeleer There is a good guide here on how to do it on CI/CD Pipelines. There is also this link for doing it over the command line.

JanDeDobbeleer commented 2 years ago

I'm actively working on this. Expect this to land within the next week(s) if all goes according to plan.

floh96 commented 2 years ago

@JanDeDobbeleer btw yesterday I discovered the digicert MVP Program https://www.digicert.com/friends/msmvp/ just fyi

JanDeDobbeleer commented 2 years ago

@floh96 I'm actively working on that, pending identity validation but it takes time (planned for next week Friday).

mekwall commented 2 years ago

Just a heads up that the latest update is getting flagged by Windows Security.

JanDeDobbeleer commented 2 years ago

Keep me in the loop as to how this evolves:

OranguTech commented 2 years ago

@JanDeDobbeleer - FWIW, it worked for me just fine on a new-ish Win10 install:

PS C:\Windows\System32>winget install JanDeDobbeleer.OhMyPosh -s winget
Found Oh My Posh [JanDeDobbeleer.OhMyPosh] Version 8.13.1
This application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
Downloading https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/v8.13.1/install-amd64.exe
  ██████████████████████████████  6.55 MB / 6.55 MB
Successfully verified installer hash
Starting package install...
Successfully installed

mekwall commented 2 years ago

Works fine here as well! No false positives by Windows Security 🎉

github-actions[bot] commented 10 months ago

This issue has been automatically locked since there has not been any recent activity (i.e. last half year) after it was closed. It helps our maintainers focus on the active issues. If you have found a problem that seems similar, please open a discussion first, complete the body with all the details necessary to reproduce, and mention this issue as reference.