Open chrisdeke opened 1 year ago
The biggest problem with signing executables with trusted certificates is that it would cost nearly thousands of dollars per year (or more than thousands for 3+ years), which can get extremely difficult to maintain and would be a huge waste even if the developers had the resources to do so. Even creating their own certificate (a self-signed one to save money and resources) would never be a viable choice as it would automatically get blocked by Windows, and still display the "Unknown Publisher" warning whenever the user tries to run it.
There is also the possibility where malware can get signed using fake certificates and bypass Windows SmartScreen through various means. I am not sure if this has been done via proof-of-concept before, but I am confident that there could be samples out there that have exploited Windows SmartScreen.
Another issue is that application whitelisting has some downsides. Some methods of application whitelisting check if the file name and size are the same as the original executable. For example, if my executable file was named HateIsPeace.exe and it is 7.36 MB (7,721,472 bytes), there could be a possibility where malware would be able to replicate its exact size using garbage data paired with their own malicious code, with the same name as my original executable file.
If people are really that uncertain that the software they're going to use will or won't do anything malicious to their machines, they can always audit the code and compile their own binaries (since the project is open-source), and scan the binaries via VirusTotal or run it through a sandbox, even if the file does not have a digital signature.
Overall, I don't think it is feasible for the developers to digitally sign all of their executables due to the hefty pricing and resources needed to do so. I do not work for Open-Shell, but that's all I can really give from an individual developer's point of view.
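The name-plus-size weakness described in the comment above, shown as an added example (not code from this thread or from Open-Shell): two constructed byte strings with the same file name and the same length pass a name/size allowlist rule, while a SHA-256 rule only admits the original. The file name HateIsPeace.exe comes from the comment; the byte contents and sizes are constructed.

```python
import hashlib

# Constructed sample "executables" (plain byte strings, not real PE files).
ORIGINAL = b"MZ" + b"\x00" * 100 + b"original program body"
# A second file padded with filler so its length exactly matches ORIGINAL.
# This is what a size-only check cannot distinguish.
_BODY = b"different body"
IMPOSTOR = b"MZ" + _BODY + b"\x00" * (len(ORIGINAL) - 2 - len(_BODY))
assert len(IMPOSTOR) == len(ORIGINAL)

FILE_NAME = "HateIsPeace.exe"  # name taken from the comment above


def sha256_hex(data: bytes) -> str:
    """Content hash used by the stronger allowlist rule."""
    return hashlib.sha256(data).hexdigest()


# Two allowlist styles keyed on the same file name.
# Weak rule: identity is (name, size). Any file of that length qualifies.
NAME_SIZE_ALLOWLIST = {(FILE_NAME, len(ORIGINAL))}
# Stronger rule: identity is (name, sha256). Every byte must match.
HASH_ALLOWLIST = {(FILE_NAME, sha256_hex(ORIGINAL))}


def allowed_by_name_and_size(name: str, data: bytes) -> bool:
    return (name, len(data)) in NAME_SIZE_ALLOWLIST


def allowed_by_hash(name: str, data: bytes) -> bool:
    return (name, sha256_hex(data)) in HASH_ALLOWLIST


def evaluate(name: str, data: bytes) -> dict:
    """Report the verdict of both rules for one candidate file."""
    return {
        "name_size": allowed_by_name_and_size(name, data),
        "hash": allowed_by_hash(name, data),
    }


if __name__ == "__main__":
    # Expected: original passes both; impostor passes name/size only.
    print("original:", evaluate(FILE_NAME, ORIGINAL))
    print("impostor:", evaluate(FILE_NAME, IMPOSTOR))
```

The hash rule has its own maintenance cost, since every rebuild changes the hash and the allowlist must be updated, which is the gap a publisher signature is meant to close.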
and scan the binaries via VirusTotal or run it through a sandbox, even if the file does not have a digital signature.
Interestingly, VirusTotal (at least via ProcessExplorer) indicates some matches, for the copy I obtained from Github. Sure it's not scanning the binaries, but the process overall seems suspicious to VirusTotal. Why is that?
Since the program is open-source, you can just audit the code. I don't see why an open-source program would seem suspicious with 4 detections from obscure antivirus brands (usually, we try to find detections from well-known brands: Microsoft, Avast, Malwarebytes, Kaspersky, McAfee, Sophos, Symantec) unless it is actually that malicious (again, reason why a sandbox/virtual machine is recommended before running anything on your own machine). I wouldn't rely on the first four detections anyways.
If that still sounds like an issue, then you can always try building Open-Shell yourself with the source code.
Apparently there's Asseco Data Systems S.A., who provide the Certum code signing certificate service. Then on the Certum Shop store there's an item for buying Code Signing Certificates which is dedicated to Open Source software. It is a fairly low price considering that the normal cost of buying a code signing certificate is hundreds of dollars. In this case, as of writing, it currently ranges between 29.00 Euros and 69.00 Euros.
https://www.assecods.pl/en
https://shop.certum.eu/data-safety/code-signing-certificates.html
Is your feature request related to a problem? Please describe.
Security best practices now require application whitelisting, which greatly increases the value of digitally signed executables.
Describe the solution you'd like
Please consider signing all your executable files!
Area of issue
Installation/Other
Alternatives you've considered
No response
Additional context
No response