Code signing

[tushev]

Hi,

I would like to ask you to consider signing the installer - not to get rid of AV warnings, but for authenticity reasons.

I'm aware that it costs money ($29/yr at Certum OpenSource Signing), so I cannot ask for AuthentiCode. But even GPG signatures would be OK.

I (and probably many others) would like to be sure that the binaries are really coming from (and authorized by) you.

[chrisant996]

It's more complicated than that.

There are three kinds of signing. I understand you're not asking for signing to get rid of antivirus warnings, but just to be clear none of the code signing mechanisms prevent false positive detections from anti virus suites.

Update: There's a fourth kind of code signing; Certum Open Source Code Signing. See bottom of this comment for details.

Self signed

I could make my own certificate, and sign using that.

Every user would have to manually download my certificate and manually install it into their Trusted Root certificate collection. Also, when an employer locks down a computer, that is blocked. This is arguably a worse experience than unsigned, for most users.

Self-signing doesn't get past SmartScreen's reputation filter.

Code Signed

I could pay a couple thousand dollars every couple of years to get a basic code signature.

It's true that sites advertise signatures for anywhere from $29 to $99 to $199 etc per year. But that is a misleading number: it is the price of only the certificate itself.

What they don't mention until later in the purchase transaction is that you also have to pay an attorney to research you and draw up documents to prove that you are a real person and that you are not malicious. That is several hundred dollars, minimum, and can reach a couple of thousand dollars.

Code signing doesn't get past SmartScreen's reputation filter.

I am still considering spending up to $1500 for this, but also be aware that is the cost every couple of years. This is actually very expensive for an independent open source author.

EV Code Signed

Only public companies with multiple employees can get EV Code Signing, and it costs a lot more money. I am not a public company, nor do I have any employees.

EV code signing gets past SmartScreen's reputation filter, but not past anti virus detection.

UPDATE: There's a fourth kind of signing.

Certum Open Source Developer Code Signing

See Certum Open Source Code Signing for more information. As of this writing, the cost is $89 for a cert plus hardware card to store it, and $36 shipping to the USA. Renewal is expected to be $29 per year.

[chrisant996]

Short version:

This is not likely to happen in the near future.

$29 is very misleading; that's the price of only the certificate itself. You must pay several hundred dollars (potentially a couple thousand) to have an attorney research you and write up documents to prove you are who you say are and that you're not malicious.

[tushev]

@chrisant996 OK, thank you for your reply!

And what about GPG signatures? They require zero legal and financial investment, and still provide a good level of verifying the authenticity of the packages. All you need is to generate a GPG key (if you don't have one already), and sign binaries with a detached signature. Then anyone who is concerned will be able to verify the signatures. And the majority of unconcerned users can continue downloading without any UI/UX changes :)

[chrisant996]

And what about GPG signatures? They require zero legal and financial investment, and still provide a good level of verifying the authenticity of the packages. All you need is to generate a GPG key (if you don't have one already), and sign binaries with a detached signature. Then anyone who is concerned will be able to verify the signatures. And the majority of unconcerned users can continue downloading without any UI/UX changes :)

That's "Self Signed", which I discussed in my previous reply.

I'll try looking into that again when I get a chance, but I thought signing binaries with a certificate that isn't installed in the Trusted Root certificate collection led to more prompts and potentially more blocking. I was under the impression it can actually produce a worse experience for the majority of users.

[tushev]

@chrisant996 thanks again. If you would need any help should you decide to implement it, feel free to contact me.

I was under the impression it can actually produce a worse experience for the majority of users

GPG signatures differ from AuthentiCode code signing (aka "the usual certificates"). They produce a file with detached signature, like clink.1.4.25.e0d48c_setup.exe.sig. You normally would put this file into Release assets: https://github.com/notepad-plus-plus/notepad-plus-plus/releases/tag/v8.5.3 , and only the people who are interested in it would download it. The EXE/ZIP itself remains completely intact; Windows UX remains unchanged as well.

[chrisant996]

I understand what you're suggesting, now.

Clink has an auto-updater. Would you disable the auto-updater? You would need to, in order for GPG signing to have any meaningful value.

I have to admit, I'm a bit skeptical about the practical value of GPG signing executables on Windows. It seems like it merely enables manual detection of tampering after the tampered binaries are likely to have already been executed.

1. It can be used to manually detect if the local files are modified. That's not a very credible threat; if something can modify the local files then you have a much bigger problem. Clink binaries are a very low value target, and if they can be modified/replaced/deleted then it means an unlimited supply of much higher value targets can also be modified/replaced/deleted.
2. It can be used to manually detect whether files manually downloaded from github have been victim to either a man-in-the-middle attack or github itself having been compromised. Those could potentially happen. But how many people go through all the manual effort needed for every file that's downloaded for everything that's GPG signed? And again if github is compromised then you have much bigger problems. And if your network is compromised then you have much bigger problems. GPG signed Clink seems like a fraction of a drop in the bucket in either of those scenarios.
3. Neither GPG signing nor any other kind of signing are effective if the author's account or computer are compromised. Any time you trust a signature, you are trusting that nothing got compromised on the author's side.

I don't think GPG signing offers much practical value here.

With that said, if someone wants to add a framework for GPG signing Clink builds, please share a PR and I'll certainly take a look!

In the meantime, I'm more likely to pay an attorney to draft the necessary documents and enable normal code signing. Though that isn't a priority for me at the moment.

[pukkandan]

While I agree with the limited practical use, all you need to do is generate a key pair, publish the public key in the repo, gpg --import the private key in your system, and add a gpg --batch --detach-sign <exe_file> to your release workflow.

With that said, if someone wants to add a framework for GPG signing Clink builds, please share a PR and I'll certainly take a look!

There isn't really anything for a PR since you'd have to do most of these steps yourself.

[chrisant996]

generate a key pair, publish the public key in the repo, gpg --import the private key in your system, and add a gpg --batch --detach-sign <exe_file> to your release workflow. There isn't really anything for a PR since you'd have to do most of these steps yourself.

No, release generation is fully automated, not manual.

That list doesn't include the main work items:

1. Update the release action in installer/premake5.lua to sign the files and generate a .zip file containing the detached signatures.
2. Write documentation about how to use the GPG signature certs to verify the files.

Those are what a PR would contribute.

On Windows, GPG signatures are for a niche audience, and have little practical value. If someone produces a PR for GPG signing releases, I'm willing to review the changes and give feedback, and merge them once approved. (And of course, upload an additional .zip file each time a release is published.)

[chrisant996]

@tushev In case it got missed, this is worth reiterating:

Clink has an auto-updater. Would you disable the auto-updater? If you'd leave the updater enabled, then GPG signing would have no value at all.

The only material value in GPG signing the Clink installer or binaries inside the .zip file is for verifying copies of the installer or .zip files cross-posted to other sites. I only maintain github as a release point, and I'm not going to spend my time helping people feel slightly more safe when downloading from unsupported non-official sites.

But if someone produces a PR to update the automated release action and add docs (see previous reply) then I'll review and merge the PR once approved.

P.S. And if it's desired to have the auto-updater support verifying GPG signatures automatically, then there is a lot of additional work to be done to add code for that into Clink, and to add documentation for how to configure the computer to enable Clink to verify signatures automatically.

[tushev]

@chrisant996 Yes, I see your point. If release generation was manual, then it would be as simple as three clicks in Kleopatra + touching the Yubikey (if you have one), and uploading the *.sig files along with other files. With automated releases, it's quite an effort to integrate it. Especially because it's not recommended to store the private key "somewhere" in the cloud - it literally brings zero security value. The whole point of GPG signing is to mitigate possible 'cloud' / 'distribution point attack' against a possible compromise / account takeover.

Would you disable the auto-updater?

If the code is not signed, I tend to put some effort into verifying it - so I always disable it everywhere and update manually.

And if it's desired to have the auto-updater support verifying GPG signatures automatically, then there is a lot of additional work to be done to add code for that into Clink

Actually, it's just downloading two files instead of one (with names sanitation), followed by execution of gpg --verify \"${tempSigFileDownloadName}\" shell command. If that command's exit code is 0, then the signature is valid. If it fails (no gpg installed, no key in pubring, etc) - just stop updating and display error message. And sure, this all should be turned off by default. This is definitely not for general users. The only docs required are a name of configuration flag - people who use GPG definitely know how to import your pubkey into the keyring etc.

Well, if your releases are built and uploaded to GitHub automatically - I don't see any reason to put a significant effort and modify this process. But if you were uploading release assets manually, then it's just one small extra step.

Anyway, Authenticode 'true' code signing would be better.

BTW, it's the first time I hear about such a great $1500 legal effort. My two friends obtained OSS certs from Certum, and all that they provided were photos of biometric travel document + video of them holding this document + photos of utility bill + GitHub link. It was (€69 for a certificate itself together with a set of smart card and reader) + shipping into their country. The renewal is just €25.

[pukkandan]

No, release generation is fully automated, not manual.

I did not realize that, sorry. I looked at Actions and didn't see anything, so assumed it is manual. Didn't know the code for release process would be in installer folder.

[chrisant996]

BTW, it's the first time I hear about such a great $1500 legal effort. My two friends obtained OSS certs from Certum, and all that they provided were photos of biometric travel document + video of them holding this document + photos of utility bill + GitHub link. It was (€69 for a certificate itself together with a set of smart card and reader) + shipping into their country. The renewal is just €25.

I thought I replied to this already, but I can't find my reply. 🤔

Thanks for sharing that info, that's helpful, and I'm looking into that further.

Are you sure your friends got code signing certs, and not just SSL certs? They're not the same thing, and code signing certs typically are upwards of $150 per year, with minor discounts if you buy multiple years. For example, at Comodo and Certrum.

Certrum offers code signing certs for $129 per year (not $29), if you get the 3-year discount.

[tushev]

Are you sure your friends got code signing certs, and not just SSL certs?

Absolutely sure.

These $29 certificates are "Open Source Code signing certificates", intended specifically for (and limited to) OSS. Your name in cert will be stated as "Open Source Developer, Chris Antos".

This is how it looks like with KeePass:

See for yourself: https://shop.certum.eu/open-source-code-signing.html and https://support.certum.eu/en/code-signing-required-documents/ (the last one is just a generic info, my friends were asked for photos of biometric travel document + video of them holding this document + photos of utility bill + GitHub link).

[chrisant996]

Ah! Thank you for the additional clarification. I'd never found a special cert type for open source software developers. That may also explain why it was easier/cheaper to provide proof of identification.

I may go with that for now. It's $89 to get the cert plus the required hardware card for storing the cert (which is a new requirement in the industry as of March 2024), and then $29 per year after that.

Update: Plus $36 shipping and handling, so $125 total.

Update 2: After creating an account, the cart changed to $89 for the first time cert bundle, $4.00 shipping, and $21.39 tax, for a total of $114.39. That's not bad.

Update 3: And now it's back up to $89 plus $36 shipping, with no mention of tax. ¯_(ツ)_/¯

[chrisant996]

I made the purchase, and it is marked as "in progress". Presumably once I verify my identity then the purchase can complete. I haven't received any instructions yet for how to verify my identity, but my purchase was made outside of working hours. Hopefully in the next couple of business days I'll hear back.

[tushev]

Well, this is good news! Thanks!

which is a new requirement in the industry as of March 2024

Yeah, after thousands of stolen private keys they finally decided to enforce smartcards not only for EV/Kernel code signing, but for all certs.

That may also explain why it was easier/cheaper to provide proof of identification.

It's a kind of 'their contribution into Open Source'. Sure, they are charging $29 to compensate for their expenses, and maybe still getting some minor profits. I doubt that verification process is different for commercial certs (except EV, of course). So most of those $120-$500 are simply companies' profit...

And now it's back up to $89 plus $36 shipping, with no mention of tax. ¯(ツ)/¯

These were initially $4 for DHL + 23% Poland VAT tax, and then it switched to US delivery.

[chrisant996]

The order is en route, with delivery estimated Monday. There was apparently no proof of identity needed. 🤔 I guess that's good news? It's a little confusing, though. 😄

Or maybe the hardware card is being sent, and the certificate will be a digital transaction after that, and after some proof of identity process that hasn't been mentioned yet? We will see, soon. 😉

[chrisant996]

I received the code signing USB dongle.

The instructions seem highly inaccurate. There are missing steps, errors about what options are present on screens and what they're called, and wrong information. Maybe it's mostly due to translation errors?

For example, there was no information on whether/when/how to insert the smart card into the USB key. The manual for the USB key also had no information about that. It was easy to find with an internet search, though.

The instructions only said "Initiate a regular card profile". There is no "regular card profile" available. I suppose it must be a translation error and "common" is the intended choice. Since the first option of "secure card profile" starts an initialization process which requires generating keys, which fails with no explanation of why, but looks like it needs a PIN, which isn't present yet because the profile is being initialized.

Once I figure out how to solve the documentation riddles, then apparently it will start another process for verifying my identity.

[tushev]

Wow, that's a fast delivery!

Hope you will find these helpful:

• https://blog.assarbad.net/20221110/certum-open-source-code-signing-certificate/
• https://blog.inkdrop.app/code-signing-certificate-for-indie-developers-564f86492957
• https://www.msz.it/a-cheap-code-signing-certificate-for-open-source-projects-by-certum-asseco-an-honest-review-walkthrough/

[chrisant996]

Automated verification is in progress. It's unclear what the next step is -- the instructions don't seem to cover what the next step is. They said "automatic verification will take no more than 5 minutes", but since that was 20 minutes ago, I'm guessing it meant automatic collection of documents will take no more than 5 minutes, but the processing may take days.

Presumably now I wait for one or two business days in Gdansk time zone for manual verification of the automatic verification documents.

Apart from the highly confusing documentation, it's been a good experience so far. Many of the documentation problems appear to be due to different word choices when translating the web site to English versus translating the instructions to English. But there were also crucial steps just completely missing. 😄

... But I noticed that the verification documents expire on 6/25 (Sunday). And it's after business hours on Friday in Gdansk right now. Hopefully there's a Certum employee handling verification on the weekend, so that the verification attempt doesn't expire and turn into requiring the longer and more involved manual verification process. 🤞

[chrisant996]

Success.

[tushev]

@chrisant996 Thank you very much!!!

[chrisant996]

Thanks for telling me about Certum's open source code signing. For a long time I've been looking for a way to sign with authenticode for less than $100/year (without resorting to self signing), but I'd never found Certum. This is great. 😎