chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/
3.27k stars, 456 forks

Signing the assembly for Windows platforms #3718

Closed GuildOfCalamity closed 3 months ago

GuildOfCalamity commented 3 months ago

For those of us who perform security audits (SSF, BlackDuck, etc.), this DLL is always flagged because it is unsigned.

Can we get a signed version in the future?

Even ILSpy struggles with it: [image]

magreenblatt commented 3 months ago

CEF doesn't provide signed binaries. Application distributors (e.g. you, or whomever created the application that you're using) should sign all binaries that are being distributed as part of the application.

GuildOfCalamity commented 3 months ago

> CEF doesn't provide signed binaries. Application distributors (e.g. you, or whomever created the application that you're using) should sign all binaries that are being distributed as part of the application.

I've tried that but the libcef assembly is not signable for some reason (probably because of the missing PF data). Internally we sign all DLLs and 90% of the 3rd party DLLs are signed to begin with.

magreenblatt commented 3 months ago

I'm not seeing any issues signing libcef. Where are you getting the libcef DLL? Are you using CEF/C++ directly, or some wrapper project?

GuildOfCalamity commented 3 months ago

> I'm not seeing any issues signing libcef. Where are you getting the libcef DLL? Are you using CEF/C++ directly, or some wrapper project?

It's possible we have an older version here, let me try fetching the latest binaries and try to sign them. BTW, I'm using the standard ildasm and ilasm for the signing process.

[UPDATE] When I try the latest 64-bit Windows binary I still am unable to sign it. I used the Standard Distro.

ILSpy reports that "PE file does not contain any managed metadata."

Here are the properties for the library: [image]

amaitland commented 3 months ago

> ILSpy reports that "PE file does not contain any managed metadata."

That's correct. libcef.dll is not a managed library. It's written in C++. There is no managed metadata.

GuildOfCalamity commented 3 months ago

> > ILSpy reports that "PE file does not contain any managed metadata."
>
> That's correct. libcef.dll is not a managed library. It's written in C++. There is no managed metadata.

Understood. For a Windows user, what would be the correct way to sign the compiled binary since it is unmanaged?

magreenblatt commented 3 months ago

See https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
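
The two points made in this thread (libcef.dll has no CLR metadata, so ildasm/ilasm cannot sign it, and the distributor is expected to Authenticode-sign it with signtool) can be checked and carried out with the script below. It is an added example, not code from the thread or from the CEF project. It assumes a Windows SDK installation under the default "Windows Kits" path, a code-signing certificate already present in the CurrentUser\My store, and the DLL path, certificate thumbprint and timestamp server given as parameters, all of which are placeholders.

```powershell
# Added example (not part of the CEF thread or project): distinguish a native
# PE such as libcef.dll from a managed assembly, Authenticode-sign it with
# signtool.exe, and verify the result. The path, thumbprint and timestamp URL
# below are assumptions for illustration.
param(
    [string]$Dll            = 'C:\cef\Release\libcef.dll',                        # assumed path
    [string]$CertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',         # assumed thumbprint
    [string]$TimestampUrl   = 'http://timestamp.digicert.com'                     # assumed RFC 3161 TSA
)

function Test-ManagedAssembly {
    param([string]$Path)
    try {
        # GetAssemblyName reads the CLR metadata header. A native (C++) PE has
        # none and throws BadImageFormatException; this is the same condition
        # ILSpy reports as "PE file does not contain any managed metadata".
        [void][System.Reflection.AssemblyName]::GetAssemblyName($Path)
        return $true
    } catch [System.BadImageFormatException] {
        return $false
    }
}

if (Test-ManagedAssembly -Path $Dll) {
    Write-Host "$Dll is a managed assembly: strong naming (sn.exe / ilasm /key) applies in addition to Authenticode."
} else {
    Write-Host "$Dll is a native PE: ildasm/ilasm/sn.exe cannot sign it. Use Authenticode (signtool) instead."
}

# Locate signtool.exe in the Windows SDK (the directory layout is an assumption
# about a default SDK install; adjust if yours differs).
$signtool = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe' -ErrorAction SilentlyContinue |
    Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK.' }

# Authenticode-sign the native DLL:
#   /fd SHA256   file digest algorithm
#   /tr, /td     RFC 3161 timestamp, so the signature stays valid after the cert expires
#   /sha1        select the code-signing certificate from the cert store by thumbprint
& $signtool sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $CertThumbprint $Dll
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify. /pa selects the default Authenticode policy; without it signtool
# applies the driver-signing policy and rejects ordinary code-signing certs.
& $signtool verify /pa /v $Dll
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check from PowerShell: Status must be 'Valid' for a trusted chain, and
# TimeStamperCertificate should be populated if the timestamp was applied.
Get-AuthenticodeSignature -FilePath $Dll |
    Format-List Status, StatusMessage, SignerCertificate, TimeStamperCertificate
```

Run it from a shell that has access to the certificate store holding the signing certificate. Scanners that flag "unsigned" binaries are checking for an Authenticode signature, which is file-level and independent of whether the PE is managed; the strong-name step that ildasm/ilasm or sn.exe perform only exists for .NET assemblies and is not what those audits look for.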

GuildOfCalamity commented 3 months ago

@magreenblatt Thank you!