cypherpunkengineering / cypherpunk-vpn-desktop

Cypherpunk Privacy VPN app for Windows / MacOS / Linux

Code Signing on Windows and MacOS #68

Closed wiz closed 7 years ago

wiz commented 7 years ago

Downloading ExpressVPN doesn't give me a "This file may harm your computer" error, but Cypherpunk does.

Apparently this is not related to any certificate or crypto signing, but instead the "Safe Browsing" score of our website according to Google:

https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/safe_browsing/README.md

It appears we are "UNCOMMON" so far.

% pkgutil --check-signature *1270*pkg
Package "cypherpunk-privacy-macos-0.8.0-beta-01270.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Cypherpunk Partners, slf. (3498MVRSX2)
       SHA1 fingerprint: A8 CE 2B 91 33 FF E5 D0 CC 97 56 B2 0F 39 66 06 3D 5E 8A 6A
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

% pkgutil --check-signature expressvpn-install_v6.4.2.1076.pkg
Package "expressvpn-install_v6.4.2.1076.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: ExprsVPN LLC (VMES9GFUQJ)
       SHA1 fingerprint: 98 14 69 AC CC 40 1F AC B8 B0 F9 A4 24 EF C0 66 CC 77 EB 5E
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

% spctl -a -vvv --type install expressvpn-install_v6.4.2.1076.pkg
expressvpn-install_v6.4.2.1076.pkg: accepted
source=Developer ID
origin=Developer ID Installer: ExprsVPN LLC (VMES9GFUQJ)

% spctl -a -vvv --type install *1270*pkg
cypherpunk-privacy-macos-0.8.0-beta-01270.pkg: accepted
source=Developer ID
origin=Developer ID Installer: Cypherpunk Partners, slf. (3498MVRSX2)
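Added example, not part of the original comment or the project's code: a small parser for the `pkgutil --check-signature` format quoted above that compares the two packages and shows they differ only in the leaf certificate. The sample strings are copied from that output with the dashed separator lines omitted; the function names are hypothetical, and the parser assumes each subject line is followed directly by its SHA1 fingerprint line, as it is here.

```python
import re

# Samples: the two `pkgutil --check-signature` outputs quoted in the comment
# above, with the dashed separator lines omitted.
OURS = """\
Package "cypherpunk-privacy-macos-0.8.0-beta-01270.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Cypherpunk Partners, slf. (3498MVRSX2)
       SHA1 fingerprint: A8 CE 2B 91 33 FF E5 D0 CC 97 56 B2 0F 39 66 06 3D 5E 8A 6A
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
"""
THEIRS = """\
Package "expressvpn-install_v6.4.2.1076.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: ExprsVPN LLC (VMES9GFUQJ)
       SHA1 fingerprint: 98 14 69 AC CC 40 1F AC B8 B0 F9 A4 24 EF C0 66 CC 77 EB 5E
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
"""
ENTRY = re.compile(
    r"^\s*\d+\. (.+)\n\s*SHA1 fingerprint: ((?:[0-9A-F]{2} ?){20})", re.M)

def parse(text):
    """Return (status, [(subject, sha1_hex), ...]) with the leaf first."""
    status = re.search(r"^\s*Status: (.+)$", text, re.M)
    chain = [(m[1].strip(), m[2].replace(" ", "").lower())
             for m in ENTRY.finditer(text)]
    return (status[1] if status else None), chain

def team_id(chain):
    """Team ID in parentheses at the end of the leaf subject, or None."""
    m = re.search(r"\(([A-Z0-9]{10})\)$", chain[0][0]) if chain else None
    return m[1] if m else None

def compare(a, b):
    """Summarise where two packages' signatures agree and differ."""
    (sa, ca), (sb, cb) = parse(a), parse(b)
    trusted = "signed by a certificate trusted"
    return {"both_trusted": all(s and s.startswith(trusted) for s in (sa, sb)),
            "same_issuers": len(ca) > 1 and ca[1:] == cb[1:],
            "leaf_team_ids": (team_id(ca), team_id(cb))}
```

Calling `compare(OURS, THEIRS)` reports both packages as trusted with identical intermediate and root certificates, so only the Developer ID leaf differs between them.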

wiz commented 7 years ago

It may also be because currently our website uses JS to start the download in the background instead of a "user gesture" - related links: https://codereview.chromium.org/9639003 https://developers.google.com/webmasters/hacked/docs/request_review?visit_id=1-636331058178180424-1344877982&rd=1

wiz commented 7 years ago

Fixed on website by changing download button to with this commit https://github.com/cypherpunkengineering/cypherpunk-web-frontend/commit/412fa93078961d2fbb02122533905a8c6b3efb90

wiz commented 7 years ago

https://developer.microsoft.com/en-us/dashboard/hardware jmaurice@cypherpunk.onmicrosoft.com

signtool sign /v /debug /ac digicert-high-assurance-ev.crt /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 98F13C0DFD947707626F192DA240C57D2E7D20B9 <file>

wiz commented 7 years ago

C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86>certutil -repairstore -csp "eToken Base Cryptographic Provider" My 0E9222E50C6D292251250DB81066FBCB

wiz commented 7 years ago

Must connect HSM via passthru not virtual