Open strogonoff opened 4 years ago
No idea why this happens...? Will need to investigate.
I was not sure whether we have Windows signing at the moment of filing.
If we do sign and this happens, perhaps adjusting Windows settings could address that? Maybe there is a similar trust level hierarchy "app store approved" / "signed" / "unsigned" on Windows, I’m going to have that investigated…
On 31 Jul 2020, at 9:47 AM, Ronald Tse notifications@github.com wrote:
No idea why this happens...? Will need to investigate.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.
(although “Unknown published” must mean something is not right with signing)
On 31 Jul 2020, at 9:47 AM, Ronald Tse notifications@github.com wrote:
No idea why this happens...? Will need to investigate.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.
Yes we have Windows signing; previously the signing worked -- no warning was displayed on my Windows machine on launch of the application. The Windows code signing certificate is from DigiCert.
Yes we have Windows signing; previously the signing worked -- no warning was displayed on my Windows machine on launch of the application. The Windows code signing certificate is from DigiCert.
@ronaldtse it appears that this warning is displayed only when you open the app for the first time. (Presumably, for each new version too.) I still think it has something to do with signing
It was confirmed with latest v1.6.17
We're apparently missing Windows signing in this repo.
The issue is still present in the latest version Glossarist 1.6.38.
Windows signing in this repo is enabled, and you can see in the build logs. It seems to succeed.
https://github.com/glossarist/glossarist-desktop/runs/1135873363?check_suite_focus=true
2020-09-18T20:52:53.6120773Z • install prebuilt binary name=keytar version=6.0.1 platform=win32 arch=x64
2020-09-18T20:52:53.9214455Z • packaging platform=win32 arch=x64 electron=9.1.1 appOutDir=dist\win-unpacked
2020-09-18T20:52:54.4634430Z • downloading url=https://github.com/electron/electron/releases/download/v9.1.1/electron-v9.1.1-win32-x64.zip size=70 MB parts=4
2020-09-18T20:52:56.0734680Z • downloaded url=https://github.com/electron/electron/releases/download/v9.1.1/electron-v9.1.1-win32-x64.zip duration=2.111s
2020-09-18T20:53:04.3448090Z after build; disable sandbox
2020-09-18T20:53:04.8849840Z • downloading url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
2020-09-18T20:53:05.4275786Z • downloaded url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=966ms
2020-09-18T20:53:06.5467495Z • signing file=dist\win-unpacked\Glossarist.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:53:10.2819633Z • building target=nsis file=dist\install-glossarist-desktop-1.6.40.exe archs=x64 oneClick=true perMachine=false
2020-09-18T20:53:10.2822033Z • building target=portable file=dist\glossarist-desktop-1.6.40-portable.exe archs=x64
2020-09-18T20:53:11.2075931Z • downloading url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
2020-09-18T20:53:11.2077815Z • downloaded url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=747ms
2020-09-18T20:53:12.3343836Z • signing file=dist\win-unpacked\resources\elevate.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:51.8865021Z • downloading url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
2020-09-18T20:54:52.2273760Z • downloaded url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=678ms
2020-09-18T20:54:53.6719133Z • signing file=dist\glossarist-desktop-1.6.40-portable.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:53.7076670Z • Signing NSIS uninstaller file=dist\__uninstaller-nsis-glossarist.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:55.2206117Z • publishing publisher=Github (owner: glossarist, project: glossarist-desktop, version: 1.6.40)
2020-09-18T20:54:56.2066206Z • uploading file=glossarist-desktop-1.6.40-portable.exe provider=GitHub
2020-09-18T20:54:56.2292125Z • signing file=dist\install-glossarist-desktop-1.6.40.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:57.9975555Z • building block map blockMapFile=dist\install-glossarist-desktop-1.6.40.exe.blockmap
2020-09-18T20:54:58.8300126Z • uploading file=install-glossarist-desktop-1.6.40.exe.blockmap provider=GitHub
2020-09-18T20:54:58.8319026Z • uploading file=install-glossarist-desktop-1.6.40.exe provider=GitHub
2020-09-18T20:55:01.2373329Z Done in 128.72s.
Perhaps if someone can show the signature details using SignTool.exe? https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature
@batyr-tar will take a look at it
So far I think these are two somewhat separate issues:
Once proper signature is confirmed, I think we can consider this screen “unfixable” until Microsoft’s reputation black box starts favoring us.
The certificate chain looks adequate, but for some reason is not trusted. I am not sure whether it is an issue with my Windows or SDK installation. Digital Signatures tab in Properties shows no problems.
Thanks @batyr-tar
Same error on another Windows machine:
Verifying: C:\Users\froot\Downloads\install-glossarist-desktop-1.6.40.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 2693FA123AE5A7925C043B11AB2C6F730EB8B1CC
Signing Certificate Chain:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 07:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert SHA2 Assured ID Code Signing CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Oct 22 19:00:00 2028
SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
Issued to: Ribose Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Fri Nov 18 19:00:00 2022
SHA1 hash: 597A5F33C2C77E37D60D034E89A94AF8DA8BF4E7
The signature is timestamped: Sat Sep 19 03:54:56 2020
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 07:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert Assured ID CA-1
Issued by: DigiCert Assured ID Root CA
Expires: Wed Nov 10 07:00:00 2021
SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117
Issued to: DigiCert Timestamp Responder
Issued by: DigiCert Assured ID CA-1
Expires: Tue Oct 22 07:00:00 2024
SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
This may be related...
https://docs.microsoft.com/en-us/security/trusted-root/2020/july2020
This release will add the EV Code Signing OID to the following roots:
...
16. Digicert \ DigiCert Assured ID Root CA \ 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Apparently it is supposed to be around? Woot?
Ah, someone else has run into this issue: https://github.com/storj/storjshare-gui/issues/36#issuecomment-236581696
yes, saw that issue too
the certificate is supposed to be trusted since July so it's unclear why it's an error
note that those guys don't get verification error from signtool but we do!
On 21 Sep 2020, at 9:56 AM, Ronald Tse notifications@github.com wrote:
Ah, someone else has run into this issue: storj/storjshare-gui#36 (comment)
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.