goatcorp / FFXIVQuickLauncher

Custom launcher for FFXIV
https://goatcorp.github.io/
GNU General Public License v3.0
2.85k stars 333 forks source link

[CodeSigning] Sign the executeables in official releases with a trusted certificate #586

Open DrKittens opened 3 years ago

DrKittens commented 3 years ago

What is your suggestion/feature request? The releases page constantly advises to disable AV / ignore AV as this is detected as untrustworthy / potentially blocked. If this is occurring it is likely due to code reputation / lack of a code signature from heuristic checks.

A codesigning certificate for opensource products can be obtained from companies like certum for about $30

Simply signing the executeables with a trusted certificate should significantly reduce those false positives and thus overall improve the experience of the end-user and trust in the project as you'll no longer need to advertise the disablement of AV for a tool that securely handles credentials.

As this is a free & opensource product and this process is not free advertising a donation link for the purpose of funding codesigning would be beneficial to everyone as the target value is quite inexpensive but an additional cost on a free project is still a cost.

Describe how you'd like this to work

  1. A donation link be advertised in the readme
  2. Initial proceeds from the donations go towards procuring and renewing a trusted codesigning certificate for this (and other goatcorp) projects

Additional context Even if goatcorp elects to not procure a globally trusted codesigning certificate, please at least consider self-signing it so an end-user can elect to trust your certificate and AV solutions that look at certificates for code trust can begin building a reputation for your products to improve trust heuristics.

Limiana commented 3 years ago

Imo, if an user decides to use shitty antivirus that thinks that absolutely legitimate software is a malicious, it should be a problem of an user, not of an absolutely free open-source software developers. And this problem should resolved by AV developers. Then also what if donations will someday stop and there will be no more possibility to renew certificate? Additionally, link you have provided for 25 eur/year is only a renewal code that can be used only if you already have a reader and compatible card. Initial set that includes reader and a card costs 70 eur, or alternatively one could purchase cloud signing for 50 eur/year which does not requires reader and card. Additionally, prices are listed without tax and without shipping included, so resulting price will be even higher. Imo, if there would be donations open, I'd personally rather see them go into direction towards purchasing proper hosting instead of github, providing some cloud functions for plugin developers, or just as rewards for developers for their work, rather than paying to resolve problem that is artificially created by AV companies.

Also, while the cost of the certificate may be not very high, as far as I remember you will have to disclose your personal information together with it which may be not applicable.

DrKittens commented 3 years ago

Imo, if an user decides to use shitty antivirus that thinks that absolutely legitimate software is a malicious, it should be a problem of an user, not of an absolutely free open-source software developers.

As far as an antivirus knows a new build of this tool is a completely fresh totally unknown application unless the developer does something (code signature) to let the AV know its not some random shitware until the AV sees the unsigned application in the wild long enough. This is the kind of false positive users are going to get. eg Day0 / Day1 people picking a new release up.

Then also what if donations will someday stop and there will be no more possibility to renew certificate?

Then new versions wont be signed, that simple. Previous versions using the expired cert, if signed properly against a public (free) timestamping server wont have any reduced security / trust. Self-signing the binaries is suffiicent aswell, any identifier been present vs none is an improvement.

Additionally, link you have provided for 25 eur/year is only a renewal code that can be used only if you already have a reader and compatible card. Initial set that includes reader and a card costs 70 eur, or alternatively one could purchase cloud signing for 50 eur/year which does not requires reader and card.

My bad, picked it up from google in like 20 seconds, still cheap, one again any cert presence is a bonus, even a self-signed one.

Additionally, prices are listed without tax and without shipping included, so resulting price will be even higher.

Shipping on an email / secure download? K.

Imo, if there would be donations open, I'd personally rather see them go into direction towards purchasing proper hosting instead of github, providing some cloud functions for plugin developers, or just as rewards for developers for their work, rather than paying to resolve problem that is artificially created by AV companies.

Disagree with the need for dedicated hosting, lots of opensource products make use of github/ the free pages.github.io pagefor providing secure downloads, anything else is just additional overhead that serves no purpose. The releases page and potentially a project-centric free pages.github.io site would be sufficient tbh.

Everything else, including using potential donations to resolve this suggestion is subjective to the project owners personal choice. The takeaway here is a paypal/bitcoin link to get opportunistic no-commitments monetisation from the project is quick and doesnt really hurt them.

I personally dislike donations-led-design. If thats an option it should be a patreon link not a donation comment.

Problem artificially created by AV companies

Yes and no. Telling an end-user that "ignoring" something they downloaded from the internet in their AV is literally the worst advice you can give someone any steps a developer can reasonably take to prevent a standing instruction to end-users to whitelist a program in their antivirus should be taken if the developer is responsible.

Also, while the cost of the certificate may be not very high, as far as I remember you will have to disclose your personal information together with it which may be not applicable.

For the request, depending on country and provider, yes they need to ID you. In the certificate itself no, an organisation name can be used, no PII there.

Once again self-generated certs can be completely arbitrary and dont require you to provide any "real" information to generate one, this request boils down to "Sign the damn executeables with something static"

A self-signed certificate for all intents and purposes here doesn't reduce security and still proves loose binaries are a legitimate unadulterated release provided by goatcorp assuming goatcorp dont leak the privkey.

Limiana commented 3 years ago

As far as an antivirus knows a new build of this tool is a completely fresh totally unknown application unless the developer does something (code signature) to let the AV know its not some random shitware until the AV sees the unsigned application in the wild long enough. This is the kind of false positive users are going to get. eg Day0 / Day1 people picking a new release up.

Problem of an antivirus and an user using it, not a problem of a developer of a free open-source program.

Shipping on an email / secure download? K.

if you aren't buying signing in cloud, you have to obtain physical device from them

Disagree with the need for dedicated hosting

Tell that to every user who encounters github rate limits due to shared IP / people who have github connectivity issues due to being located in countries that are limiting access to external websites

Telling an end-user that "ignoring" something they downloaded from the internet in their AV is literally the worst advice you can give someone

Well, what else to do if end-users are using shitty products? I have a better advise in this case: just don't use shitty antiviruses, and if you are using them, learn how to manage them properly yourself.

For the request, depending on country and provider, yes they need to ID you.

I personally see a problem here

Can't give any opinion about self-signed certificates since I have no experience of working with them.

DrKittens commented 3 years ago

Not really a productive conversation to continue, just leaving an observation that you dismiss the suggestion to improve a useability and trust in the tool request as "not the problem of the developer of a free open-source problem" then backup your own suggestion of an alternative host with an argument that also can be answered with "not the problem of the developer of a free open-source program" where your suggestion actually requires more money and effort to maintain as oppossed to a slip flag in at compile time

Your requirement could be fixed with download mirroring, if the code was signed with a cert (free, paid, doesnt matter so long as itsidentifiable back to the source project on git) ANYONE could upload a mirror of the binaries to ANY filehost and the code signed package would suffice as proof of legitimacy / a meaningful check the installer hasnt been adulterated.

Signed code facilitates a free communal based fix for your problem by adding proof the binaries provided came from a valid source regardless of where they were downloaded from.

Limiana commented 3 years ago

Your requirement could be fixed with download mirroring

No, it couldn't be fixed that way, as you don't download manually anything but initial setup file, any further updates and downloads (including Dalamud) are handled by launcher itself.

Signed code facilitates

...situation where open source, free software developers are being pushed towards paying money and providing their real life identification (and therefore associating their code with their real identity) to resolve artificially created problem of their software marked as malicious. User should learn:

then backup your own suggestion of an alternative host with an argument that also can be answered with "not the problem of the developer of a free open-source program"

No, not really. Developers specifically selected to use limited github api to check for updates; I'm not blaming them at all - they are using tools that are available here and now for free and would I be xivlauncher's developer, chances I'd do the same are extremely high. But it's out of end user's control if they are happened to have shared IP with someone else who exhausted api limits. While presence and settings of an antivirus - is actually under direct user's control.

Not really a productive conversation to continue

If an opinion contrary to yours is spoken out, that does not makes it non-productive conversation.

goaaats commented 3 years ago

Thanks for all of your feedback. I may start at least self-signing the launcher soon and will look into ways to get it done properly.