immense / Remotely

A remote control and remote scripting solution, built with .NET 8, Blazor, and SignalR.
GNU General Public License v3.0

Code Signing [Self Defined or global] #852

Closed TheTechnologyStudio closed 3 months ago

TheTechnologyStudio commented 6 months ago

Is your feature request related to a problem? Please describe. Customers are scared to use the support tool because the exe is not signed, and Windows throws errors asking you to confirm that you want to download and run the file.

Describe the solution you'd like Include code signing for Remotely, or allow us to assign our own code-signing cert in the agent builder. Possibly a one-time fee of $100 to use the code-signed version, so that it is worth it?

Additional context The program is amazing, but without code signing it is not able to act like a proper remote support tool.

emtec-jim commented 6 months ago

Download the agent from your remotely server like a customer would. Sign it with your own certificate. Host the signed version on your website for your customers.

That's what we did.

vespino commented 6 months ago

@emtec-jim please elaborate on how to do so, because this is the only hurdle for me using this system.

emtec-jim commented 6 months ago

You will need your own code signing certificate - you can either generate one internally (self signed, untrusted) or buy one from a commercial certificate provider. Once you have that, it's relatively simple.

  1. Download the remote support agent you want to sign from your instance of Remotely to your PC, just like a user would. That will give you a local copy of the exe file ready to sign.
  2. Using Microsoft's signtool, sign the exe you downloaded with your certificate (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool).
  3. Upload the signed file to your own website for users to download and use.

That's the way we did it and it worked for us.

Theoretically it wouldn't be too hard to integrate binary signing into the Remotely download routine (there are Linux tools to sign Windows binaries), but that is not something I have time to do right now. What we did worked for us and solved the problem; not ideal, but good enough.

vespino commented 6 months ago

OpenSSL to the rescue?

vespino commented 6 months ago

No success following this video, so I reverted back to Anydesk: https://youtu.be/m77p30bvY5E?si=B2roSyx1i2KE7ajB. I might return when the developers find a way to sign the .exe automatically for free.

godofjesters commented 5 months ago

That's how we do it as well: sign our exe after creation and host it on our web server.

vespino commented 5 months ago

I'd love to know how. Like I said, I wasn't able to using the tutorial. Maybe there's an easier way?

godofjesters commented 5 months ago

Unfortunately I'm not the admin for my company who has access to our cert, so I don't know the steps. I only know that we do have the exe created and we're able to sign it with our cert. It stops the exe from being blocked when downloading, and as far as I've seen it doesn't trip any AVs on our customers' computers.

emtec-jim commented 5 months ago

I provided a link to the relevant Microsoft documentation already (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool). There are numerous example commands at the end of that document that show you exactly how to achieve what you are trying to do.

At the most basic, "signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe" is the command you need, substituting MyCert.pfx with your signing certificate and MyFile.exe with the Remotely executable.

You WILL need to buy a code-signing certificate from a recognised CA for this to work properly.

vespino commented 5 months ago

The thing I love about open source is its price. So there isn't a way to do this for free? I mean, Let's Encrypt lets you encrypt everything for free on the web, so why not software? Certificates can be hella expensive.

godofjesters commented 5 months ago

> No success following this video, so I reverted back to Anydesk: https://youtu.be/m77p30bvY5E?si=B2roSyx1i2KE7ajB. I might return when the developers find a way to sign the .exe automatically for free.

I honestly wish you luck.

abitlegacy commented 5 months ago

> The thing I love about open source is its price. So there isn't a way to do this for free? I mean, Let's Encrypt lets you encrypt everything for free on the web, so why not software? Certificates can be hella expensive.

First, open source does not mean free. Second, if you own the endpoints (i.e. enterprise) then you can do it for free with a code-signing cert issued by your internal PKI. You only need a public code-signing cert (not an encryption cert) for a publicly trusted install. Due to the level of validation involved in a code-signing cert, I doubt they'll ever be free. It's much more involved than Let's Encrypt, where they're only validating ownership of a domain.

emtec-jim commented 5 months ago

If you aren't running a business you have no need to sign the executable; you know it's safe, so just ignore the warnings. If you are running a business, then the cost of a certificate is simply a business overhead that you need to account for. A cert can be had for under £200 a year if you shop around, hardly a significant expense given most RMM tools will cost you more than that for 10 endpoints in a year.

Code-signing certs require validation of the business/organization they are being issued to; they have to, or they'd be useless for their intended purpose. That is never going to be free.

At any rate, you've had an answer to your question and this is veering way off topic, so I'll leave it there.

Good luck.

gravasio commented 5 months ago

Hi, I think that this project needs code signing. Speaking for my company, we would be happy to pay even 100 USD/year to have a signed binary and MSI/EXE installer. Speaking as an OSS enthusiast, I would like to point you to the SignPath Foundation (https://signpath.org/about/), hoping that you will ship a signed exe soon. Thanks

emtec-jim commented 5 months ago

The problem here is that the executable is customised for each installation, so it needs to be signed when it's created. I know some projects have made this into something of a business model by charging for signed binaries, but honestly I doubt the revenue generated would cover the overheads even if someone were to want to undertake it.

If there really is interest in this, it would be far better to build the capability to sign the binaries into the application. There are open-source tools that can sign executable files, so it should be possible to modify the application in such a way that you can upload a certificate (and key) which is then used to sign the downloads dynamically.

Yes, there are potential issues with that (it's never a great idea to have a key readily accessible), but it's probably the only way to get code signing into the Remotely app as things stand.

As I've said before, I don't have the resources to do this myself right now, and there is a work-around for those who truly need it. Yes, it would be nice to have it, but unless someone steps up to contribute the necessary code I can't see it happening.

gravasio commented 5 months ago

Hi, AFAIK code signing for PE does indeed allow embedding specific data without re-signing the code. Some references, in case someone is able to work on this for the project: https://learn.microsoft.com/it-it/archive/blogs/ieinternals/caveats-for-authenticode-code-signing and https://github.com/mgaffigan/passdata/blob/master/PassData.ClientSide/StampReader.cs

This would allow signing the installer as part of the software release and having all installs embed the server address and server ID.
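As an added example (not code from this thread or from the Remotely project), a small Python check for the mechanism gravasio describes: it walks a PE's headers to the Authenticode certificate table and returns any bytes that sit after the PKCS#7 blob, which a verifier or an installer can read, and which a defender can use to spot unexpected payloads riding in an otherwise valid signature. The `build_fake_pe` helper is a constructed stand-in containing only the headers the parser reads, not a real signed binary.

```python
import struct

def cert_table_entry(pe: bytes) -> tuple:
    """(file offset, size) of data directory 4, IMAGE_DIRECTORY_ENTRY_SECURITY."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ directory offset
    return struct.unpack_from("<II", pe, dirs + 4 * 8)  # for entry 4 the "RVA" is a file offset

def der_total_length(blob: bytes) -> int:
    """Encoded size of the outermost DER SEQUENCE (the PKCS#7 SignedData)."""
    if blob[:1] != b"\x30":
        raise ValueError("certificate payload is not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def trailing_signature_data(pe: bytes) -> bytes:
    """Bytes inside WIN_CERTIFICATE after the PKCS#7 blob. Authenticode hashes everything
    except the checksum, this directory entry and the table itself, so they stay unverified."""
    off, size = cert_table_entry(pe)
    if size == 0:
        return b""                                # unsigned image
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
    if ctype != 0x0002:                           # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type %#x" % ctype)
    payload = pe[off + 8:off + length]
    return payload[der_total_length(payload):].rstrip(b"\0")  # drop 8-byte alignment nulls

def build_fake_pe(pkcs7: bytes, extra: bytes = b"") -> bytes:  # constructed stand-in, not a real binary
    e_lfanew = 0x40
    cert_off = e_lfanew + 4 + 20 + 112 + 16 * 8   # PE32+ headers plus 16 data directories
    body = pkcs7 + extra
    padded = (8 + len(body) + 7) & ~7             # certificate entries are 8-byte aligned
    pe = bytearray(cert_off)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", pe, e_lfanew + 24, 0x20B)                        # PE32+ magic
    struct.pack_into("<II", pe, e_lfanew + 24 + 112 + 32, cert_off, padded)  # security directory
    pe += struct.pack("<IHH", padded, 0x0200, 0x0002) + body                 # WIN_CERTIFICATE
    return bytes(pe) + b"\0" * (padded - 8 - len(body))
```

The fake PKCS#7 blob only needs a well-formed outer SEQUENCE header for the length walk; on a real file the same function reports whatever was appended when the download was customised.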

godofjesters commented 5 months ago

How often do you need to generate a new exe? You should only need to generate one when the server gets updated. Generate one copy, sign it, get it to whoever. If you constantly need to generate a download, yes, I can see the need for signing, but what am I missing?

bitbound commented 3 months ago

@emtec-jim and @godofjesters summed things up pretty nicely.

I'll just add that it's unlikely that Immybot will provide signed binaries. I can't speak for them, but I can think of a few reasons why I already know they'd say no.

I personally won't be purchasing a certificate to sign them either.

However, I did make changes in the latest preview image that I hope will help some of this.


I understand this might not be the desired solution, but this is what I had time/resources to complete. Hopefully it helps some.