Open listerr opened 1 year ago
@jaimecbernardo and @cinnamon-msft this is a solid idea. Does scoobe need an update to it if we migrate the format a tad?
It does, in order to not show the hashes in scoobe. I don't think there's an issue with them showing for some versions if we don't get it right, though ;)
For reference, we're using some regexes for this that are defined here: https://github.com/microsoft/PowerToys/blob/f41fe145fc77048389697fc1e50b884b98d5d9a9/src/settings-ui/Settings.UI/OOBE/Views/OobeWhatsNew.xaml.cs#L58-L59
Looking at that regex, it seems we used to say it's SHA256 previously on some releases, like https://github.com/microsoft/PowerToys/releases/tag/v0.56.2
There seems to have been a spate of free/open source projects (like OBS) being cloned, having malware embedded in them, and malicious actors placing Google ads to trick users into downloading malware/trojanned versions of the software etc.
It's becoming increasingly difficult to validate if "random .exe I downloaded from the Internet" is safe to run, even with supposedly reputable projects, when malicious actors create convincing clones of their websites with copies containing malware for download.
Seems it's too fiddly for Windows users to validate the SHA256 (It's not something that would occur to most Windows users) and there aren't clear instructions here for doing so.
The primary recommendation on your page is to install "Via GitHub with EXE [Recommended]" (i.e. download a random .exe from the Internet) and run it without any warning or clear instructions on how to validate the SHA256 checksum before installing it.
This is probably not something you want to encourage most users to do.
The primary install method should be to install from the MS Store, or if you want newer versions, a package manager like scoop/winget. (Which is mentioned in places, but perhaps a more prominent mention that it's likely safer to install this way.)
I see your point, but there are countless tutorials on how to validate checksums.
Downloading from the GitHub release page is the safest way as we're uploading the exe first here, before it gets copied to other platforms. And by installing via MS Store or winget you can't check the hash as the installer is executed immediately. I certainly don't want to say the other install methods are less safe, but downloading the exe from our release page is the safest, most updated way to download PowerToys.
What if someone clones this entire GitHub repo to another GitHub repo, embeds malware in either the installer, or one or more tools, (including mentions of the checksums and updates them) and then pays Google to place an ad at the top of search results for "powertoys" to point to this copied repo? It's clear that Google doesn't care about malicious ads, or do any serious checks to prevent this from happening.
Installing via MS Store or winget, the user is much less likely to end up installing some malware copy.
In my original post, I suggested a paragraph to:
a) Make it clearer what the checksums are. b) Show users how to check the checksum.
The current release notes still show without context or explanation, the "Installer Hashes." You have to already know what these are for, and then figure out which type of hash it is, and then find out how to check it with the tools provided by Windows.
There may be tutorials out there. You don't mention any. And never mind relying on users searching for a tutorial on how to check the hashes, if users don't know it's even a thing in the first place!
Checking via some external source is also a good idea, e.g.: You could link to the hash somewhere it can be checked:
https://www.virustotal.com/gui/file/ee3f76f056a0611f69a203ba6d2b36ff81014b1fa29d1f46ecdcc6d312724fc6
According to this documentation, Winget supposedly verifies the installer hash:
https://learn.microsoft.com/en-us/windows/package-manager/winget/
But it doesn't seem to display it.
It's possible to do:
C:\>winget show Microsoft.PowerToys
Found PowerToys (Preview) [Microsoft.PowerToys]
Version: 0.66.0
Publisher: Microsoft Corporation
Publisher Url: https://github.com/microsoft/PowerToys
Publisher Support Url: https://github.com/microsoft/PowerToys/issues
Author: Microsoft Corporation
Moniker: powertoys
Description: Microsoft PowerToys is a set of utilities for power users to tune and streamline their Windows experience for greater productivity. Inspired by the Windows 95 era PowerToys project, this reboot provides power users with ways to squeeze more efficiency out of the Windows 10 shell and customize it for individual workflows.
Homepage: https://github.com/microsoft/PowerToys
License: MIT
License Url: https://github.com/microsoft/PowerToys/blob/master/LICENSE
Privacy Url: https://privacy.microsoft.com/en-us/privacystatement
Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
Copyright Url: https://github.com/microsoft/PowerToys/blob/main/LICENSE
Release Notes Url: https://github.com/microsoft/PowerToys/releases/tag/v0.66.0
Installer:
  Type: burn
  Download Url: https://github.com/microsoft/PowerToys/releases/download/v0.66.0/PowerToysSetup-0.66.0-x64.exe
  SHA256: ee3f76f056a0611f69a203ba6d2b36ff81014b1fa29d1f46ecdcc6d312724fc6
  Release Date: 2023-01-05
I don’t want to misrepresent winget but there are a lot of verifications there from submission to running an install command.
All our stuff is automated from creation of hash on the build server to submission to winget / store.
I do think this is a good idea, but one thing we can't do is over-complicate release notes.
Okay. I don't think it would be over complicating the release notes to add the paragraphs I suggested above, along with perhaps a link to another page with more detail explaining how to verify the downloaded .exe, and that users should exercise caution. (Or use winget/store installer.)
Downloading and running .exe files from the internet without any form of verification is just not a very safe thing to be doing anymore.
Some of the more recent cloned websites have been extremely convincing, and have tricked even experienced users. (Especially when the trojanned version of the installed program appears to function otherwise normally. It may not be discovered for weeks, by which time, who knows how much data has been stolen, accounts compromised etc.....)
@listerr I agree that we could add these paragraphs.
But there's one thing I don't get. When a malicious website would distribute an infected version of PowerToys like you described, this website can also provide wrong file hashes, right? When a website can fake for example the GitHub release page they can just change the file hash too. How exactly does that bring more security?
Have a look at Thio Joe's video: https://www.youtube.com/watch?v=aNDw1QMV-lM
Provide a description of requested docs changes
The release notes state:
Suggested update:
Installer Hashes
Checking file hashes
File hashes can be checked using the built-in CertUtil command in either Windows PowerShell or cmd terminal:
sha256sums
To allow for some automated method to obtain and check the sha256sums if needed.
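As an added example of the check this issue asks the docs to describe (my own script, not PowerToys project code), the PowerShell below hashes a downloaded installer with the built-in Get-FileHash, compares it with the SHA256 printed in the release notes, and, when winget is present, cross-checks that value against the hash `winget show` reports so the expected hash does not come only from the same page the file came from. It assumes winget prints an `SHA256:` line under `Installer:` as in the output quoted above; the script name and parameters are mine.

```powershell
# Added example (not PowerToys project code): verify a downloaded installer
# against the SHA256 published in the release notes and, when winget is
# available, cross-check that value against the hash winget reports.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    # Hash as printed under "Installer Hashes" in the release notes.
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,
    [string]$WingetId = 'Microsoft.PowerToys'
)

function Get-InstallerSha256 {
    param([string]$Path)
    # Get-FileHash is built into Windows PowerShell; from cmd the equivalent
    # is: certutil -hashfile <file> SHA256
    return (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
}

function Get-WingetSha256 {
    param([string]$Id)
    # Assumption: winget prints an "SHA256: <hex>" line under "Installer:",
    # as in the `winget show` output quoted earlier in this thread.
    if (-not (Get-Command winget -ErrorAction SilentlyContinue)) { return $null }
    $out = & winget show --id $Id --exact 2>$null
    $m = [regex]::Match(($out -join "`n"), 'SHA256:\s*([0-9a-fA-F]{64})')
    if ($m.Success) { return $m.Groups[1].Value.ToLowerInvariant() }
    return $null
}

$expected = $ExpectedSha256.Trim().ToLowerInvariant()
if ($expected -notmatch '^[0-9a-f]{64}$') {
    Write-Error "Not a 64-hex-digit SHA256: '$ExpectedSha256'"
    exit 2
}
$actual = Get-InstallerSha256 -Path $InstallerPath
Write-Host "File    : $actual"
Write-Host "Expected: $expected"

$wingetHash = Get-WingetSha256 -Id $WingetId
if ($wingetHash) {
    Write-Host "winget  : $wingetHash"
    if ($wingetHash -ne $expected) {
        Write-Warning "winget reports a different hash than the release notes (other version, or the sources disagree)."
    }
}
if ($actual -ne $expected) {
    Write-Error "HASH MISMATCH: do not run $InstallerPath"
    exit 1
}
Write-Host "OK: installer matches the published SHA256"
```

Run it as, for example, `.\Verify-Installer.ps1 -InstallerPath .\PowerToysSetup-0.66.0-x64.exe -ExpectedSha256 ee3f76f056a0611f69a203ba6d2b36ff81014b1fa29d1f46ecdcc6d312724fc6` using the hash from the winget output quoted above. A file from a cloned site fails the comparison unless the attacker also controls the page the expected hash was read from, which is the point of the independent winget cross-check.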