root-project / root

The official repository for ROOT: analyzing, storing and visualizing big data, scientifically
https://root.cern

Windows installers are not signed #15896

Open xia-stan opened 3 months ago

xia-stan commented 3 months ago


Description

Current Behavior

I have downloaded the ROOT binary installer from https://root.cern/download/root_v6.32.02.win64.vc17.exe. When running the executable, Windows prompts that the executable is untrusted. Checking the executable shows that it's not signed.


Because the installer is untrusted, I'm not able to install the package on my system.

Expected Behavior

The installers are signed so that they do not cause installation errors on Windows based systems.

Reproducer

  1. Download the installer from https://root.cern/download/root_v6.32.02.win64.vc17.exe
  2. Run Windows Signtool to verify the installer's signature:
    signtool verify /pa /v <filename>

ROOT version

6.32.00 and 6.30.00

Installation method

pre-built binary

Operating system

Windows

Additional context

First reported in Forum Thread: https://root-forum.cern.ch/t/windows-installers-are-not-signed/59558/3

bellenot commented 3 months ago

Working on it. Can you confirm that any of those is now properly signed? https://bellenot.web.cern.ch/bellenot/Public/root_v6.32.02.win32.vc17.debug.exe https://bellenot.web.cern.ch/bellenot/Public/root_v6.32.02.win32.vc17.exe https://bellenot.web.cern.ch/bellenot/Public/root_v6.32.02.win64.vc17.debug.exe https://bellenot.web.cern.ch/bellenot/Public/root_v6.32.02.win64.vc17.exe

xia-stan commented 2 months ago

@bellenot: The new executables are signed. But they still present an issue. The certificate used to sign was not issued by a trusted root authority. Code signing certificates must be provided by a Windows approved certificate authority. They have them listed here.
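The reproducer in the issue body runs `signtool verify /pa /v`, and the comment above reports the second failure mode (a signature present, but chaining to a root Windows does not trust). The following PowerShell script is an added example, not code from the issue or from the ROOT project; it tells the two cases apart and names the root the chain ends in, using only built-in cmdlets and .NET classes (no Windows SDK needed). The installer path is an assumption; point it at the file you downloaded.

```powershell
# Added example (not part of the issue or of the ROOT project): inspect the
# Authenticode signature on a downloaded installer and distinguish the two
# cases discussed in this thread: no signature at all, and a signature whose
# chain terminates in a root that is not in the Windows Trusted Root store.
# The default path below is an assumption; override it with -Path.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\root_v6.32.02.win64.vc17.exe"
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"File   : $Path"
"SHA256 : $((Get-FileHash -Path $Path -Algorithm SHA256).Hash)"
"Status : $($sig.Status)  ($($sig.StatusMessage))"

switch ($sig.Status) {
    'NotSigned' {
        'Result : the file carries no Authenticode signature at all.'
        return
    }
    'Valid' {
        'Result : signature verifies and chains to a root Windows trusts.'
    }
    default {
        'Result : a signature is present but Windows does not accept it.'
    }
}

$cert = $sig.SignerCertificate
if (-not $cert) {
    'No signer certificate could be extracted; nothing more to inspect.'
    return
}
"Signer : $($cert.Subject)"
"Issuer : $($cert.Issuer)"
"EKU    : $(($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ')"

# Build the chain ourselves so we can report which root it ends in and
# whether that root is installed in the machine's or user's Trusted Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' to also consult CRL/OCSP
$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)
$null = $chain.Build($cert)

"Chain  :"
$chain.ChainElements | ForEach-Object { "         $($_.Certificate.Subject)" }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
           Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($trusted) {
    "Root   : '$($root.Subject)' is in the Trusted Root store."
} else {
    "Root   : '$($root.Subject)' is NOT in the Trusted Root store (the 'untrusted root' case)."
}
if ($chain.ChainStatus) {
    "Errors : " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
```

Run it as `.\Check-InstallerSignature.ps1 -Path C:\path\to\root_v6.32.02.win64.vc17.exe`. For an unsigned build the status is `NotSigned`; for a build signed with a certificate whose chain ends in a CA that Windows does not ship, `Get-AuthenticodeSignature` typically reports `UnknownError` with a message about a chain terminating in an untrusted root, and the last section shows which root would have to be installed for the signature to be accepted. The SHA256 line is there so the hash can be compared against whatever the publisher distributes out of band, which is the only integrity check available when the signature cannot be trusted.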

bellenot commented 2 months ago

OK, thanks for the feedback. The certificate used to sign the binaries is the official CERN one. I'll check with IT but I doubt they will purchase any Windows approved certificate... Isn't the CERN certificate good enough for you?

ferdymercury commented 2 months ago

Maybe this helps: https://ca.cern.ch/cafiles/certificates/windows.aspx?redir=0&ca=grid

bellenot commented 2 months ago

Nope, that's for the grid, not for code signing. See https://ca.cern.ch/ca/certificates/CodeSigning.aspx

xia-stan commented 2 months ago

@bellenot: It's not a question of whether or not it's good for me. It's a question of whether or not Windows approves it. Since the cert can't be traced back to a trusted source, Windows will automatically flag it as potentially hazardous. Here's a screenshot of the window if I attempt to execute one of the executables:


bellenot commented 2 months ago

OK, fine, but that doesn't block the installation. I'll cross-check, but I'm afraid it will be the maximum we can do for the time being...

xia-stan commented 2 months ago

It actually does prevent us from installing on some systems since the cert cannot be trusted. We have no way to verify that the installers haven't been modified or corrupted.

bellenot commented 2 months ago

OK, I just asked our official channel. We'll see.

xia-stan commented 2 months ago

@bellenot : Any update from the official channel about obtaining a cert from a trusted authority?

bellenot commented 2 months ago

> @bellenot: Any update from the official channel about obtaining a cert from a trusted authority?

No news yet