macOS packages and Windows MSIs are not signed

[skade]

This possibly applies to other platforms as well.

Currently, the Rust installer comes up with this nice warning, making the user navigate to a settings pane and acknowledge to really start the installer. Administrators can also decide to completely deactivate this.

I think at least the official installers of Rust should be signed using an Apple Developer Certificate.

[nagisa]

This possibly applies to other platforms as well.

All our releases and their checksums, including OS X ones, are signed with PGP signature already.

I’m not disagreeing they could also be signed using whatever method Apple for their OSes, but I'm not convinced $100/$300 is a fair price for getting rid of this dialog. OTOH we probably could piggy back on the same account used to generate signatures for Firefox.

[skade]

@nagisa If that is your issue, point me to a form where I can chip in 100$ yearly. Either we want to supply installers for their platform and then do it proper or we should just ship tarballs.

[skade]

I think the same is true for the windows installer.

(Code signing certs for windows cost > $300 upwards, FWIW)

[brson]

cc @edunham

Seems totally fixable in the infinite expanse of time.

[skade]

I would be willing to invest time on building the signing tooling, but obviously can't help with certificate handling.

[briansmith]

Note that on Windows 8 and later (or, at least, Windows 8.1), Windows Safescreen makes it look like it is impossible to run the installer, and so the installation experience is terrible all around. Especially with the new MSVC port reaching Stable, it would be great to have a Good OOBE on Windows, at least for the Stable releases.

[rtoal]

I have the same problem on Chrome...

[skade]

@rtoal Just in case: you can, in the meantime, go to "Systems Settings" -> "Security and Privacy" and click the appropriate button to still start the installation process.

[skade]

@brson this ticket needs A-windows as well, or should windows be split into a separate issue?

[rtoal]

@skade Thanks but I just used homebrew which also has 1.3.0. :)

[skade]

I'd like to bump this again, also, Servo has the same issue and cannot be easily run on OS X, as it is unsigned.

[Manishearth]

OTOH we probably could piggy back on the same account used to generate signatures for Firefox.

I doubt this would be accepted by the Firefox people. You want your private keys locked down, having two projects with independent infrastructure share a key sounds like a bad idea. I think both Rust and Servo can get their own. Not sure if it should be the same one.

[skade]

For reference, here's the issue for windows. https://github.com/rust-lang/rust/issues/25457

[brson]

Agree this is something we should solve soon.

[Mark-Simulacrum]

@brson I don't think this has been solved for either macOS or Windows. Could you give an update on this?

[steveklabnik]

Triage: not aware of any changes here.

[jasperweiss]

All our releases and their checksums, including OS X ones, are signed with PGP signature already.

Not as if anyone on Windows is going to install gpg4win just to check the signatures. This should be a higher priority IMO.

[skade]

I'd like to bump this again, this - along with rustup-init.exe not being signed - is a substantial speed bump when using Rust on Windows. Windows 10 even hides the "Run anyways" button and makes it hard to find and shows a "Windows has protected your computer" message.

Can we also please remove the P-low label here, it is becoming more and more of an issue, the less we have a "hackers audience".

[skade]

See https://github.com/rust-lang/rustup/issues/1568 for updates, concerning rustup.

[jendakol]

Hello, Avast guy speaking here :smiley:

It's shown up that we as an antivirus company have also kinda problem with not-detecting Rust compilers.

The problem is that we need to have files that are signed by known-certificate and the signature is included in the file itself. Using the method required by macOS and Windows would also be good for us. Without that, we have a problem with non-detecting Rust compilers again and again when a new version is published - it'd have to be uploaded to us "manually" after every release. That's a valid solution, however, unpreferred.
To cite one of our malware analysts: The only signature that Avast (and Windows) is able to understand is pkcs7 signature.

Thanks for the great work and for solving this issue!

[pietroalbini]

We discussed this inside the infra team meeting, and we're going to start the technical work needed to ensure Rust packages are signed for Windows and macOS! Me and @Mark-Simulacrum are going to have a chat to think about an implementation plan soon.

Note that while we'll start the development work, actually turning it on in production will require the foundation to be up and running (to actually buy the certificates).

[jrmoulton]

Is the progress on this issue being tracked anywhere?

[aidanhs]

@jrmoulton this issue is where progress will be tracked - if you haven't seen anything, it's because there (sadly) hasn't been any progress.

[asesh]

Any updates on this issue? This is really necessary from a security POV

[raphaelokon]

Just started with Rust and ran into this—and this is somewhat a contradiction to the overall safety aspect of Rust itself. This thread is 9 years old. Others like NodeJS got their signing in place for macOS and this is really helpful.

Until then please provide at least shasum of the tarballs rather than a GPG signing which most people have to install software for to check the integrity.

[paulsavoie]

Hi, just wanted to drop that here, as the price of the code signing certificate was mentioned. At the SignPath Foundation (disclaimer: I work for SignPath.io), we provide free code signing for OSS projects. The certificate is issued to our foundation but can only be used to sign builds from the open source repository (we verify that technically). It would just require you to add a signing build step in your GitHub Actions workflows.

[asesh]

Hi, just wanted to drop that here, as the price of the code signing certificate was mentioned. At the SignPath Foundation (disclaimer: I work for SignPath.io), we provide free code signing for OSS projects. The certificate is issued to our foundation but can only be used to sign builds from the open source repository (we verify that technically). It would just require you to add a signing build step in your GitHub Actions workflows.

Maybe Rust files can now be digitally signed? It's 2024 and code signature is really necessary for security reasons!!

[Manishearth]

Please refrain from bumping this issue with "I want this too" or "why hasn't this happened yet" or "any updated?" style comments.

This is the issue where this work is tracked. Any updates will be posted here. Whether or not this happens depends on the volunteers in the Rust project, especially the infra team, having time to prioritize and work on this.

Comments asking for things to speed up are not helpful and do not do anything to move the needle.