sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Sign the .tmp file that gets dropped when installing or updating Sandboxie Plus #2643

Open bastik-1001 opened 1 year ago

bastik-1001 commented 1 year ago

Is your feature request related to a problem or use case?

The installer itself is signed, but when the installer is executed it drops a .tmp file that gets executed to install Sandboxie Plus.

The installer drops a file C:\Users\[username]\AppData\Local\Temp\[string].tmp\Sandboxie-Plus-[architecture]-[version].tmp that gets run to install the program, but that binary is not signed by any signature.

Describe the solution you'd like

That the .tmp is signed with some valid certificate.

Since the file gets executed as a binary file, and the installer is signed, the chain should be complete and some security software could "respect" the installation process as being more legitimate (even though that is not entirely justified).

Describe alternatives you've considered

No response

DavidXanatos commented 1 year ago

Well... this behavior is how innosetup does it, I can look if there is a newer innosetup version which may behave better. Or some innosetup expert may chime in and tell us how to improve on this behavior.

bastik-1001 commented 1 year ago

Well, if that is somewhat complicated, I don't think it should be something to waste resources on.

If someone knows how to improve that easily, then it would be nice to see that changed. Until then, there is no problem with this issue staying open as a reminder that this could be improved.

isaak654 commented 6 months ago

I have just found an article that should help with this issue: https://blog.osarmor.com/340/innosetup-sign-installer-uninstaller/

If you use Inno Setup to create the installer of your software, you can follow these steps to digitally sign the installer, uninstaller (e.g. unins000.exe) and also the .tmp file executed by the installer and uninstaller during the installation or uninstallation.

This is related to the topic Avast alert, suspicious TMP file in Release v1.13.4, so it is in your interest to sign the .tmp file.

offhub commented 6 months ago

https://jrsoftware.org/ishelp/index.php?topic=setup_signtool

bastik-1001 commented 1 month ago

Are there any issues with the way the signing process would be altered or is there another reason why this is not done?