sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

[Question] Fundraiser for developer certificate #38

Closed deajan closed 3 years ago

deajan commented 4 years ago

Hello,

Since the sbie driver needs to be digitally signed, how about you add a "call to fundraising" to buy a code signing certificate? A Sectigo 3 years valid certificate costs about 220$.

I pledge to fund a part of that price. Are others willing to?

@DavidXanatos Would that help?

DavidXanatos commented 4 years ago

Unfortunately, a simple code signing certificate is not enough for a driver. That is something you can use to sign your installer to make it look better.

One needs an Extended Validation (EV) Code Signing certificate, see here: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate To be precise, not just any EV Code Signing certificate, but one from one of these 7 vendors that MSFT accepts. The cheap ones (assuming no extra hidden costs) are around 400$/year. And if one is to go that route and through the hassle, IMHO one should get one valid for 3 years right away.

Additionally I don't know if it's a good idea/possible to set up the certificate on a person instead of a company, so possibly the costs of some cheap offshore LLC have to be added.

deajan commented 4 years ago

Thanks for the link, I had never dealt with driver signatures so far, only usual code signing.

Indeed, a Sectigo EV code signing cert for 3 years is about 900$, which is a bit pricier, but does the job. The good news is, you don't need to be a business to get validated, see https://support.sectigo.com/Com_KnowledgeDetailPageFaq?Id=kA01N000000brb0 So at least no overseas company creation is involved.

Gravityzwell commented 4 years ago

Beyond my expertise, and I expect a lot of work, but I know some of the big titles, e.g., Python, are nonprofits, which makes grants and donations more likely. Apparently there is a big difference tax-wise donating to a nonprofit. It might be possible to get grants or donations anyway, especially if you want it for something specific, which is true in this case.

Gravityzwell commented 4 years ago

I thought I remembered something on the Sophos forums that said you could reuse the existing signed kernel driver binary if you keep the app at the same revision. If that could work, I'd be totally fine with that, just put your info somewhere like Help->About. Maybe not a long term answer, but then again if that part really doesn't change, it could be.

DavidXanatos commented 4 years ago

That part changes a lot especially with new windows revisions.

Gravityzwell commented 4 years ago

Anyway didn't I read that SandboxieDev was getting, or had already bought, an EV certificate? I guess for his repo? Are we talking here about another one for sandboxie-plus?

leonardosegurat commented 4 years ago

After a working release, you could definitely go with the donations route through exposure. The same blogs and news outlets that once wrote about Sandboxie could be interested in making a new article for Sandboxie Plus, talking about open source and community-driven development, and from there have an option for donations.

Previous Sandboxie clients (companies and stuff) could also sponsor this, which might in turn let them keep using it, as some of them might have software policies against unsigned drivers/programs. Some sort of paid support, assuming a large enough project and community, could potentially further fund it and keep it going.

DavidXanatos commented 4 years ago

Well, first let's see if I will even need my own certificate. If SandboxieDev will be so kind to sign my releases, or both projects will use the same driver, i.e. he will include all my code changes, then there's no need to double up on certificates.

DavidXanatos commented 4 years ago

Does anyone know what large companies were using sandboxie and would be willing to sponsor the project?

Tsoccerguy3 commented 4 years ago

I like the idea of some generous trustworthy company signing the driver; bad idea using the credentials of a compromised certificate.

rugabunda commented 4 years ago

From the research I have done code signing computers are recommended to be in highly secure environments, and offline with no access to the internet, for security reasons. https://duckduckgo.com/?q=code+signing+best+practices&t=ffab&ia=web

rugabunda commented 4 years ago

If you set up a Patreon account or SubscribeStar account you could reach the monthly donations easily; it makes it easy for them and people will sign up in droves.

DavidXanatos commented 4 years ago

I already have a Patreon account and I get 12€/month, that's laughable.

deajan commented 4 years ago

@DavidXanatos Laughable ATM, since nobody knew about that Patreon account.

Btw, I had real fun with lots of AV false positives on software I am developing & distributing across a couple of thousand computers with different AV engines, until I finally bought a code signing certificate.

IMHO, obfuscating the kernel driver won't help you get out of the "AV false alarm hell". Btw, when I finally signed my executables, I made some VirusTotal tests and realized I had to rename my files so "stupid" AV engines didn't associate the new signed files with earlier false positives.

I still would go in favor of a bigger one-time fundraiser for a valid certificate. I can't be the only one who wants this. I pledge to throw in 100$ myself in that case.

Oh, I also give an unsolicited piece of advice: maybe you could make the amount you receive on the Patreon page public (seen directly on the Patreon page), so people realize you don't get thousands of $$$ and realize they need to contribute too.

PS: Just joined your Patreon account ;) Hope you'll do well.

DavidXanatos commented 4 years ago

I have adjusted the settings as recommended, currently it's $28 per month.

I have put the Patreon link into the toolbar of the new UI (SandMan.exe) and into the release descriptions with the hint that it's needed for a cert.

Let's see if that helps :D

JulyMorning commented 4 years ago

Is it possible to upload files with unchanged version like the sandboxie site hints in the bottom of that page?

DavidXanatos commented 4 years ago

Is it possible to upload files with unchanged version like the sandboxie site hints in the bottom of that page?

No new features as well as security fixes require changes to the driver itself.

JulyMorning commented 4 years ago

Good news. But if there will be a need for changes, do you plan to keep the current version? Thanks for maintaining, btw.

DavidXanatos commented 4 years ago

I think you have misunderstood me. I may have forgotten a comma for clarity, though.

No it is not possible to use the old driver. New features and security fixes I've added require a recompiled driver.

GieltjE commented 4 years ago

@DavidXanatos I am in possession of an EV code signing certificate for my business, would be willing to sign them for the time being.

DavidXanatos commented 4 years ago

That would be great! Thank you so much. Can I send you the driver files by email?

GieltjE commented 4 years ago

For the best effect we would need to sign every executable/dll with it, including the (un)installer, which would require me to build everything in order with some extra command to sign each step. Would it be possible to start combining the zip within the executable as to get a single installer? (I have some experience from a long time ago with NSIS installers; if that's OK I might be able to make some pull requests over the next couple of weeks.)

DavidXanatos commented 4 years ago

Yeah, that would be best indeed! And I have it on my ToDo to create an installer for the SbiePlus builds, but I would like to avoid having to have an installer of SbiePlus and then the same content as a zip for the portable users. So the installer would need an option to extract only. On a short look it did not seem NSIS can do that easily.

I have an old re-purposed custom installer (a modded version of the TrueCrypt installer) I use for Task Explorer, that can do that, but before I use it for more projects I would want to make it such that it can be scripted and execute custom post install steps like installing the driver and so on.

But if you know of a way to get NSIS to do that, this would be even better.

GieltjE commented 4 years ago

Inno Setup is pretty versatile and can easily create such an option (files can either be attached to multiple options, or better, add the portable flag and exclude everything except extraction). Would probably be some work but might give us some flexibility, and it also takes multiple signing tools so it could easily be switched between machines and EV code signing certificates later on.

Add a simple command line script to build the libraries in release mode (msbuild adds the Strong Name signatures), call signtool.exe with the appropriate parameters and in the end call iscc.exe to build the installer.

Is there a reason why Sandboxie/SandboxiePlus are split?
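The build-then-sign-then-package pipeline described above, written out as an added example (this is not a script from the Sandboxie project or from the commenter). All paths, the solution and Inno Setup script names, the output folders and the certificate thumbprint are assumed placeholders. The one thing it adds to the description is a verification pass after every signature, with the kernel-mode policy (/kp) for the .sys file, so an unusable driver signature shows up on the build machine rather than on users' machines.

```powershell
# Added example: Release build, Authenticode signing of every shipped binary, Inno Setup packaging.
# All paths and the thumbprint below are placeholders (assumed), not Sandboxie project values.
param(
    [string]$Configuration  = "Release",
    [string]$Platform       = "x64",
    # Thumbprint of the EV code-signing certificate in the user's cert store (placeholder).
    [string]$CertThumbprint = "0000000000000000000000000000000000000000",
    # RFC 3161 timestamp server of the issuing CA; keeps signatures valid after the cert expires.
    [string]$TimestampUrl   = "http://timestamp.sectigo.com",
    [string]$Solution       = ".\Sandboxie\Sandboxie.sln",     # assumed path
    [string]$InnoScript     = ".\Installer\SandboxiePlus.iss"  # assumed path
)

$ErrorActionPreference = "Stop"

# Run an external tool and fail the whole script on a non-zero exit code,
# so a failed signature can never end up inside the installer unnoticed.
function Invoke-Checked {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# SHA-256 file digest and timestamp digest, certificate selected by thumbprint.
function Set-CodeSignature {
    param([string]$Path)
    Invoke-Checked "signtool.exe" @(
        "sign", "/fd", "SHA256", "/td", "SHA256",
        "/tr", $TimestampUrl, "/sha1", $CertThumbprint, "/v", $Path
    )
}

# Verify what was just signed: default Authenticode policy (/pa) for user-mode files,
# kernel-mode driver signing policy (/kp) for the .sys so a chain that Windows will
# reject for a driver is caught here instead of at load time on users' machines.
function Test-CodeSignature {
    param([string]$Path)
    $policy = if ($Path -like "*.sys") { "/kp" } else { "/pa" }
    Invoke-Checked "signtool.exe" @("verify", $policy, "/v", $Path)
}

# 1. Build everything in Release mode.
Invoke-Checked "msbuild.exe" @($Solution, "/m", "/p:Configuration=$Configuration", "/p:Platform=$Platform")

# 2. Sign and verify every executable, DLL and driver the installer will ship (assumed output folder).
$outDir = ".\Bin\$Platform\$Configuration"
foreach ($f in Get-ChildItem -Path $outDir -Recurse -Include *.exe, *.dll, *.sys) {
    Set-CodeSignature  $f.FullName
    Test-CodeSignature $f.FullName
}

# 3. Build the installer from the already signed files, then sign and verify the installer itself.
#    /D passes a preprocessor define into the .iss script; the script is assumed to use OutputDir.
Invoke-Checked "iscc.exe" @("/DOutputDir=$outDir", $InnoScript)
$installer = Get-ChildItem -Path ".\Installer\Output" -Filter *.exe | Select-Object -First 1
Set-CodeSignature  $installer.FullName
Test-CodeSignature $installer.FullName
```

Run it from a Developer Command Prompt (so msbuild.exe, signtool.exe and iscc.exe are on the PATH) on the machine that holds the certificate. Signing by thumbprint rather than by subject name avoids picking up a wrong certificate when several live in the store, and verifying immediately after signing is what turns a quiet signing problem into a failed build.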

DavidXanatos commented 4 years ago

Is there a reason why Sandboxie/SandboxiePlus are split?

SandboxiePlus is very new, so I wanted to also provide a familiar, classical version to all the old users. Also the SandboxiePlus build is many tens of MB in size due to the Qt Framework used for the new UI.

So for the time being, until the plus build matures a bit, I would stick to having 2 releases.

DavidXanatos commented 4 years ago

I think since a lot of users have problems with the sys file it may be a good idea to update the current release only with a signed driver and then, with no hurry, look into the deployment of a fully signed release.

GieltjE commented 4 years ago

Let me know which to sign or send them via mail, then we can at least test that.

DavidXanatos commented 4 years ago

I have sent you 2 driver files by mail for the 32 and 64 bit versions; with them signed I will upload a 0.2.3 release. thx :-)

GieltjE commented 4 years ago

You should have a reply, hope this helps everyone for now.

deajan commented 4 years ago

@GieltjE @DavidXanatos I don't want to be the bad news guy here, but keep in mind that lending a certificate is a bad idea. If it happens that some AV engines report SBIE someday for whatever reason, you'll have a hard time trying to rehab that certificate, since it was used outside of the moral person scope it was granted to. IMHO a dedicated certificate is still needed, especially for software that touches kernel security like this one.

GieltjE commented 4 years ago

@deajan I had some issues with false positives before (virus scanners usually denote anything they don't understand as a virus or something), never had issues with it further than removing Norton (and a few others) from the clients' PCs.

Could still help though with the new installer and build scripts.

Gravityzwell commented 4 years ago

Thanks for the assist GieltjE!

My 2 cents: Change the wording to:

If you want SandboxiePlus to get a proper EV-Code Signing Certificate please support the project through donations. You can donate via paypal at https://xanasoft.com/ or patreon https://www.patreon.com/DavidXanatos

Basically take out the "me's".

DavidXanatos commented 4 years ago

"me's" ? I don't understand.

Gravityzwell commented 4 years ago

If you want me to get a proper EV-Code Signing Certificate please support the project through donations you can donate via paypal on my homepage https://xanasoft.com/ or support me on patreon https://www.patreon.com/DavidXanatos

If you want SandboxiePlus to get a proper EV-Code Signing Certificate please support the project through donations. You can donate via paypal at https://xanasoft.com/ or patreon https://www.patreon.com/DavidXanatos

A matter of choice of course which I leave to you. I can tell you I have a lot of experience with such things, and I've seen such sentences get worked and reworked by managers and higher. The first stood out to me as too much like a guy asking for money, while the second makes it about the project, which speaks for itself. I mean the best for this effort and your efforts in particular.

DavidXanatos commented 4 years ago

Ah, I see, of course! I have changed the text as recommended, thx.

JulyMorning commented 4 years ago

Sorry for the newbie question: will this fork implement all the changes made to the main project?

DavidXanatos commented 4 years ago

Given the current developmental progress, your question should be the opposite: will the classical branch implement all the changes made by this branch. And I don't see why not all the changes are improvements.

JulyMorning commented 4 years ago

I fully understand that your version now is much more alive :) Asked just in case.

tagatac commented 4 years ago

@DavidXanatos, I appreciate all you're doing for Sandboxie.

Have you considered setting up a Kickstarter for the cert? I think the Kickstarter model (setting a goal at which you promise to deliver something) is a better match for this situation than a monthly subscription. Just set the goal to whatever you believe is fair (including your time obtaining the cert and using it), and then people can pledge in confidence that they won't be charged unless the goal is reached and they have your word that the next release will be signed with the cert.

DavidXanatos commented 4 years ago

Well, Kickstarters are in my opinion for if you want 10's of 1000's of $$. The certificate shouldn't be that expensive, although it may end up being so, as it seems the CAs issue EV certs only to companies, so I will need a shell company, or find someone with one who will be willing to help out.

But aside from the cost aspect, the cert is valid only for a limited amount of time, max 3 years. So to keep having a certificate, a monthly subscription is actually not that stupid, as the costs are recurring.

DavidXanatos commented 3 years ago

We have one for now :D