signalapp / Signal-Desktop

A private messenger for Windows, macOS, and Linux.
https://signal.org/download
GNU Affero General Public License v3.0
14.16k stars, 2.58k forks

Windows Defender Application Control (WDAC) blocks .node files because they are not signed by a publisher (Windows 11/10) #6843

Closed. GHM3434 closed this issue 2 months ago.

GHM3434 commented 3 months ago

Using a supported version?

Overall summary

Windows Defender Application Control (WDAC) is a security feature that you can enable (not enabled by default) to increase security on computer(s). Unfortunately it complains about and blocks ALL .node files located at:

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules

More specifically these exact folders and files:

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules\@nodert-win10-rs4\windows.data.xml.dom\build\Release\binding.node

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules\@nodert-win10-rs4\windows.ui.notifications\build\Release\binding.node

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules\@signalapp\better-sqlite3\build\Release\better_sqlite3.node

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules\@signalapp\libsignal-client\prebuilds\win32-x64\node.napi.node

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules\@signalapp\ringrtc\build\win32\libringrtc-x64.node

C:\Users\USERNAME\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules\@signalapp\windows-dummy-keystroke\build\Release\NativeExtension.node

I believe these are all the files WDAC complains about.

Normally, you can make a signed-by-publisher rule in WDAC which, if these files were signed by Signal, would allow them to run. (However, they are not signed, so WDAC blocks these .node files.)

Alternatively, you could normally make a file path rule for these files, but because AppData is a "user-writable" area, WDAC will ignore any file path rules.

Then the only option is to re-edit the policy you created in WDAC and check an option called "Disable Runtime Filepath Rules", but this is insecure because an attacker could rename any of their files to the same name as one of the file path rule files, or, if someone created a rule with "*", any file would run in the path defined in the WDAC rule.

Steps to reproduce

  1. Set up a WDAC policy with "Disable Runtime Filepath Rules" unchecked and "Audit mode" unchecked
  2. Restart Windows PC
  3. Run Signal

Expected result

Signal app runs like normal

Actual result

  1. Signal will not open, with an error message complaining about a .node file
  2. Event Viewer will have a WDAC log entry also complaining about the .node file

Screenshots

No response

Signal version

7.3.0

Operating system

Windows 11

Version of Signal on your phone

No response

Link to debug log

No response
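The issue body above argues that the right fix on the policy side is a Publisher rule rather than a path rule under AppData, and that the "Disable Runtime Filepath Rules" option is the wrong way out. The following is an added example, not code from the Signal project or from anyone in this thread, showing how an administrator would build that Publisher-rule supplemental policy with the ConfigCI cmdlets that ship with Windows 10/11 and confirm the weak option (rule option 18, "Disabled:Runtime FilePath Rule Protection") is absent. It assumes the .node files carry a valid Authenticode signature (the maintainer's reply in this thread says they do), that the base policy already allows supplemental policies, that the install path is the per-user default quoted in the issue, and that `$basePolicyId` is replaced with your own base policy ID; run it from an elevated PowerShell session.

```powershell
# Added example, not code from the Signal project or from this thread's participants.
# Builds a WDAC supplemental policy that allows Signal Desktop's native .node modules
# by Publisher rule, so no path rule (ignored at runtime in user-writable locations)
# and no "Disabled:Runtime FilePath Rule Protection" option is needed.
# Assumptions: ConfigCI module present, files are Authenticode-signed, base policy
# permits supplemental policies, $basePolicyId is a placeholder you must replace.

$signalRoot   = Join-Path $env:LOCALAPPDATA 'Programs\signal-desktop\resources\app.asar.unpacked\node_modules'
$basePolicyId = '{00000000-0000-0000-0000-000000000000}'   # placeholder: your base policy's PolicyID
$xmlOut       = Join-Path $env:TEMP 'SignalDesktop-Supplemental.xml'

# 1. Let ConfigCI enumerate user-mode PEs under the Signal tree (the .node files are
#    ordinary PE DLLs with an unusual extension), then keep only those with a valid
#    Authenticode signature. Unsigned files are reported explicitly, because neither a
#    Publisher rule nor (under %LOCALAPPDATA%) a path rule can allow them.
$pes = Get-SystemDriver -ScanPath $signalRoot -UserPEs -NoShadowCopy |
           Where-Object { $_.FilePath -like '*.node' }
if (-not $pes) { throw "Get-SystemDriver found no .node PE files under $signalRoot." }

$signed = $pes | Where-Object { (Get-AuthenticodeSignature -FilePath $_.FilePath).Status -eq 'Valid' }
$pes | Where-Object { $_.FilePath -notin $signed.FilePath } |
    ForEach-Object { Write-Warning "No valid signature, Publisher rule impossible: $($_.FilePath)" }
if (-not $signed) { throw 'No validly signed .node files found; a Publisher rule cannot be generated.' }

# 2. One Publisher-level rule per signed file. -Fallback Hash means a file whose
#    certificate chain cannot be expressed as a Publisher rule still gets an explicit
#    hash rule instead of being silently dropped from the policy.
$rules = New-CIPolicyRule -DriverFiles $signed -Level Publisher -Fallback Hash

# 3. Write the rules into a supplemental policy (multiple-policy format) bound to the base.
New-CIPolicy -FilePath $xmlOut -Rules $rules -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $xmlOut -SupplementsBasePolicyID $basePolicyId -PolicyName 'Signal Desktop native modules'

# 4. Make sure the weak option is NOT set. Rule option 18 is
#    "Disabled:Runtime FilePath Rule Protection", the switch the issue calls
#    "Disable Runtime Filepath Rules". Deleting it is a no-op if it was never added.
Set-RuleOption -FilePath $xmlOut -Option 18 -Delete

# 5. Sanity check before deploying: the allow rules must live in the user-mode signing
#    scenario (SigningScenario Value="12"). Rules that only landed in the kernel
#    scenario (Value="131") would leave Signal blocked exactly as before.
[xml]$policy = Get-Content -Path $xmlOut
$userMode = $policy.SiPolicy.SigningScenarios.SigningScenario | Where-Object { $_.Value -eq '12' }
if (-not $userMode -or -not ($userMode.ProductSigners.AllowedSigners -or $userMode.ProductSigners.FileRulesRef)) {
    throw 'Generated policy has no user-mode allow rules; inspect the XML before deploying.'
}

# 6. Compile to the binary form WDAC loads. For multiple-policy deployment the file is
#    named {PolicyID}.cip and placed in %windir%\System32\CodeIntegrity\CiPolicies\Active\.
$cip = Join-Path $env:TEMP "$($policy.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy -XmlFilePath $xmlOut -BinaryFilePath $cip
Write-Host "Supplemental policy compiled to $cip. Copy it into the Active folder, reboot, then re-test Signal."
```

If step 1 warns about an unsigned file, stop there: that is the situation the reporter describes, and the only policy-side workaround is the path rule plus option 18 the issue correctly calls insecure, so the fix has to come from the vendor signing the binary.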

scottnonnenberg-signal commented 3 months ago

@GHM3434 Hi there! I just installed Signal Desktop 7.3.0 on a Windows VM and verified that all of the .node files under C:\Users\Scott\AppData\Local\Programs\signal-desktop\resources\app.asar.unpacked\node_modules have a digital signature.

You mention that you believe that they are unsigned? How did you verify that? Maybe it's something else that WDAC is complaining about?
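The maintainer's reply turns on one question: are the .node files actually signed? As an added example that is not code from Signal or from anyone in this thread, the script below does the same check an administrator would run before filing or triaging such a report: it records the Authenticode status and signer for every .node file under Signal Desktop's unpacked node_modules, and pulls the matching CodeIntegrity events (3077 for an enforced block, 3076 for an audit-mode block) so a block can be attributed to a specific file. It assumes the per-user install path quoted in the issue and an elevated prompt for reading the operational log.

```powershell
# Added example, not code from the Signal project or from this thread's participants.
# Checks Authenticode status of Signal Desktop's native .node modules and correlates
# them with WDAC enforcement events. Assumption: default per-user install path.

$signalRoot = Join-Path $env:LOCALAPPDATA 'Programs\signal-desktop\resources\app.asar.unpacked\node_modules'

function Get-SignalNodeModuleSignatures {
    param([string]$Root = $signalRoot)
    Get-ChildItem -Path $Root -Recurse -Filter '*.node' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName.Substring($Root.Length + 1)
            Status     = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Issuer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

# Event 3077 = blocked by an enforced WDAC policy; 3076 = would have been blocked in
# audit mode. Both are written to the CodeIntegrity operational log.
function Get-WdacEventsForPath {
    param([string]$PathFragment, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$PathFragment*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 3077) { 'Enforced' } else { 'Audit' } } },
            Message
}

$results = Get-SignalNodeModuleSignatures
$results | Format-Table File, Status, Signer -AutoSize

# Anything other than Valid cannot be covered by a Publisher rule, and because
# %LOCALAPPDATA% is user-writable a path rule is ignored unless the insecure
# "Disabled:Runtime FilePath Rule Protection" option is set, so call it out.
$unsigned = $results | Where-Object { $_.Status -ne 'Valid' }
if ($unsigned) {
    Write-Warning ("Files a Publisher rule cannot allow:`n" + ($unsigned.File -join "`n"))
} else {
    Write-Host "All $($results.Count) .node files carry a valid Authenticode signature."
}

# Recent CodeIntegrity blocks mentioning the Signal install, newest first.
Get-WdacEventsForPath -PathFragment 'signal-desktop' | Format-List
```

A `Valid` status with a Signal signer and no 3077 events for those paths means WDAC is complaining about something else (a different file, or a rule-level mismatch); a `NotSigned` status is the situation the issue describes and no publisher rule can cover it.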

GHM3434 commented 3 months ago

Thank you for getting back to me.

It's been a while since I originally posted this issue (I posted a long time ago, but GitHub shadowbanned me and I didn't know, so I deleted and reposted after GitHub support fixed my account). Let me test again and I will get back to you. Maybe this issue is fixed already.

Thank you

GHM3434 commented 2 months ago

Hi,

It looks like the files are indeed signed now! Sorry for wasting your time. I will close the ticket now. I tested installing and running the latest version with no issues. Then, I went back and tried to install and run a version from a few months ago and it complained about those files in OP. I also checked 1 or 2 files after installing new version and they are indeed signed.

Thanks again!