srwi / EverythingToolbar

Everything integration for the Windows taskbar.

Establish release workflow using GitHub Actions #522

Closed mohit0121 closed 1 week ago

mohit0121 commented 1 month ago

Preflight Checklist

EverythingToolbar Version

1.3.4

Everything Version

1.3.4 x64

Windows Version

Win 11 Enterprise 22H2

Steps to reproduce

https://www.hybrid-analysis.com/sample/ed78aec2473700527c01cb0ab4950b33c0c3cee44f40372241b16d8b798b5e77?environmentId=140

Expected Behavior

file analysis link above

Actual Behavior

file analysis link above

Screenshots

No response

Log output

file analysis link above

Additional Information

No response

srwi commented 1 month ago

Hi @mohit0121, I reported it as a false positive. Thanks for pointing it out!

mohit0121 commented 4 weeks ago

@srwi Would you be kind enough to get it digitally signed by a Trusted CA / Developer of this app please?

srwi commented 4 weeks ago

I'm not really looking to spend money on a code signing certificate, but I'm thinking about setting up a GitHub Actions release workflow instead. This could help show that the installer is safe by making the build process more transparent.

mohit0121 commented 3 weeks ago

Attachments:

EverythingToolbar-1.3.4.msi Sandbox Counter Adversary Operations _ Intelligence.pdf
EverythingToolbar-1.3.4.msi Sandbox Counter Adversary Operations _ Static Analysis.pdf
EverythingToolbar-1.3.4.msi Sandbox Counter Adversary Operations _ Dynamic Analysis.pdf
EverythingToolbar-1.3.4.msi Sandbox Counter Adversary Operations _ Mitre Attack.pdf

1. Would you be kind enough to confirm whether these vulnerabilities are false positives and can be safely ignored?

2. I would like to know more about the GitHub Actions release workflow. How will this satisfy the requirement of digital signatures from a Trusted CA?

srwi commented 2 weeks ago

  1. Would you be kind enough to confirm whether these vulnerabilities are false positives and can be safely ignored?

Yes, they can be ignored. There is no spyware in EverythingToolbar.

  2. I would like to know more about the GitHub Actions release workflow. How will this satisfy the requirement of digital signatures from a Trusted CA?

EverythingToolbar is fully open-source and everybody can look at the code. Currently the release process consists of me manually creating the installer on my machine from that code. Technically at that time I could still inject some malware in there (which I don't). By automating the release workflow in GitHub Actions, the whole process would be made transparent and those who care can look at how the installer was created based on a snapshot of the code at that point in time.

This has nothing to do with digital signatures from a trusted CA. I don't have such a certificate and I am not planning to get one because I am not willing to spend money on one, which to my knowledge I would have to do.

srwi commented 1 week ago

I added a release workflow via GitHub Actions that creates the installer and the SHA-256 hash that can be used to verify that the MSI has not been tampered with. I think for now this is all I can do. The next release will be performed using that workflow.

https://github.com/srwi/EverythingToolbar/blob/master/.github/workflows/release.yml
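One way a user can perform the check srwi describes on Windows, as an added example that is not part of the EverythingToolbar repository or its workflow; the installer path and the expected digest are placeholders you replace with the file you downloaded and the hash published with the release:

```powershell
# Added example, not the project's own script. Verifies a downloaded MSI
# against the SHA-256 digest published with the GitHub release and then
# reports its Authenticode status, which for this project will be NotSigned
# because no code-signing certificate is used.
param(
    # Placeholder path: point this at the installer you downloaded.
    [string]$Msi = "$env:USERPROFILE\Downloads\EverythingToolbar-1.3.4.msi",
    # Placeholder value: paste the digest published with the release here.
    [string]$ExpectedSha256 = "<sha256-from-release-page>"
)

# Normalise the published digest and refuse anything that is not 64 hex chars,
# so a truncated copy-paste cannot silently "match" a truncated comparison.
$expected = $ExpectedSha256.Trim().ToLowerInvariant()
if ($expected -notmatch '^[0-9a-f]{64}$') {
    throw "ExpectedSha256 must be a 64-character hexadecimal SHA-256 digest."
}
if (-not (Test-Path -Path $Msi -PathType Leaf)) {
    throw "Installer not found: $Msi"
}

# Built-in cmdlet, no third-party tooling; .Hash is upper-case hex.
$actual = (Get-FileHash -Path $Msi -Algorithm SHA256).Hash.ToLowerInvariant()

if ($actual -ne $expected) {
    Write-Error "SHA-256 MISMATCH for $Msi`n  expected: $expected`n  actual:   $actual"
    exit 1
}
Write-Host "SHA-256 OK: $actual"

# The hash only proves the file equals what the release published; it says
# nothing about who built it. Authenticode would carry publisher identity,
# and here it is expected to report NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $Msi
Write-Host "Authenticode status: $($sig.Status)"
```

A matching hash tells you the download was not altered in transit or after publication; it does not replace a CA-issued signature, which is exactly the limitation srwi points out above.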