taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace

gam.exe is not digitally signed and therefore cannot be whitelisted by publisher with applocker #259

Closed Dazpoet closed 2 years ago

Dazpoet commented 2 years ago

I tried searching here and in the mailing list but got no hits so hopefully this isn't a repeat of an earlier issue.

As it says in the title. My employer recently started using AppLocker and since then I need to hand IT the .exe file to get a file hash allowed each time I update.

If the software was digitally signed we could blanket-allow it.

I don't know how hard this is to implement nor if anybody else has this issue but if more people start using AppLocker I guess it could be a thing worth looking into.

taers232c commented 2 years ago

William,

Does AppLocker recommend how to get an app digitally signed?

Ross

Dazpoet commented 2 years ago

Microsoft, who are the ones behind AppLocker, have some information about code signing. From what I gather, and I could be very wrong, the non-trivial part is acquiring a certificate for signing code to begin with. These seem to come at a steep cost (one to a few hundred USD/year) and once you have one, signing for Windows is "just" a matter of using Signtool.exe or something that implements enough of it to sign on other OSes like jsign or osslsigncode.

When looking around I found an old video which shows how to use PowerShell's Windows-exclusive Set-AuthenticodeSignature cmdlet to sign an exe. I also tripped over a company's short guide to code signing on different OSes which I thought was easy to follow.

Now I can understand not wanting to pay hundreds of USD for distributing something for free so I looked around and found that a free solution is on the horizon with sigstore and their fulcio solution. However the problem I wanted solved was signed exes for Windows and Fulcio doesn't solve that according to issue#250 on their github.

So it would appear that in the end all I've managed to find points towards how a free solution to this issue would demand a resolution of Fulcio#250, which also seems non-trivial.

As such it would appear I've wasted your time with this issue but somehow ended up forcing myself to read up on how certificates work.

jay-eleven commented 2 years ago

@Dazpoet, I'm speculating here, bear with me. Your IT guys might be able to self issue the required cert for free: https://codesigningstore.com/how-to-generate-self-signed-code-signing-certificate

This would be useful to sign gam or other pieces of software that have not been digitally signed by their publishers.

Dazpoet commented 2 years ago

@jay-eleven we actually do this for certain in-house tools iirc. However wouldn't that require IT to download each version of gam, sign it and then deploy it through SCCM/Intune/GPO as well as pushing the trusts needed for the self-signed certificate?

The, very, few of us that use GAM normally "install" it ourselves via the .zip file since that works without administrative rights.

However I did see some answers in the mailing list about how people checked for the latest version of GAM and if it wasn't up to date downloaded a newer version. I wonder if that could be adapted to download, self-sign and then push to the company portal (which we use) somehow. I'll have to ask IT about that though :)

jay-eleven commented 2 years ago

They would need to download the new version and sign it with any certificate they already use to sign other in-house tools. Since the certificate is the same, you already have it in your machine's cert store.

I doubt your IT guys will give you the private key so that you can sign apps, but hey, asking never hurts! What most probably will happen is that they'll insist on signing the software themselves. And that's exactly the problem: Ross is so prolific that they might need to download and sign gam several times a week!! And they'll quickly grow tired unless they automate it... :-)

In order to determine if a new gam version has been released, you need to use gam version checkrc [Source: Wiki]

gam version checkrc
GAM 5.35.08 - https://github.com/taers232c/GAMADV-XTD3
Ross Scroggs <ross.scroggs@gmail.com>
Python 3.8.1 64-bit final
google-api-python-client 1.7.11
httplib2 0.16.0
oauth2client 4.1.3
MacOS High Sierra 10.13.6 x86_64
Path: /Users/Admin/bin/gamadv-xtd3
Version Check:
  Current: 5.35.08
   Latest: 6.18.01
echo $?
1
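The procedure the thread sketches (detect a new release from the checkrc exit code, have IT sign the staged gam.exe with the certificate they already use for in-house tools, verify the signature before it goes to the deployment tool) as one PowerShell script. This is an added example, not code from GAMADV-XTD3 or from anyone in this thread. It assumes gam.exe is on PATH and that, as in the session above, checkrc exits non-zero when a newer release exists; the certificate subject, timestamp server URL and staging path are placeholders for your environment. Signing is done with the same Set-AuthenticodeSignature cmdlet mentioned earlier; for a self-signed certificate the trust part of the thread shows up as an UnknownError status until IT has pushed the certificate into the machines' trusted stores.

```powershell
# Added example (not from the GAMADV-XTD3 project or this thread).
# Assumptions / placeholders:
#   - 'gam version checkrc' exits non-zero when Current < Latest (see session above).
#   - An in-house code-signing cert with its private key sits in Cert:\CurrentUser\My.
#   - $CertSubject, $TimestampServer and $StagedGamExe are placeholders.
param(
    [string]$GamExe          = 'gam.exe',
    [string]$CertSubject     = 'CN=Example Internal Code Signing',        # placeholder
    [string]$TimestampServer = 'http://timestamp.example.invalid/rfc3161', # placeholder
    [string]$StagedGamExe    = 'C:\staging\gam\gam.exe'                    # placeholder
)

function Test-GamUpdateAvailable {
    # Returns $true when checkrc reports a newer release (non-zero exit code).
    & $GamExe version checkrc | Out-Null
    return ($LASTEXITCODE -ne 0)
}

function Get-InHouseCodeSigningCert {
    param([string]$Subject)
    # -CodeSigningCert keeps only certs carrying the Code Signing EKU; we also
    # require the private key and prefer the one that expires last.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate '$Subject' with a private key found." }
    return $cert
}

function Invoke-GamSigning {
    param(
        [string]$Path,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Tsa
    )
    # SHA-256 digest plus an RFC 3161 timestamp, so the signature stays valid
    # after the signing certificate itself expires.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $Cert `
                                     -HashAlgorithm SHA256 -TimestampServer $Tsa
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    if ($sig.Status -eq 'UnknownError' -and $selfSigned) {
        # The file IS signed; the chain just does not end in a root this machine trusts.
        # That is the "needed trusts" problem from the thread: IT has to deploy the cert
        # to Trusted Root / Trusted Publisher before a publisher rule can match.
        Write-Warning "Signed with a self-signed cert that is not yet trusted here: $($sig.StatusMessage)"
    } elseif ($sig.Status -ne 'Valid') {
        throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
    }
    return $sig
}

function Test-GamSignature {
    param([string]$Path, [string]$ExpectedThumbprint)
    # Gate before deployment: the chain must validate AND the signer must be our cert.
    # Checking only Status would accept any validly signed binary, not ours specifically.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
}

# --- main flow ---
if (-not (Test-GamUpdateAvailable)) {
    Write-Host 'gam is current; nothing to sign.'
    return
}
# (IT downloads the new release to $StagedGamExe here; the thread leaves that step to them.)
if (-not (Test-Path $StagedGamExe)) { throw "Staged binary not found: $StagedGamExe" }

$cert = Get-InHouseCodeSigningCert -Subject $CertSubject
$null = Invoke-GamSigning -Path $StagedGamExe -Cert $cert -Tsa $TimestampServer

if (Test-GamSignature -Path $StagedGamExe -ExpectedThumbprint $cert.Thumbprint) {
    Write-Host "Signed and verified: $StagedGamExe (thumbprint $($cert.Thumbprint))"
    # Optional, needs the AppLocker module: shows the publisher string a rule would match on.
    if (Get-Command Get-AppLockerFileInformation -ErrorAction SilentlyContinue) {
        (Get-AppLockerFileInformation -Path $StagedGamExe).Publisher
    }
} else {
    throw 'Signature did not verify against our certificate; do not deploy.'
}
```

Run it from the account that holds the signing key (the thread's IT team, not end users), then hand the staged file to SCCM/Intune. The thumbprint comparison in Test-GamSignature is what makes the check stronger than "is it signed": a binary signed by any other certificate that happens to chain to a trusted root is rejected, which is also the property an AppLocker publisher rule pinned to your certificate relies on.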