tutao / tutanota

Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.
https://tuta.com
GNU General Public License v3.0

Sign all unsigned dll files within the Windows desktop app #4830

Closed hj-collab closed 1 year ago

hj-collab commented 1 year ago

3rd party libraries used in the Windows Desktop App are unsigned. Tutanota desktop client cannot be used in environments which make use of WDAC. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview

Please sign these unsigned libraries with Tutanota signature.

charlag commented 1 year ago

Hi, thanks for the report! Could you provide more info on how can we check that or which libraries are those? Thanks!

hj-collab commented 1 year ago

Hi @charlag,

Thanks for your prompt reply. You can reproduce it in the following way.

1) Download and install the Windows client of Tutanota. https://mail.tutanota.com/desktop/tutanota-desktop-win.exe
2) Navigate to the install location in Windows File Explorer.
3) Right-click on the DLL files, go to their properties and see if there is any Digital Signatures tab. If not, then it's unsigned. You can check the same on Tutanota Desktop.exe, which is of course signed. A screenshot comparison below.

[screenshots: file properties of an unsigned DLL with no Digital Signatures tab, next to Tutanota Desktop.exe with a Digital Signatures tab]

You need to sign these DLL libraries with the Tutanota certificate. It will ensure that all code will execute fine when under WDAC/AppLocker/Hardened Windows Environment. Such hardening is especially applied in corporate environments. I am not a corporate customer of Tutanota and use it on a personal level but do harden my system to keep it as secure as possible.
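The manual Properties check above can be automated for a whole install directory. The following PowerShell script is an added example for this write-up; it is not code from the thread or from Tuta. It walks the install folder, runs `Get-AuthenticodeSignature` on every `.exe`, `.dll` and `.node` file, and prints which ones are not validly signed. The default install path (`%LOCALAPPDATA%\Programs\Tutanota Desktop`, the usual per-user location for an electron-builder NSIS install) is an assumption; pass `-InstallDir` if yours differs.

```powershell
# Added example (not Tuta's code): report the Authenticode status of every PE file
# under the Tuta Desktop install directory, so unsigned DLLs/.node modules show up
# without opening Properties on each file by hand.
# The default path is an assumption about where the per-user installer puts the app.
param(
    [string]$InstallDir = (Join-Path $env:LOCALAPPDATA 'Programs\Tutanota Desktop')
)

if (-not (Test-Path -LiteralPath $InstallDir)) {
    throw "Install directory not found: $InstallDir (pass -InstallDir)"
}

# .node files are native Node addons: ordinary DLLs with a different extension,
# so an allow-listing policy treats them exactly like .dll.
$files = Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Include *.exe, *.dll, *.node

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File   = $f.FullName.Substring($InstallDir.Length).TrimStart('\')
        # Status is Valid, NotSigned, HashMismatch, UnknownError, NotTrusted, ...
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$report | Sort-Object Status, File | Format-Table -AutoSize

# Anything other than Valid will not satisfy a WDAC/AppLocker publisher rule; such
# files would need hash rules, which break on every update of the binary.
$unsigned = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($unsigned.Count -gt 0) {
    Write-Warning ("{0} of {1} PE files are not validly signed" -f $unsigned.Count, $report.Count)
    exit 1
}
```

Note that `Valid` also depends on the signer's chain being trusted on the machine that runs the check: a file signed with a certificate the machine does not trust reports `NotTrusted`, not `NotSigned`, so read the `Status` column rather than just counting non-`Valid` entries when diagnosing a specific machine.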

hj-collab commented 1 year ago

@charlag If by any chance this is an electron app and using electron builder then you just need to use a parameter.

https://www.electron.build/configuration/win


ganthern commented 1 year ago

Test Notes

hj-collab commented 1 year ago

@ganthern Thanks for the prompt action on this! Shouldn't this be "signDlls": true instead of "signDlls": sign?

ganthern commented 1 year ago

We're not signing our internal debug builds, all test and production releases will have sign set to true.

hj-collab commented 1 year ago

@ganthern @charlag Sorry to bother you guys again. The Electron Builder team is going to deprecate automatic signing of .node files and the signDLL parameter. It will be replaced by the new signExts: [".node, .dll"]

Source: https://github.com/electron-userland/electron-builder/issues/7329#issuecomment-1648539509
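For reference, the two Windows signing options discussed in this thread side by side, as an added example of an electron-builder configuration; this is not the project's own config, and the file name `electron-builder.yml` and the placeholder `appId` are assumptions (electron-builder also accepts the same keys under `"build"` in package.json).

```yaml
# Added example, not Tuta's configuration: electron-builder.yml (assumed file name)
# showing the deprecated and the replacement option for signing bundled native code.
appId: com.example.desktop      # placeholder, not the real appId
win:
  target: nsis
  # The signing certificate itself is supplied through the CSC_LINK / CSC_KEY_PASSWORD
  # environment variables at build time, never committed in this file.

  # Deprecated per the electron-builder issue linked above: sign .dll/.node files too.
  # signDlls: true

  # Replacement: list every extension that must be signed alongside the main .exe,
  # so that WDAC/AppLocker publisher rules cover the native modules as well.
  signExts:
    - ".node"
    - ".dll"
```

Whichever option is used, the check from earlier in the thread (open Properties, or run `Get-AuthenticodeSignature` over the install directory) is the way to confirm the build actually produced signed `.dll` and `.node` files, since a build without a certificate configured will still succeed and simply ship them unsigned.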

charlag commented 1 year ago

@hj-collab thank you for letting us know!