Closed hj-collab closed 1 year ago
Hi, thanks for the report! Could you provide more info on how we can check that, or which libraries those are? Thanks!
Hi @charlag,
Thanks for your prompt reply. You can reproduce it in the following way.
1) Download and install the Windows client of Tutanota. https://mail.tutanota.com/desktop/tutanota-desktop-win.exe
2) Navigate to the install location in Windows File Explorer.
3) Right click on the dll files, go to their properties and see if there is any Digital Signatures tab. If not, then it's unsigned. You can check the same on Tutanota Desktop.exe, which is of course signed. A screenshot comparison below.
You need to sign these dll libraries with the Tutanota certificate. It will ensure that all code will execute fine when under WDAC/AppLocker/hardened Windows environments. Such hardening is especially applied in corporate environments. I am not a corporate customer of Tutanota and use it on a personal level, but I do harden my system to keep it as secure as possible.
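The manual Properties check in the steps above can be scripted across the whole install folder. The following PowerShell is an added example, not part of the original thread or of the Tutanota project; the install path is a placeholder you must supply, and the extension list is an assumption.

```powershell
# Added example: report the Authenticode status of every binary under an install folder.
param(
    # Placeholder: pass the real install location of the desktop client.
    [string]$InstallDir = 'C:\Path\To\InstallFolder',
    # Assumption: file types worth checking in an Electron app.
    [string[]]$Extensions = @('.dll', '.node', '.exe')
)

function Get-BinarySignatureReport {
    param([string]$Path, [string[]]$Extensions)
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$report = @(Get-BinarySignatureReport -Path $InstallDir -Extensions $Extensions)

# Full listing, unsigned or invalid files grouped together by status.
$report | Sort-Object Status, File | Format-Table -AutoSize -Wrap

# Signers in use: a publisher-based allow rule must cover each one listed here.
$report | Group-Object Signer | Select-Object Count, Name | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
'{0} of {1} binaries lack a valid signature' -f $bad.Count, $report.Count
if ($bad.Count -gt 0) { exit 1 }
```

The non-zero exit code makes the script usable as a release gate after the signing step of a build.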
@charlag If by any chance this is an electron app and using electron builder then you just need to use a parameter.
@ganthern Thanks for the prompt action on this! Shouldn't this be "signDlls": true instead of "signDlls": sign?
We're not signing our internal debug builds, all test and production releases will have sign set to true.
@ganthern @charlag Sorry to bother you guys again. The Electron Builder team is going to deprecate automatic signing of .node files and the signDLL parameter. It will be replaced by the new signExts: [".node, .dll"]
Source: https://github.com/electron-userland/electron-builder/issues/7329#issuecomment-1648539509
@hj-collab thank you for letting us know!
3rd party libraries used in the Windows Desktop App are unsigned. Tutanota desktop client cannot be used in environments which make use of WDAC. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview
Please sign these unsigned libraries with Tutanota signature.