ultrahorizon / UH-VPN-Docs

Documentation, bug tracker and feature request system for UH VPN
https://docs.uh-vpn.com

FEATURE: Windows installer .msi file may have an invalid signature problem #32

Closed sunny75016 closed 4 years ago

sunny75016 commented 4 years ago

I am now testing the Windows client. As the standard precaution, I scanned the uh-vpn-installer_1.0.1.msi file on Virustotal and as expected all 61 scanners show that it is clean. The link below may work. https://www.virustotal.com/gui/file/1fe952ae389cdef4f430980c07c6ff29ca7ccd38cd80ef32e19717f2646aae44/detection

VirusTotal however shows the signature is invalid (image attached: vt-result).

Probably for this reason, Windows Installation process also shows the "unknown publisher" warning. Although it does allow the installation to go through if you override.

The solution may be for UH VPN team to sign the msi package with a valid digital signature. This is not so urgent as others may not share my paranoia.

jwsi commented 4 years ago

Hi @sunny75016,

The Windows installers already have digital signatures attached to the msi. The reason you see this warning is because we sign the file with our own signing certificate issued from our own CA instead of a cert issued from someone like DigiCert. SmartScreen scanner will eventually stop warning users about the "unknown publisher" as soon as the msi file gets enough downloads and installs.

You can indeed view the digital signatures attached to the msi file and verify yourself.

@AnthonyWharton designed this though so I'll let him confirm for certainty.

AnthonyWharton commented 4 years ago

Hi @sunny75016,

@jwsi is right, the installers are all signed but with our own signing certificate. As an organisation we do not own an EV Digital Code Signing certificate, so we will always potentially be subject to Windows SmartScreen, and decided that for these early days it did not bring us a good ROI. Cheaper certificates would have been an option but wouldn't have guaranteed safety from Windows SmartScreen, so we have decided to wait for the time being before purchasing an EV certificate.

Windows documentation is a work in progress (however, very similar to clients on other platforms!), but I made sure to include installation verification instructions from version 1.0.0: https://docs.uh-vpn.com/en/latest/clients/windows/installation.html

We will always post the latest hashes of our installers and they will always be installed by the same certificate - and if they ever differ it will be likely that we have bought an EV certificate and will update the documentation to reflect this accordingly.
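As an added example (not the project's own tooling), a PowerShell check that combines the two verification steps described in this thread: comparing the installer's SHA-256 against the published value, and pinning the signing certificate's thumbprint rather than relying on the Windows trust chain, which a private-CA certificate will never satisfy. The thumbprint is a placeholder to be replaced with the value from the documentation page above; the hash is the one from the VirusTotal link earlier in the issue.

```powershell
# Added example, not UH VPN project code. Assumptions: the expected hash and
# thumbprint come from the vendor's documentation; the thumbprint below is a
# placeholder, the hash is the SHA-256 in the VirusTotal link in this issue.
param(
    [string]$Path = ".\uh-vpn-installer_1.0.1.msi",
    [string]$ExpectedSha256 = "1fe952ae389cdef4f430980c07c6ff29ca7ccd38cd80ef32e19717f2646aae44",
    [string]$ExpectedThumbprint = "<PUBLISHED-SIGNING-CERT-THUMBPRINT>"
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: the file hash must match what the vendor published.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
}

# 2. Authenticode: a signature must be present and must cover the current contents.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature found on $Path"
}
if ($sig.Status -eq 'HashMismatch') {
    throw "Signature does not match file contents: file was modified after signing"
}
# A certificate issued by the vendor's own CA does not chain to a Windows trusted
# root, so Status is normally not 'Valid' even for a genuine file. That is the
# "unknown publisher" case from this issue, not evidence of tampering.
Write-Host "Signature status: $($sig.Status) - $($sig.StatusMessage)"

# 3. Identity: pin the signer instead of trusting the chain.
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match the pinned value"
}
Write-Host "OK: hash and signer match the published values"
Write-Host "Signer subject : $($sig.SignerCertificate.Subject)"
Write-Host "Issuer         : $($sig.SignerCertificate.Issuer)"
```

If the published thumbprint ever changes, as the comment above says it will when an EV certificate is bought, the pinned value must be updated from the documentation rather than from the installer itself.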