I was incredibly salty about this. I didn't name the CA, because they're actually nice to have reduced price for Open Source projects, but Microsoft really needs to drag the whole process into the 21st century.
The process and infrastructure reminds me very much of TLS before Let's Encrypt. If this is something that every developer needs to do for every exe, it can't be like getting an EV certificate for a Netscape Server. I thought Apple's often-buggy signing was bad, but at least they've tried to make it a one checkbox paid for in a straightforward transaction.
I would have signed with SHA-2, which for some inexplicable reason is not the default despite the deprecation, but my signtool crashed when I enabled it.
That CA took you for a ride. My open source Windows projects are signed, too. No smart card, no PIN when signing, no special software. I did have to provide some identity information and a photo, but identity verification is the service that CAs are expected to perform here. You would have had a better time with a different CA.
There have been recent changes in Microsoft's policy which now require a physical device to be used for signing. It's a giant pain. They alluded to cloud based services for signing, but other than Symantec's Enterprise offering (no listed price on their site), this doesn't really exist. I think MS needs to step up and provide a simple cloud based signing service. They should have waited to do this before forcing these changes.
That's not correct. Smart cards are required only for EV Code Signing certs. This is not one; this is a regular code signing cert. And there is no reason to panic. While the author sees warnings now, it's because the cert is fresh; it will gain reputation over time and become trustworthy.
Everything I've read hasn't differentiated. I can't seem to track down the official MS policy on my phone. Our certs are EV (need to sign drivers), so my experience is limited to EV certs.
My latest signing certs were issued around last August, and there didn't seem to be any extra rigmarole to get them (although I work for a large corporation; maybe that makes a difference?).
We've basically got a giant keystore server that handles the secret keys for all of the company's signing, then signing provider plugins installed on the build machines to communicate with the keystore, while allowing us to use standard tools like signtool.
Interesting, I just read up on that. Thanks for the info. My code signing certificate was issued before the cutoff, which appears to have been February 1, 2017. I guess I'm in for some fun when I need to renew.
Open source developer here. Also used to get Certum certificates with reduced price for open source developers, but their smartcard junk convinced me to use another provider. And they also raised their pricing policy.
I ended up with Comodo, which was "cheap". I then discovered that this was cheap for a reason: they did not provide the identity validation (something which was not clearly stated anywhere), and I had to pay for a notary certification (which was about twice as much as the certificate price), because apparently in the US an ID card is considered as reliable as your sport club membership card.
The whole Microsoft code certification is a shit show. It provides no security whatsoever, feeds an incredible number of incompetent parasites, and at the end is a real burden for open source developers like me, who want to get rid of the nasty Windows security messages, but also want to avoid being targeted by download sites bundling your binaries with some adware crap.
signtool badly needs to be updated. The interface is very confusing and the documentation, while fairly complete, isn't very helpful.
That said, I just upgraded ours and didn't have much trouble switching to sha256. There is one quirk about the order of the arguments due to some limitation with the timestamping servers. The documentation loudly points this out though. If it helps, here's my exact command line:
signtool.exe sign /v ^
    /n "Company, LLC" ^
    /ph /d "Description" ^
    /du "https://www.website.com" ^
    /tr "http://timestamp.comodoca.com" ^
    /td sha256 ^
    /fd sha256 ^
    executable.exe
(/td must come after /tr.)
Not being able to automate these EV hardware tokens because of the password is a pain that I'm already annoyed by though.
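Since the whole point of the command above is the /fd sha256 digest, it is worth checking what a signing run actually wrote into the binary rather than trusting that the right signtool picked up the right switch. The following is an added example for this thread, not code from any commenter: it walks the PE security directory (data directory index 4) to the embedded WIN_CERTIFICATE, descends into the PKCS#7 SignedData and decodes the digestAlgorithm OID, so a SHA-1 signature and a SHA-256 one are told apart directly from the bytes. The fake_* helpers build constructed fixtures (a PE skeleton and a structurally minimal SignedData that is not a real signature) so the parser can be exercised offline; on a real file, call authenticode_digest_algorithms() on its contents.

```python
"""Which digest does an Authenticode signature really use? (sha1 vs sha256)
Added example, not from this thread. Reads only the primary signature; nested
(/as) signatures live in unauthenticated attributes and are not followed."""
import struct

OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"


def der_read(buf, pos=0):
    """One DER TLV at pos -> (tag, value, position after it); handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Items of a constructed value (SEQUENCE / SET / [0]) as (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items


def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))


def pkcs7_digest_algorithm(blob):
    """ContentInfo -> [0] SignedData -> digestAlgorithms SET -> first AlgorithmIdentifier."""
    kids = der_children(der_read(blob)[1])
    assert decode_oid(kids[0][1]) == SIGNED_DATA_OID, "not a PKCS#7 signedData blob"
    fields = der_children(der_children(kids[1][1])[0][1])  # [version, digestAlgorithms, ...]
    alg_id = der_children(fields[1][1])[0][1]
    oid = decode_oid(der_children(alg_id)[0][1])
    return OID_NAMES.get(oid, oid)


def security_directory(pe):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, data directory index 4."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                                  # PE\0\0 + COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    return struct.unpack_from("<II", pe, opt + (112 if pe32plus else 96) + 4 * 8)


def authenticode_digest_algorithms(pe):
    """Digest name per WIN_CERTIFICATE entry in the security directory; [] if unsigned."""
    off, size = security_directory(pe)
    end, algs = off + size, []
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8:
            break
        if ctype == 0x0002:                                  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            algs.append(pkcs7_digest_algorithm(pe[off + 8:off + length]))
        off += (length + 7) & ~7                             # entries are 8-byte aligned
    return algs


# Constructed fixtures (not real signatures): only the structure the parser walks.
def der(tag, value):
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out


def fake_signed_data(digest_oid):
    alg = der(0x30, der(0x06, encode_oid(digest_oid)) + der(0x05, b""))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, alg)
                 + der(0x30, der(0x06, encode_oid("1.3.6.1.4.1.311.2.1.4"))))  # SPC_INDIRECT_DATA
    return der(0x30, der(0x06, encode_oid(SIGNED_DATA_OID)) + der(0xA0, signed))


def fake_pe(cert_blob=None, pe32plus=True):
    """Minimal PE skeleton; appends a WIN_CERTIFICATE and points the security dir at it."""
    e_lfanew, opt = 0x40, 0x40 + 24
    data_dirs = opt + (112 if pe32plus else 96)
    pe = bytearray(data_dirs + 16 * 8)
    pe[:2] = b"MZ"
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    struct.pack_into("<H", pe, opt, 0x20B if pe32plus else 0x10B)
    if cert_blob is None:
        return bytes(pe)                                     # unsigned: directory stays 0/0
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    win_cert += b"\0" * (-len(win_cert) % 8)
    struct.pack_into("<II", pe, data_dirs + 4 * 8, len(pe), len(win_cert))
    return bytes(pe) + win_cert
```

Run it over the freshly signed executable (for example `authenticode_digest_algorithms(open("executable.exe", "rb").read())`); a result of ["sha1"] after a run that was supposed to use /fd sha256 is the symptom the thread is circling around, and usually means a stale signtool was picked up from the path.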
Pretty sure the new way is via PowerShell:
Set-AuthenticodeSignature -HashAlgorithm "sha256" -IncludeChain "all" -FilePath "File" -Certificate $Cert -TimestampServer $TSUrl
Can you confirm that the reason the password is forced is the PKCS12 (pfx) import has flagged the key as requiring a password every signature? (and it cannot be disabled).
I believe you can use mimikatz to forcibly strip the strong protection flag from the key. Microsoft says this is normally not possible, yet here we are. You might want to try downgrading the strong protection flag on the key material, it may allow for automated signing.
I've run into similar frustration getting an exe certificate.
In one example, the provider needed to check I was a legitimate business, by seeing if I was in the phone book -- so I just registered online, called them back, they saw it and granted me the certificate, then I unregistered.
Which signtool did you use? (You may have more than one on your system. This has cost me more time than I would like to admit. I'd make sure you're using the one from the latest Win 10 SDK.)
I did find four! Yes, I've picked one at random. None of them was in my path, even after running vcvars*bat. Given Conway's law, I suspect signtool has a different project manager than the VS team.
I've copied that exact command from 3rd party documentation. Microsoft didn't even bother to give a SHA-2 example in theirs.
And maybe I'm spoiled, but could it not require four switches of a "don't do useless thing" kind? It's as if `copy` required /ones /zeros switches to be explicit you don't want it to omit these bits.
It's a safety issue though. Only experts should run `copy /ones /zeros`, because if you get too many ones on one side and zeros on the other it can throw off your hard disk's alignment and void your warranty.
Sorry to go off topic, but I'm wondering what's the goal of the tool as there are already ways of doing this. I've created a bat file that uses youtube-dl to download a video and convert it to gif using several tools and parameters (ffmpeg, imagemagick). I use it to make inline posts on hangouts since it's 2018 and I need a mobile device to post inline videos there for some reason.
Anyway, your tool seems to get a good image size on videos with lots of colors, but a horrible size on simpler images. I used the --fast switch, as it took 6 minutes to convert 387 frames to save 10% on file size. I'm comparing it to ffmpeg with a palette, as it seems to get similar image quality with a smaller size in most cases.
edit: After reading this after posting it, it looks as I'm super critical/aggressive. I'm just genuinely curious at what drove you to write the tool as there are already ways to achieve what you wanted. Didn't mean to antagonize you.
If you want headless automated builds, I recommend trying Sikuli on top of a VM. It doesn't require any toolkit/OS support to automate your applications.
It is disgustingly easy to set it up, it is software none of us deserve.
Oh man, Sikuli (and SikuliX http://sikulix.com/) is amazing. It's the kind of thing where I hate that it has to exist, but I'm so happy that it does exist.
They aren't sufficient to get rid of the slanderous message on their own - even with an EV. You need to have a bit of volume first. Makes interacting with your first few customers lots of fun.
I've had differing experiences. Note that if you've been distributing before you got the cert, part of that rep will carry over, as it's also a function of the exe signature.
We actually switched certificates (from StartCom to Globalsign) and the signing was wrong at first, so the message kept showing. When we fixed it, it went away immediately, even though certificate and author name changed...
"Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher."
Code signing certificates are a great idea if you're a company who gets to charge me hundreds of dollars per year to say that I am who I say I am. Code signing doesn't seem so great from my perspective, because I don't want to have to pay hundreds of dollars per year to a cartel engaging in a protection racket. Unsigned code warnings are nothing more than them saying, "Gosh, it sure would be a shame if we scared away potential users (wink wink)." If the certificates were based on inspection of the actual source code and building the installer inside a trusted environment, that would be one thing, but that isn't how they get assigned. Certificates are assigned based on whether or not I want to give the trust cartel a lot of money. Fuck that.
What's even more problematic is when you get into the shady stuff. I believe it's clear that there are things that people have to develop anonymously for their own safety. Examples include PC tools to reverse engineer stuff, console save file editors, etc.
However, precisely because those areas are so shady, it would help if there was a way to get code signing certificates of a lower pedigree but with pseudonymity. The shadier things get, the more likely there will be knockoffs with malware. The more likely there will be knockoffs with malware, the more likely some inexperienced user will accidentally get the (ill-signed) malware knockoff.
> Code signing certificates are a great idea if you're a company who gets to charge me hundreds of dollars per year to say that I am who I say I am. Code signing doesn't seem so great from my perspective, because I don't want to have to pay hundreds of dollars per year to a cartel engaging in a protection racket.
An interesting solution could be that Windows users could get the ability to add additional root certificates for application sign keys to Windows installations.
How much I hate this error message. "Windows protected your PC" - no, it didn't, it just assumed there would be something to protect from because it was unknown. It is pure scaremongering.
The average Windows user will never/should never run a program SmartScreen doesn't know about. Everyone else knows how to vet the app they're using themselves.
For your senior citizen browsing the web and clicking things, this dialog saves people. More often than you'd think.
The average Windows user just learned how to ignore this dialog and click through it. Especially gamers, downloading unsigned indies from stores like itch.io.
No, I get calls from people about Windows update wanting to restart and asking me if it's okay to let it. You don't know what an average user looks like.
As a malware developer who used to work for government (not USA ofc),
we had our malware genuinely signed with a digital certificate (we bought it using a fake company),
so a digital certificate doesn't protect at all!
As someone who enjoys the idea of writing stupid programs for my own use, occasionally even doing dumb things to the kernel, the games I have to play to work with the Software I paid for is disheartening. Yes, yes, if I screw up a kernel mode driver while toying around with faking USB input, I could brick my computer forever, but since I've already found my way to the driver SDK, and decided to continue, isn't that proof enough of willingness to take the risk?
Paying thousands of dollars per year just so that users can run your free software is ludicrous. Code signing does nothing but teaching users to ignore security errors. Nothing is stopping bad actors from signing executables. Platforms are too lazy by putting the burden on the developer. Why not let users download the apps directly from the publisher/developer ? I guess that would make it harder for the platform to leech on the developers, and gate-keep their users.
> Paying thousands of dollars per year just so that users can run your free software is ludicrous.
While I agree that requiring code signing certificates to run free software sucks, I'm curious where the thousands of dollars a year comes from? I finally broke down and purchased a code signing certificate[0] last year. The prices varied, but I don't recall seeing any for more than $300, and I was able to get mine for $100, which is valid through Windows 10 and works on everything else that uses one of these EV certs. In addition to that, I purchased a Yubikey, which I wanted anyway (and having a desire to protect my code-signing key was the excuse I was looking for to purchase one of those), bringing the total cost for the first year to $140 (and subsequent years at $100). There is certainly a time cost, and it's really fun explaining that "no, I do not have a land-line phone" and "no, I don't get bills from my mobile phone company, but I can print out what qualifies as a bill from my Project Fi page[1]" all while trying to understand the accent of the non-native-English speaker I was working with.
[0] Not purely for signing open-source software, but I use it 99% of the time for signing Open Source software ... and miserable PowerShell scripts so that I don't have to remember to override the default security policy.
[1] The number of eye-rolls around the security theater involved in all of this was comical. They asked for photocopies of 6 or 7 different documents, all of which would have been trivial to forge with any information I wanted if I were so inclined. The only real verification around these documents is the notary requirement -- which, at least where I live, notaries are punished harshly if they don't follow the rules.
It took a legitimate actor six months as he underwent EV certification. Even if the primary goal didn't get met, there's still the secondary goal of having problematic publishers officially blocked by cert revocation.
Also, users DO get the app from the publisher in this case. Windows provides SmartScreen, the developer provided the binary and signature (and was on his own as to how to get it)
It took me about 3 months, but if I'm being honest -- once I got off my rump and actually gathered all of the nonsense together to get my application processed, the whole thing took about a week.
The trickiest part was explaining to the 60-year-old bank teller why I needed all of these documents notarized and what they were for. I guess that's the one protection against forgery in this case -- notaries breaking the rules are dealt with pretty harshly where I live. They called me several times and her twice, but once that was done, I got an e-mail and everything was taken care of.
The security theater is just to shift liability. They don't care if the documents are fake, they just want the fraud to be plausibly your fault instead of theirs.
> Install and configure weirdo bespoke software for the smart card. It opens an SSH-server-hanging popup asking for a PIN, so I can't have headless automatic builds.
To be honest, Microsoft's C compiler was the reason I didn't support Windows before (for MSVC the 1999 C standard is still too new). I've only started making Windows executables after switching to Rust.
Uh, for the same reasons they would do so on any other platform?
That said, yes, this guy is doing it wrong. He should be using SHA-256, not SHA-1, and he should be using an EV cert (which takes more like 60 minutes to obtain than 6 months.)
Why would open source developers not want to target the desktop OS with the largest install base in the world? Not everyone in the OSS world is Richard Stallman, most just want to build and release software for people to actually use.
(I say that as a full time Linux user, developer, and OSS advocate, btw).
One nice thing about an open source application is that if you don't use (or simply don't like) the OS it runs on, you can port it to your OS of choice or hire someone to do it for you.
Stallman himself would have no problem with that, if he's logically consistent.
I've recently paid for a code signing cert from Comodo, and I'm still stuck in the process.
In order to verify your company phone number, it has to be shown in any of the links like: (www.dnb.com) or (www.hoovers.com), including local/national registration agencies and reputable third party databases. So please update the Company name, address and Phone number in any one of the above web sites.
My company is registered in Norway, and having the company's email and domain listed in the national company registry does not help. I'm currently in SE Asia, and I have to go back to this:
[...] you can send an attestation letter signed by your attorney, Certified Public Accountant or Latin Notary (where legally recognized) verifying the telephone number. You can download sample text for the letter [...]
We need Let's Encrypt for code signing. But how can we automate identity validation? Verify the e-mail address or phone number with a national registry, where possible?
I switched away from Comodo because of the Dun And Bradstreet requirement, and I didn't really want to support Comodo anyway after some of the shady stuff they've done.
GlobalSign were able to help me, they were a bit more expensive but vastly better support than Comodo. Super friendly phone & email support. I did need to get a Yellow Pages listing for my business for them to verify me, but Yellow Pages offer a free online listing tier in Australia. You might be able to ask for a discount if their prices are a bit too high for you & you're switching from Comodo.
If you must have a Comodo cert, you could try buying through K Software (http://codesigning.ksoftware.net/). Mitchell Vincent is great to deal with, and I used his services for years. He could probably have helped me deal with Comodo verification, but I was just too exasperated by Comodo's support drones.
I've tried obtaining a cert from K Software before and they have the same Dun And Bradstreet requirement which was impossible to get right so I just abandoned them.
I tried Comodo too, but they wanted to have a legal person to sign some document (proof of existence?). Eventually, DigiCert was pretty fast in giving out a cert. Two legal documents scanned in, a copy of a passport/id and a face to face (skype) was about enough to validate that I really exist.
There is one CA (forgot the name) that provides EV certs (for websites, not code signing) that looks up data in national registries; they have a lot of stuff automated so it's quick and relatively cheap. So in theory it's possible for code signing. But Let's Encrypt repeatedly refuses to work on code signing certs (it's not as cheap to operate as website DV).
Is this some new Windows thing? Because the last time I booted Windows and downloaded some pre-built open source Windows program and ran it I got no such warning.
As do some anti-virus tools.
Norton AV used to "clean up" my build folders of exes because it was classifying the newly built exe as viruses because they were not on a whitelist.
I used to develop a java app during an internship on a computer I was not even supposed to be admin on. McAfee AV crapware was randomly deciding that my app .jar was in need of being removed and there was nothing I could do without going against company policy except rebuild and hope this time it would go well.
An EV sig on an .exe automatically whitelists it with SmartScreen. It still shows a message, but a far less scary one.
Edit - hmm, it sounds like the dev got an EV cert though, because regular ones don’t require storing keys on a token. So I’m not sure what’s going on here...
I think a proper EV should not show any warning at all. The issue here is using SHA1 instead of SHA256, not sure why op would do this. SHA1 signing was deprecated..
It does feel like that. We don't actually issue a signed copy now and we have had precisely one complaint and that was from an enterprise customer. We suggested they downloaded it themselves and gave them the sha256sum of the MSI and they were happy with that.
One reason is that if signing via the Mono Framework, the only signing method it offers is SHA-1. I had to eventually sign with `osslsigncode` to get this right. I was trying to cross-compile a Windows app on Linux, which is why the Mono solution appeared to make sense.
I haven't used Windows in 10 years, so I don't understand: What is the point of signing this binary at all? If users want to run software they know is legitimate because they can review the source on GitHub and download via HTTPS from the GitHub page, why do they have this "Windows protection" feature enabled? Wouldn't a better solution be for the project maintainer to tell the user to disable it since they're in a position of trust which is at the same level as distributing a valid binary?
It's enabled by default and AFAIK maybe even impossible to disable.
Every time I have to dabble in the world of Windows these days it really depresses me. Windows 10 is really a great OS underneath but every new update seems to add more layers of crap.
This alert is so annoying and stupid it hurts. I had it too when running one of my own program. I guess this is part of MS strategy: FUDing traditional applications in a desperate attempt to get people to use their store. Except the store won't become attractive anytime soon by alienating developers.
I maintain a desktop application (with MSI installer) for a niche industry with a few hundred users and for the first few weeks they had the scary red warning, but after then they started seeing the blue, non-scary pop-up, even for new binaries provided they're signed with the same certificate. We have a Comodo code-signing cert (non-EV though) which costs ~$70/yr through Tucows (remember them?).