[🚀 Feature]: Digitally Sign Selenium-manager.exe by the publisher

[rsingh2023]

Feature and motivation

Hi , Some of our application developers are using selenium-manager.exe executable and due to security implications we have to allow this file in AppLocker exclusions. This was added as File Hash however for some reason every moth the file hash is changing where we have to readd the file hash, but this is wasting a lot of time until our IT team is able to pick it up and actions.

Due to inconsistent location of the file path we cant use that and also not an approach our security team wants to take so the only option which would be less painful and also more secure way of doing it is to add the Publisher in the Applocker exclusion however this cant be done as the selenium-manager.exe is not digitally signed by publisher.

Is there any reason why this file is not being signed yet or any plans of implementing this in the near future?

Usage example

This simply allow us to be able to exclude the file in AppLocker policy in more secure way.

[github-actions]

@rsingh2023, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[titusfortner]

It requires certificates and licenses we don't currently have, but we're looking into it.

The file hash changes with every release because it is different binary with new functionality on every release.

[Trigtrig]

I would also like to have the selenium manager digitally signed. The company I work for is also tightening security policies using AppLocker.

[vikramtechforall]

@titusfortner is there any workaround this issue while we wait for the fix to be deployed?

[diemol]

We are working on this. Right now, we are working with SFC (the foundation who owns Selenium) to get a tool to sign the binaries. So it is not all technical, there is some paperwork involved. We will post updates when we have them.

[HernJer]

any update on this?

[diemol]

SFC told us a week ago that they have a tool to sign, but they need to finalize some details.

[ericodland]

was this resolved with v4.18?

[diemol]

We are still waiting on SFC. @pono do you have any more updates?

[ericodland]

We are still waiting on SFC. @pono do you have any more updates?

@diemol any updates on this with v4.19?

[diemol]

@pono said they already have the hardware piece and it will be sent to someone in the project in the next days. Hopefully in 4.21 we can have it.

[mesutDalgic]

@diemol
Quarantine of malicious file (C:\Users\md.cache\selenium\manager\0.4.21\selenium-manager.exe) failed.
I am using Cisco Secure endpoint. I have had no problem until 4.21

[diemol]

We are still waiting for the device to sign the binary digitally.