Remove installation/security warnings by using an Extended Validation Code Signing Certificate (MacOS: done, Windows: todo) #15
Status of the Apple certificate progress
The objective is to enroll in the Apple Developer Program as an organization. For this I need:
Once DAISY is finally enrolled in the ADP as an organization, I will be able to add our Apple ID to it, and to get a certificate. I'll update this comment as the process moves forward!
Thanks Romain! :)
Status of the Windows certificate progress
On Windows, according to the
We'd need to buy a cert from the following authorities, which are trusted by Windows: Symantec, Certum, Entrust, GlobalSign, Comodo, DigiCert. The costs seem to be around 300/400 USD per year. Certum provides an Open Source Code Signing Certificate which is much cheaper (~30 USD). But I'm not sure it fits our needs. One of the differences with the standard certificate is that the open source one is not "cross-certified by Microsoft". Looking deeper, it seems it doesn't support Microsoft's Authenticode technology. I don't know if it's an issue for us… Also, the Certum certificates seem to rely on a physical USB token and cryptographic smart card. So it's not ideal in our distributed environment. They do propose cloud-based certificates (a bit more expensive). For now, I'm asking around if DAISY has any existing certificate plan or services that we could use for Ace. I'll update this comment as the process moves forward!
For Windows, a USB device is required to transport and authorize the cryptographic information related to the certificate (secure hardware token). The shipping delay may therefore be consequential. Further, using Windows virtual machines in order to build and test the Ace app (which is my current setup / workflow) might be problematic when using a USB crypto key. Regarding costs, the base price at Certum goes from 25 EUR to 69 EUR due to the need for the hardware device, but this is still reasonably cheap (note that the certificate would only be valid for a year). However, note that a proper EV certificate costs 359 EUR per year at Certum (or a bit less when buying 3 years upfront). Such an EV cert would be needed to cover "Deleting the Microsoft SmartScreen Filter® system message" (trust based on instant reputation), otherwise the non-EV certificate (for open-source software) only "Eliminates system messages like: "Unknown publisher" and "Unsafe software" (trust builds up over time ... I'm not sure how that works in practice).
https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-1001.html
https://www.certum.eu/en/cert_offer_cert_comparision_cs/
Note that with Certum, the Open Source option does not provide the option "Certificate cross-certified by Microsoft". This, I think, is okay, because we do not need to sign low-level kernel software. See:
Both the GlobalSign certificate types appear to offer Azure Key Vault storage options, which presumably would be much faster and would provide the central storage solution we need.
Romain, also note that the Ace app will need to pass Gatekeeper on recent versions of MacOS, so there are additional notarization steps in addition to code signing:
Dave, good point about the Azure Key Vault. However because of 2FA (Two Factor Authentication) I wonder if a mere developer like myself will be able to access the crypto key / code signing certificate "owned" by the DAISY account.
I've not used it before, but I would anticipate access being made available through the O365 credentials - but if it requires more I'm sure we can resolve that.
Another aspect to be aware of: timestamping. We might want to make sure that code signing certificates remain valid after the duration for which they were purchased (1 to 3 years). This way, in the future, even if the Ace app has not been updated for a while (and the cert would normally have expired), users will continue to be able to install the app and use it.
Also note that Let's Encrypt unfortunately cannot issue Code Signing Certificates (OV or EV) due to prioritizing automation in order to be cost effective (i.e. no human verification of identity / trust).
Certum actually provides a cloud-based crypto service which removes the need for the USB secure token. The SimplySign app must be used to operate the system:
I have contacted Certum. In the meantime, here are some useful reads:
The EV certificates cost a little more, but removing the MS smart screen warning is probably worth it when we can then apply the certificate across all DAISY tools. Note the open source certificate linked above is NOT Microsoft certified - so won't achieve the intended objective.
The EV Code Signing Certificate is definitely the best option in that regard: instant trust assertion, removal of all warning messages on Windows (SmartScreen when downloading, as well as UserAccountControl when installing). Caveat: this requires a hardware token (i.e. secure USB key provisioning of the crypto package) in order to offer further guarantee that the private information used to sign products cannot be used by unauthorized entities. Consequently, the certificate cannot be exported and used in Continuous Integration scenarios, or in automated build workflows locally or via virtual machines. Certum's product line now provides a cloud authentication service (and a local app named SimplySign) which is meant to be an alternative to the physical hardware device for the purpose of establishing identity. However, I am pretty sure that the same build workflow limitations apply, due to the provisioning method requiring human intervention (I have asked them for clarifications, waiting for reply).
If I understand correctly, the OV Code Signing Certificate (e.g. Certum's "standard" product) removes the UAC "unidentified publisher" warning, but the SmartScreen will continue to be triggered initially, due to trust needing to build up over a period of time. This is compliant with Microsoft Authenticode for both user-level and kernel-level code. USB hardware token remains obligatory, or in the case of Certum there is the aforementioned cloud-based alternative.
The Certum "Open Source" Code Signing Certificate seems to be a lightweight version of the "standard" OV Code Signing Certificate, in the sense that it is bound to an individual instead of an organisation, thereby requiring fewer checks to prove identity during the registration phase. I have asked Certum whether or not the user experience is the same as with their "standard" product (with respect to the SmartScreen and UAC warning messages).
There is some ambiguity with regards to the compliance with Microsoft Authenticode too.
A hardware token seems to be required by most providers, with the exception of GlobalSign who support the Azure Key Vault.
If I understand correctly, the decision-making is about:
And then each point can be broken down in smaller decisions:
It seems to me we're moving towards getting an EV certificate. But there are still a few decisions to make and offers to compare. Thoughts?
Some clarifications / confirmations received: Most Code Signing Certificate retailers or Certification Authorities (including Certum) will not provide direct access to
This is fine, as far as we are concerned. The DAISY Ace GUI app installers are created using the ElectronBuilder set of utilities, which connects to the key provisioning subsystem via an explicitly-specified
I have received confirmation that the only difference between Certum's "Open Source" Code Signing Certificate and the "standard" product (besides the kernel-level software option afforded by the "certificate cross-certified by Microsoft" feature) is that the former includes "Open Source Developer" in the CN, but they otherwise have the same capabilities / limitations (i.e. basic Microsoft Authenticode, building reputation over time in order to gain SmartScreen trust).
Also, the certificates issued by Certum are time-stampable, using Certum's own http://time.certum.pl or any other, e.g. http://timestamp.digicert.com
So, it looks like the two top options are EV Code Signing Certificates from:
Apparently Sectigo (formerly Comodo CA) also offers a cloud option (PDF link) (called "Cloud Service Module" or "Code Signing on Demand"). The cost is 399 USD for 1 year, 897 USD for 3 years.
Note that support for Azure Key Vault entails additional costs: https://azure.microsoft.com/en-gb/pricing/details/key-vault/ ...so although GlobalSign appears to be slightly cheaper (assuming the taxes are at about the same level as Certum), there would be a financial overhead with the Azure account and the Key Vault transactions. Further, I am wondering about the potential difficulties in setting up Azure Key Vault on developers' environments (especially Virtual Machines).
Many times the software, especially the large software, is distributed offline, and is also installed on computers without internet connection. Will this solution work for them?
Yes. The cloud solution is to sign the code (on the developers' side), not to verify the signature (on the users' side).
that might be included in the Azure package we already have. We can describe a shortlist of solutions which we're confident would work for us, and then inform @DaveGunn and the management so that we can pick the best option wrt cost and infrastructure.
Thank you Romain for the Sectigo PDF. The step-by-step instructions reveal what I feared: in order to sign our Electron app, we would have to introduce a manual step consisting in uploading the resource to sign, or alternatively the resource hash (in which case we would then have to integrate the signature digest back into the resource ourselves). In other words, we would not be able to rely on ElectronBuilder's built-in support for signing (i.e. in-line, as part of the installer creation process).
It seems they have an API, so it should be possible to ultimately integrate that in a custom build, if not in electron-builder itself…
Just to confirm any Azure Key Vault costs would be covered by our existing Azure infrastructure account.
Good to know Dave, thanks.
Romain, good to hear about the possibility of using an API to securely communicate with the GlobalSign Code Signing service.
Another thing to note about obtaining an EV Code Signing Certificate: the DAISY organisational identity, as well as that of the person registering, will need to be asserted by the Certificate Authority in order to establish trust. We will therefore be required by the accredited retailer to provide documents that prove identity, which usually involves a Notary. I am not totally sure about GlobalSign, but I imagine they do business in the USA, where DAISY has representatives. I think (based on the PDF linked by Romain) that the expectation is to have somebody from the management team registering and acting as the primary contact point + platform administrator. Then, developers like myself can obtain credentials to authenticate into the secure cloud signing solution. Certum is based in Poland. Although they accept digital scans for their lower-tier products, I imagine the prerequisites for issuing EV certs are more stringent. I have asked about their SimplySign cloud solution, so I have a better idea of the key-provisioning + resource-signing workflow (and whether it is compatible with ElectronBuilder).
Just a clarification: the PDF was from Sectigo (formerly Comodo), not GlobalSign. I don't know if GlobalSign also have an API, they probably do but this would need to be verified.
Ah yes thank you Romain (typo on my part).
As mentioned before, the process of applying for an EV Code Signing Certificate requires providing proof of identity, either via a Notary, or remotely by sending appropriate documentation, like Romain did to set up an Apple Developer Program for an organization (not an individual), DUNS number, etc. Here are the instructions provided by Certum:
I now have confirmation that Certum's SimplySign cloud+app -based virtual hardware token system integrates well with the
This is good news, it will integrate well with ElectronBuilder's default signing process on Windows, and can even be integrated as a custom step if we face issues with the default implementation. Basically, the virtual hardware token seems to behave just like a physical USB device. I imagine that Sectigo's ad-hoc suite of tools (Code Signing on Demand (CSoD) + CCM Comodo Certificate Manager) operates in a very similar way, and that GlobalSign's Azure Key Vault provides a similar integration path.
Another technical thing to note about Certum's SimplySign: the
I had another look at Sectigo's PDF (Code Signing on Demand (CSoD) + CCM Comodo Certificate Manager), and I don't see an integration path with
The MacOS app / DMG code-signed with the DAISY certificate works when launched locally without any warning messages, but the app indeed fails to launch when downloaded from an external source (GateKeeper blocks it due to not being notarized):
Positive progress:
The Gatekeeper message is now:
(with the "open" button, so no need to right-click + open menu)
I tested the app with the default notarization entitlement
Awesome! Thanks for the hard work Dan 👍🎉
Related issue: #10
I have a call with a Microsoft MVP on Thursday, who is helping out with code review and advice for the WordToEPUB proof of concept. I will be asking about code signing to remove the scary messages for the not so technical users of this tool. I've read this thread in preparation, and will report back. It may be that some learnings can be useful for ace-gui.
A 3 year EV Code Signing Certificate has been ordered through GlobalSign Ltd. Verification will probably take a couple of weeks after which it will be available for use through the Azure Key Vault.
This is wonderful news! Thank you for taking care of this.
The security around hosting a central EV certificate means it probably won't be a simple add-on process. We may need a VM build platform with access to the Vault - so obtaining the certificate is only step one in establishing a certification process.
Hi Ace team! It seems we're on the same journey! What a tedious and horrible experience... It has been a good read, this issue, as we had hit the same walls too 😅
Hello @labsforge I am glad to hear that you managed to extract useful information from this messy / organic conversation thread! :) We're using an ad-hoc environment variable
Line 96 in 41c3fb5
Line 143 in 41c3fb5
Line 50 in 41c3fb5
Line 6 in 41c3fb5
Extra tip: in another project we also use the
...as for the Windows code-signing process: we are currently looking into how to make this work as part of our
The macOS part with notarization we figured out too, the Windows part I'm still thinking on how to...
Windows signing is implemented via a manual step (not automated through Electron Builder). Closing this issue now.
This was a useful discussion. Thank you all!