Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Code Signing of ASAR files, especially for Windows operating system #123

Open
drjasonharrison opened this issue May 26, 2017 · 10 comments
Open

Comments

@drjasonharrison
Copy link

@drjasonharrison drjasonharrison commented May 26, 2017

With the increasing usage of Electron-builder to create Windows app, I believe that the lack of support for signing ASAR files, and the confirmation that the asar files are signed, will lead to a malicious modification of files in a users AppData\Local*\app*\resources

Easy targets include failure of the developer to use electron-winstaller to sign all of the .dlls and Update.exe. For example, at some companies third party code signing utilities and signing servers are used instead of distributing certificates to build servers.

As of this point electron does not check that asar files are signed, and electron-winstaller does not (can not) sign the files, even with a detached signature, and have this signature verified at runtime. SInce the asar (and "raw" javascript) can include shell commands that might ask for elevated permissions, especially at installation time, or use a zero-day exploit, electron apps are all potential targets for malicious code.

@develar
Copy link

@develar develar commented May 29, 2017

Discussion started here — electron/electron-packager#656 (comment)

I will continue here (since issue can be fixed only on electron side, not in userland).

I propose to validate asar file. Using sha hash (stored in the executable file / Info.plist, so, will be not possible to modify without broke code signature).

Regardless of how is Windows bad and unsecure, electron should not allow to bypass code signing so easy.

@MarshallOfSound @kevinsawicki Will electron team accept such PR? I will have several free days soon and I want to experiment.

@develar
Copy link

@develar develar commented May 29, 2017

Another option is to put all static assets in a native library file. .asar becomes .dll or .so/.a

It is not an option because DLL signature is not checked. I am going to experiment with windows resources to store asar files or using checksum to verify external asar file.

As @MarshallOfSound said, even on macOS code signing of non-executable files means nothing. Nothing. App bundle will not pass static validation, but... dynamic validation (performed on run) will be passed. Tested on non-Electron Java application, where ALL jars are signed, but regardless of that, jar can be modified and app can be still runned without any warning. So, code signing for Electron apps currently does nothing. Absolutely nothing. You can simply download any verified signed app, replace asar file, and voila.

@drjasonharrison
Copy link
Author

@drjasonharrison drjasonharrison commented May 29, 2017

What are your gatekeeper settings? System Preferences > Security & Privacy > Allow apps downloaded from

@develar
Copy link

@develar develar commented May 30, 2017

@drjasonharrison Since macOS Sierra no UI setting to disable Gatekeeper. The only way to run unsigned app — using explicit Open or disable Gatekeeper using Terminal (sudo). But Gatekeeper doesn't work for electron/java applications.

@develar
Copy link

@develar develar commented Jun 1, 2017

electron/electron#9648

@TJKoury
Copy link

@TJKoury TJKoury commented Apr 12, 2018

I feel like the open source community needs to come up with its own standard for code signing / verification. It's simple enough to create a hash, and verify the hash.

@davej
Copy link

@davej davej commented Nov 5, 2018

I hate to do a +1 type comment but this is potentially a huge vulnerability and negates the reason for signing code in the first place. It seems like it's only a matter of time before Skype/Slack/VSCode gets packaged up with malicious code and flies under the radar of SmartScreen, Gatekeeper and similar.

Sorry that I have nothing substantial/helpful to add but this issue seems to have been forgotten and I think it's worth surfacing it again.

@rajivshah3
Copy link

@rajivshah3 rajivshah3 commented Apr 9, 2019

Is it possible to revisit this topic? I assume things have changed since 2017 regarding OS security

@bnxi
Copy link

@bnxi bnxi commented Jun 6, 2019

@MarshallOfSound @miniak , I have a suggestion for tamper protection of asar files and other non-PE assets of an electron app on Windows OS. Is there a RFC process for evaluating it or I should just add it to this issue?

@bnxi
Copy link

@bnxi bnxi commented Jun 26, 2019

I'm including my suggestion here, hopefully it will be picked up and evaluated:

The suggestion is to leverage windows catalog file (.cat) that is a single signed file containing crypto hashes of multiple other files. The WinVerifyTrust API has built-in support for trivial verification of catalog file digital signature AND integrity of a files included in the catalog. This method could protect multiple files against tampering (load time protection) regardless of their format using a code signing certificate and by signing a single catalog file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants
@davej @develar @TJKoury @drjasonharrison @rajivshah3 @bnxi and others