Problem
When I try to install Fleetd via .msi, I get a warning that says the package I'm trying to install is untrusted and may be malicious. This is quite alarming and reduces uptake of Fleet.
Solution
The Fleet MSI installer for Windows and the Orbit Windows binaries (orbit.exe and fleet-desktop) should carry VERSIONINFO and be code-signed with the FleetDM code signing certificate. Signed binaries with proper VERSIONINFO improve the quality of release deliverables, help customers track their deployed versions, and keep the binaries from being flagged as malicious by Windows SmartScreen/Defender.
How?
- VERSIONINFO can be included by adding a resource entry to the resulting Windows binary. See here, here, and here for more details on this.
- Code signing of Windows binaries should be done within fleetdm/wix through osslsigncode, as suggested by @zwass. The solution for code signing the Windows binaries should follow what's done on macOS (GitHub Actions).
Due to the amount of changes required, the recommendation is to address this issue through 3 separate PRs:
- Adding VERSIONINFO to the Fleet MSI installer
- Adding VERSIONINFO to the Windows Orbit binaries (orbit.exe and fleet-desktop.exe)
- Adding a GitHub Action to sign the Fleet MSI installer and Windows Orbit binaries (orbit.exe and fleet-desktop.exe) using a self-signed certificate
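A release-gate check for the Windows binaries, written here as an added example (not Fleet's tooling): it reads the PE header to confirm an Authenticode certificate table is present and looks for the VS_VERSION_INFO resource key, and constructs a minimal PE32+ stub so it runs offline. It tests presence only; `osslsigncode verify` is what validates the signature, and the MSI (an OLE compound file, not a PE) needs a separate check.

```python
"""Post-build check that a Windows PE deliverable (orbit.exe, fleet-desktop.exe) carries a
VERSIONINFO resource and an Authenticode certificate table.  Added example, not Fleet's code;
the MSI is an OLE compound file and needs a different check."""
import struct

VS_MARKER = "VS_VERSION_INFO".encode("utf-16-le")  # key that opens the VS_VERSIONINFO block
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                  # data-directory index of the certificate table


def inspect_pe(data: bytes) -> dict:
    """Return {"versioninfo": bool, "authenticode": bool} for a PE image held in memory.
    "authenticode" means a certificate table exists, not that the signature is valid;
    validity is `osslsigncode verify` / signtool territory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20  # optional header follows the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    dd_base = opt_off + (112 if magic == 0x20B else 96)
    # The security entry is a raw file offset and size (not an RVA) of the WIN_CERTIFICATE blob.
    cert_off, cert_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "versioninfo": VS_MARKER in data,
        "authenticode": cert_size > 0 and cert_off + cert_size <= len(data),
    }


def release_ready(data: bytes) -> bool:
    """True only when both the VERSIONINFO resource and a certificate table are present."""
    return all(inspect_pe(data).values())


def build_sample_pe(*, signed: bool, versioninfo: bool) -> bytes:
    """Construct a minimal, non-executable PE32+ stub so the check runs offline (sample input)."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # COFF file header
    opt = bytearray(240)                   # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)  # Magic = PE32+
    body = VS_MARKER if versioninfo else b""
    cert = b"\0" * 8 + b"<WIN_CERTIFICATE placeholder>" if signed else b""
    if signed:  # point the security directory at the blob appended after the body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(hdr) + len(opt) + len(body), len(cert))
    return bytes(hdr + opt + body + cert)
```

Run `inspect_pe(open(path, "rb").read())` against a real build artifact to get the same dict; `release_ready` is the one-line gate for CI.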