Pin code signing certificate #272
Comments
Right off, the certificate pin is not used at all for updates. Update payloads are not checked with Authenticode right now. Authenticode is used just in two scenarios, which might not even occur in practice, for most users. It has to do with The scenarios are the following:
We could discuss further if you still want to do the pinning in your fork.
Thank you very much for your reply. Does this mean that also Google doesn't pin the code certificates for updates? If yes, how do you protect against an attacker taking over the update server?
Considering the current Omaha implementation, it is important to secure both the signing and the update servers.
Thanks; what do you mean by "securing the signing"? Do you mean making sure that the code signing certificate does not fall into the wrong hands?
Yes, that includes unauthorized access to the code signing certificate but probably there are other scenarios as well.
I see. You offered we could discuss further if we want to pin in our fork. Do you think this would be difficult? It seems like the necessary code is there; it would just need to be called from the right places.
@mherrmann Sorin is the right person to talk to here for sure. Most of my activity in this repo has been landing unit test reliability improvements that we've found useful downstream on Edge.
I suggest the following to do signing certificate pinning:
These are the high-level ideas I can come up with right now. Please do ask questions; we are glad to help.
Thank you very much @sorinj. We will look into this. I will try to report back here once I know more.
Thank you for your work on Omaha. My agency uses it to help many other companies implement automatic update solutions with it.
We would like to pin the code signing certificates accepted by the client. Could you give pointers what needs to be done in addition to changing the constants in const_code_signing.h? It feels like just changing those constants can't be enough, or else it would not be possible to update with open source Omaha at all, because outside organizations don't have the certificates mentioned there.
In this particular project, the update binary is an MSI. If any special logic is necessary for pinning MSI signatures, it would also be great if you could let me know.
I'm taking the liberty to CC you @roander-msft because you may not receive notifications but seem to be doing a lot of work with Omaha. I hope you don't mind the spam.
Thank you again,
Michael