
EV Certificate signing #84

Open
deajan opened this issue Mar 30, 2023 · 10 comments
Labels
🤖CI/CD Issues and PRs that concern continuous integration and deployment. enhancement New feature or request

Comments

@deajan commented Mar 30, 2023

Hello,

I have been a WinNUT user for a couple of months now, thanks for the effort.
Just one thing, how about signing the executables and installer with a code signing certificate, so you don't get the Windows Defender shield and other antivirus alerts?

As an open source developer myself, I do possess such a certificate, and could sign "general release" executables for you if needed.

@gbakeman (Contributor) commented

Greetings @deajan,

I'm currently upgrading build automation, and one thing I'd like to do is automate executable signing with a certificate from Microsoft that should enable us to submit crash reports directly to their error handling facilities.

Thank you for your offer of a certificate - please stay tuned and hopefully we'll have some signed builds.

@gbakeman gbakeman added enhancement New feature or request 🤖CI/CD Issues and PRs that concern continuous integration and deployment. labels Mar 30, 2023
@deajan (Author) commented Mar 30, 2023

Hmm...

> executable signing with a certificate from Microsoft

AFAIK Microsoft does not distribute free certs, am I right?
I am talking EV certificates that cost hundreds per year, e.g. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode

@gbakeman (Contributor) commented

Sorry for not being clear before.

I'm looking into joining the Microsoft Partner program (free, I hope), and subsequently the Windows Desktop Application program. My thinking is that this allows WinNUT to send telemetry and crash events back to Microsoft so I'll be able to review and identify fixes more quickly. My understanding is that this program also provides a certificate to sign the executable, so I'm hoping that that takes care of this. Please let me know if I'm misunderstanding something!

@deajan (Author) commented Mar 30, 2023

AFAIK, confirmed by your link, you're supposed to have your own code signing certificate.
Microsoft provides you with signtool, in order to sign your executable with said certificate.

That being said, there are OV (cheap) and EV (expensive) certificates, which provide different levels of trust for Authenticode.

@gbakeman (Contributor) commented

Apparently I need to look into this more! I've got a laundry list of things ahead of me right now - first is getting build automation up and running, then addressing a few bugs people are experiencing. I'd like to look at this soon, though. I'll come back to this ticket, and hope I can keep your offer on hand.

Thank you!

@deajan (Author) commented Mar 31, 2023

No problem, but keep in mind that I can only offer to sign the builds for you, as EV certificates come with hardware private keys, non-shareable.
So the point would be to sign official releases only.

Keep me posted.

@gbakeman (Contributor) commented

Hi @deajan,

I'm moving further along with setting up CI/CD, and wanted to come back to you for more details on your offer. Would you mind describing how this signing process would work? I'd like to have everything isolated to the build environment so signing would happen there if at all possible.

@deajan (Author) commented Apr 17, 2023

Hi,

Well, the thing with EV certificates is that you can't sign executables without having the actual hardware token, which is unique.
I offered to sign releases only, since this is a manual operation and doesn't happen every day.
This would mean you publish an executable, I sign it and give it back to you.
AFAIK there's no other way of doing this with EV certificates.

For your CI, you could use a test code signing certificate, and sign with signtool.exe that comes with the Windows SDK.

@gbakeman (Contributor) commented

I'm really on the fence about this, because having signed code is important for guaranteeing authenticity. WinNUT has historically been built on developers' systems, and for the sake of security (and authenticity, in some way), I've been putting a lot of work into getting the CD system up and running. I feel at least in that way, users can verify the source code directly against the software they download from us. Keeping everything in the domain of GitHub has been an important aspect, and I'm not sure I feel comfortable putting anything in between that, including myself.

In between bouts of writing YAML files and pushing/deleting/amending commits (sigh...), I've tried to do some more research into the concept of code signing. I came across a project called sigstore. My research is once again preliminary, but from my understanding, they're establishing an open-source chain of trust which seems like an ideal fit for an organization like NUTDotNet.

Assuming I still haven't quite grasped all of this though, then what I may end up doing is just self-signing a certificate, throwing the secret into the project or organization, and committing the public cert directly to the repository. It'll be an ask, I think, for people to install/trust the certificate. But hopefully people would consider accepting that.

I find myself getting distracted now on upgrading our update routine in WinNUT, so it'll be some time before I'm seriously looking at signing again. I just want to emphasize how much I appreciate you offering to do this and keeping the offer available.
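The CI-side approach discussed in the two comments above (a test code signing certificate, signing with the Windows SDK tooling, and committing only the public certificate to the repository) as an added example; this is not code from the WinNUT project or from either commenter, and the file paths, certificate subject and timestamp server are assumptions. The last step is the check a user would run to pin the signer to the published certificate even while the self-signed root is not trusted.

```powershell
# Added example (not WinNUT project code): self-signed test code-signing
# certificate for a CI build, Authenticode signing, and the verification a
# user can run against the published public certificate.
$ErrorActionPreference = 'Stop'
$exe       = 'C:\build\WinNUT-Setup.exe'          # assumed installer path
$publicCer = 'C:\build\winnut-test-signing.cer'   # assumed export path

# 1. Create a self-signed code-signing certificate in the current user's
#    personal store. -Type CodeSigningCert sets the code-signing EKU.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=WinNUT Test Signing (self-signed, assumed name)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public certificate (DER encoded). This is the part
#    that can be committed to the repository; the private key stays in the
#    store (or, for a real EV certificate, on the hardware token).
Export-Certificate -Cert $cert -FilePath $publicCer | Out-Null

# 3. Sign the build with a SHA-256 digest and a timestamp, so the signature
#    remains checkable after the certificate itself expires.
#    Equivalent Windows SDK command (signtool.exe) selecting the same key
#    by thumbprint:
#      signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 `
#        /sha1 $($cert.Thumbprint) $exe
Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 4. User-side check. A self-signed signer does not chain to a trusted root,
#    so Status will not be 'Valid' unless the .cer has been imported into a
#    trusted store (the "ask" to users). Pinning the signer's thumbprint to
#    the certificate published in the repository still detects a swapped or
#    unsigned binary, independent of root trust.
$sig       = Get-AuthenticodeSignature -FilePath $exe
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $publicCer

"{0}: status={1}, signer={2}" -f $exe, $sig.Status, $sig.SignerCertificate.Subject
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature on $exe"
}
if ($sig.SignerCertificate.Thumbprint -ne $published.Thumbprint) {
    throw "Signer thumbprint does not match the published certificate"
}
"Signer matches published certificate ($($published.Thumbprint))"
```

Importing the exported .cer into Cert:\LocalMachine\Root (Import-Certificate, needs elevation) is what would turn the status into Valid on a user's machine; the thumbprint comparison works without it.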

@deajan (Author) commented Apr 18, 2023

Unless your CI is local, you won't be able to use your signing key (EV or OV since 3rd April) since it needs a physical USB token.
The problem with sigstore is well discussed here

Anyway, if someday you need to sign with an authenticode trusted certificate, I'll be around.
