Missing signatures [Windows] #602
On Windows, most files containing executable code (DLLs) have not been signed at all, and some only by the original vendor (not StandardNotes). Also, while the original installer is signed, the built-in updater is directly calling on executable code files which have not been signed.
This means it is currently not possible to use StandardNotes in environments using signature-based code integrity enforcement.
Hey, thank you for your response!
There are two points where signatures are missing:
Both open the user up to the risk of DLL hijacking, especially because the installation directory from where the executable code is sourced is user-writable. Security solutions which use digital signatures to validate or restrict executed code don't rely on the primary executable file (in this case: Standard Notes.exe), but also check dynamically loaded code from other files for valid signatures.
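One way to audit the condition described in this issue, as an added example that is not part of the original thread or the project's own code: the script walks an installation directory and classifies every code file by Authenticode status and signer. The `$InstallDir` and `$ExpectedPublisher` parameters and the extension list are assumptions supplied by whoever runs it.

```powershell
# Added example: report Authenticode status for every code file under an install directory.
# InstallDir and ExpectedPublisher are caller-supplied assumptions, not values from the issue.
param(
    [Parameter(Mandatory)] [string] $InstallDir,
    # Substring expected in the application publisher's certificate subject.
    [Parameter(Mandatory)] [string] $ExpectedPublisher
)

# File types that carry loadable code. '.node' (native Node.js add-ons, which are
# PE DLLs) is included as an assumption; trim or extend the list for the app audited.
$codeExtensions = '.exe', '.dll', '.node'

$results = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $codeExtensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Separate "no signature", "broken or untrusted signature",
        # "signed by the app publisher" and "signed only by another vendor".
        $verdict = if ($sig.Status -eq 'NotSigned') {
            'Unsigned'
        } elseif ($sig.Status -ne 'Valid') {
            "Invalid ($($sig.Status))"
        } elseif ($subject -like "*$ExpectedPublisher*") {
            'SignedByPublisher'
        } else {
            'SignedByThirdParty'
        }

        [pscustomobject]@{ Verdict = $verdict; Signer = $subject; Path = $_.FullName }
    }

# Summary per verdict, then the files a signature-based policy would have to decide on.
$results | Group-Object Verdict | Sort-Object Name | Format-Table Count, Name -AutoSize
$flagged = @($results | Where-Object { $_.Verdict -ne 'SignedByPublisher' })
$flagged | Sort-Object Verdict, Path | Format-Table Verdict, Signer, Path -Wrap

# Non-zero exit code when any file is unsigned or invalidly signed (useful in a release pipeline).
$failing = @($flagged | Where-Object { $_.Verdict -ne 'SignedByThirdParty' })
if ($failing.Count -gt 0) { exit 1 }
```

Running it against both the freshly installed directory and the directory after the built-in updater has run shows whether the update path introduces files the installer's signature never covered.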