
gam.exe is not digitally signed and therefore cannot be whitelisted by publisher with applocker #259

Closed
Dazpoet opened this issue Mar 28, 2022 · 5 comments

Comments

@Dazpoet

Dazpoet commented Mar 28, 2022

I tried searching here and in the mailing list but got no hits so hopefully this isn't a repeat of an earlier issue.

As it says in the title. My employer recently started using AppLocker and since then I need to hand IT the .exe file to get a file hash allowed each time I update.

If the software was digitally signed we could blanket-allow it.

I don't know how hard this is to implement nor if anybody else has this issue but if more people start using AppLocker I guess it could be a thing worth looking into.

@taers232c
Owner

William,

Does AppLocker recommend how to get an app digitally signed?

Ross

@Dazpoet
Author

Dazpoet commented Mar 28, 2022

Microsoft, who are the ones behind AppLocker, have some information about code signing. From what I gather, and I could be very wrong, the non-trivial part is acquiring a certificate for signing code to begin with. These seem to come at a steep cost (one to a few hundred USD/year) and once you have one, signing for Windows is "just" a matter of using Signtool.exe or something that implements enough of it to sign on other OSes, like jsign or osslsigncode.

When looking around I found an old video which shows how to use PowerShell's (Windows-exclusive) Set-AuthenticodeSignature cmdlet to sign an exe. I also tripped over a company's short guide to code signing on different OSes which I thought was easy to follow.

Now I can understand not wanting to pay hundreds of USD for distributing something for free, so I looked around and found that a free solution is on the horizon with sigstore and their Fulcio solution. However the problem I wanted solved was signed exes for Windows and Fulcio doesn't solve that according to issue #250 on their GitHub.

So it would appear that in the end all I've managed to find points towards how a free solution to this issue would demand a resolution of Fulcio#250, which also seems non-trivial.

As such it would appear I've wasted your time with this issue but somehow ended up forcing myself to read up on how certificates work.

@jay-eleven
Collaborator

@Dazpoet, I'm speculating here, bear with me. Your IT guys might be able to self issue the required cert for free: https://codesigningstore.com/how-to-generate-self-signed-code-signing-certificate

This would be useful to sign gam or other pieces of software that have not been digitally signed by their publishers.

@Dazpoet
Author

Dazpoet commented Mar 30, 2022

@jay-eleven we actually do this for certain in-house tools iirc. However wouldn't that require IT to download each version of gam, sign it and then deploy it through SCCM/Intune/GPO as well as pushing the self-signed certificate's needed trusts?

The, very, few of us that use GAM normally "install" it ourselves via the .zip file since that works without administrative rights.

However I did see some answers in the mailing list about how people checked for the latest version of GAM and if it wasn't up to date downloaded a newer version. I wonder if that could be adapted to download, self-sign and then push to the company portal (which we use) somehow. I'll have to ask IT about that though :)

@jay-eleven
Collaborator

They would need to download the new version and sign it with any certificate they already use to sign other in-house tools. Since the certificate is the same, you already have it in your machine's cert store.

I doubt your IT guys will give you the private key so that you can sign apps, but hey, asking never hurts! What most probably will happen is that they'll insist on signing the software themselves. And that's exactly the problem: Ross is so prolific that they might need to download and sign gam several times a week!! And they'll quickly grow tired unless they automate it... :-)

In order to determine if a new gam version has been released, you need to use gam version checkrc [Source: Wiki]

gam version checkrc
GAM 5.35.08 - https://github.com/taers232c/GAMADV-XTD3
Ross Scroggs <ross.scroggs@gmail.com>
Python 3.8.1 64-bit final
google-api-python-client 1.7.11
httplib2 0.16.0
oauth2client 4.1.3
MacOS High Sierra 10.13.6 x86_64
Path: /Users/Admin/bin/gamadv-xtd3
Version Check:
  Current: 5.35.08
   Latest: 6.18.01
echo $?
1
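The "check for a new release, then re-sign with the in-house certificate" loop sketched in the comments above, written out as a PowerShell script. This is an added example, not code from the GAM project or from anyone in this thread. It assumes gam.exe is on PATH, that IT's code-signing certificate (purchased or self-signed, as discussed above) sits in the current user's personal certificate store with its private key, and that the freshly downloaded, unsigned build has already been placed at the staging path by whatever download step IT uses; the subject name, staging path and timestamp server are placeholders. Exit code 1 from `gam version checkrc` meaning "newer release available" is taken from the output quoted above.

```powershell
# Added example (not GAM project code): re-sign a new gam.exe build with the
# organisation's own code-signing certificate so an AppLocker publisher rule
# keeps matching across releases, instead of a fresh hash rule per version.
# Assumed/placeholder values: $NewBuildPath, $CertSubject, $TimestampServer.
param(
    [string]$GamExe          = 'gam.exe',
    [string]$NewBuildPath    = 'C:\staging\gam\gam.exe',           # placeholder
    [string]$CertSubject     = 'CN=Example Corp Internal Code Signing',  # placeholder
    [string]$TimestampServer = ''                                  # optional, e.g. your CA's RFC 3161 URL
)

# 1. Ask the installed gam whether a newer release exists. In the thread's own
#    sample run "gam version checkrc" exits 1 when Latest is newer than Current.
& $GamExe version checkrc | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Installed GAM is current; nothing to sign.'
    return
}
Write-Host "Newer GAM release available (gam version checkrc exit code $LASTEXITCODE)."

# 2. Do not overwrite a build that already carries a valid signature: if the
#    publisher starts signing, IT should switch the AppLocker rule to that
#    publisher rather than re-wrap the binary with an internal certificate.
$existing = Get-AuthenticodeSignature -FilePath $NewBuildPath
if ($existing.Status -eq 'Valid') {
    Write-Host "Build already validly signed by '$($existing.SignerCertificate.Subject)'; leaving it alone."
    return
}

# 3. Select the in-house code-signing certificate; require a private key and
#    prefer the one that expires last if several match.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw "No code-signing certificate with a private key found for subject '$CertSubject'."
}

# 4. Sign with SHA-256. A timestamp keeps the signature valid after the
#    certificate itself expires, so pass one whenever the CA offers it.
$signParams = @{
    FilePath      = $NewBuildPath
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
}
if ($TimestampServer) { $signParams['TimestampServer'] = $TimestampServer }
$sig = Set-AuthenticodeSignature @signParams
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 5. Independent re-check of the result; this is the same chain validation an
#    AppLocker publisher rule performs on the endpoint.
$verify = Get-AuthenticodeSignature -FilePath $NewBuildPath
[pscustomobject]@{
    File       = $NewBuildPath
    Status     = $verify.Status
    Signer     = $verify.SignerCertificate.Subject
    Thumbprint = $verify.SignerCertificate.Thumbprint
}
```

Two points a deployer should keep in mind. With a self-signed certificate (the free route suggested above) the final `Get-AuthenticodeSignature` reports `UnknownError` or `NotTrusted` rather than `Valid` on any machine where that certificate has not been pushed into the trusted stores, and an AppLocker publisher rule will not match there either; that is the "needed trusts" deployment step mentioned earlier in the thread. And the private key stays with IT: the script is meant to run on their signing host as the automation they would otherwise tire of, not on each user's workstation.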
