public inbox for cygwin@cygwin.com
* Should cygwin's setup*.exe be signed using Sign Tool?
@ 2015-04-02 18:13 David A. Wheeler
  2015-04-02 22:35 ` Andrey Repin
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: David A. Wheeler @ 2015-04-02 18:13 UTC (permalink / raw)
  To: cygwin

Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful that many people check the signature of the .exe file before running.  Even if they did, there's the problem that the signature comes from the same place.

Has Cygwin considered signing the installer using Sign Tool? More info:
  https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
  http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/

I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process.  This would create a strong barrier against code subversion after release.

The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability.  I can't provide a patch to do this, obviously :-).

--- David A. Wheeler


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-02 18:13 Should cygwin's setup*.exe be signed using Sign Tool? David A. Wheeler
@ 2015-04-02 22:35 ` Andrey Repin
  2015-04-03  3:17   ` David A. Wheeler
  2015-04-03  1:23 ` Bryan Berns
  2015-04-09 13:05 ` Jon TURNEY
  2 siblings, 1 reply; 8+ messages in thread
From: Andrey Repin @ 2015-04-02 22:35 UTC (permalink / raw)
  To: David A. Wheeler, cygwin

Greetings, David A. Wheeler!

> Running setup*.exe produces "Publisher: Unknown publisher", and it's
> doubtful that many people check the signature of the .exe file before
> running.  Even if they did, there's the problem that the signature comes from the same place.

> Has Cygwin considered signing the installer using Sign Tool? More info:

Did Microsoft make it available separately? Or is there a description of the
structure of such a signature and/or a free tool that can be used to generate
it?
Last I checked, you have to install a metric ton of garbage to get signtool as
a bonus.

> https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
>  
> http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/

> I believe signing it this way would eliminate the "unknown publisher"; it
> would also protect the many people who don't follow the current
> signature-checking process.  This would create a strong barrier against code subversion after release.

People who don't check the signature manually won't check the credibility of
the embedded signature either.
And it only takes about thirty seconds to fake the lines that are visible in
prompt dialogue.
Been there, done that.

> The signed executable could also be signed using the current process, so you
> don't need to *eliminate* any capability.  I can't provide a patch to do
> this, obviously :-).

Signing an executable doesn't alter its behavior in any way, shape or form.
I've had success signing executable archives.


-- 
With best regards,
Andrey Repin
Friday, April 3, 2015 01:17:20

Sorry for my terrible english...




* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-02 18:13 Should cygwin's setup*.exe be signed using Sign Tool? David A. Wheeler
  2015-04-02 22:35 ` Andrey Repin
@ 2015-04-03  1:23 ` Bryan Berns
  2015-04-03  3:27   ` David A. Wheeler
  2015-04-09 13:05 ` Jon TURNEY
  2 siblings, 1 reply; 8+ messages in thread
From: Bryan Berns @ 2015-04-03  1:23 UTC (permalink / raw)
  To: dwheeler, cygwin

> Has Cygwin considered signing the installer using Sign Tool? More info:
>   https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
>   http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
>
> I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process.  This would create a strong barrier against code subversion after release.
>
> The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability.  I can't provide a patch to do this, obviously :-).
>
> --- David A. Wheeler

Ultimately, this is probably a Corinna question since I believe she
compiles the setup executable, but I'll provide my general input as a
software developer.

Firstly, the tools to sign an executable are certainly available as
part of the Windows SDK which is freely downloadable -- so no problem
there.   However, we would have to determine which publicly trusted
certificate to use (using a self-signed cert would likely produce the
same message) and is signing the executable the *right* thing to do.
Since the setup executable is responsible for running a whole bunch of
community contributed post-install executables as part of the
installation process, I'm not sure whether it'd be advisable to stamp
a particular individual's name or company's name on the executive
installer (e.g. Red Hat, for example).  If a tainted executable was
uploaded into the package repository and subsequently flagged, the
certificate authority may have to revoke the certificate which is
never good for publicity of the signer.  For most pieces of software,
the maintainer or the maintainer's company can very confidently vouch
for the content of the installation package and executables within it.
In the Cygwin world, this accountability is a little more distributed
between the package maintainers and source code contributors.  That
said, I have the utmost respect for the package maintainers and I've
never had any security problems with the Cygwin packages other than
stupid antivirus false positives and some dirty limericks that got
installed (my HR department didn't like that).

So that's my two cents.  For all I know the *real* reason it's not
signed is "nobody had asked for it".

- Bryan



* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-02 22:35 ` Andrey Repin
@ 2015-04-03  3:17   ` David A. Wheeler
  0 siblings, 0 replies; 8+ messages in thread
From: David A. Wheeler @ 2015-04-03  3:17 UTC (permalink / raw)
  To: cygwin

David A. Wheeler inquired:
> > Has Cygwin considered signing the installer using Sign Tool? More info:

On Fri, 3 Apr 2015 01:22:15 +0300, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Did Microsoft make it available separately? Or is there a description of the
> structure of such a signature and/or a free tool that can be used to generate it?

Microsoft makes signtool available as part of its SDK at no charge (gratis, not libre):
  https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx

This page points to some alternatives:
  http://stackoverflow.com/questions/18211594/windows-code-signing-process-alternative-to-ms-signtool-exe
They note that Mono includes "signcode", and it's libre (as well as gratis).  Instructions here:
  https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode


> Last I checked, you have to install a metric ton of garbage to get signtool as
> a bonus.

It seems to be a short ton.  The default installs a lot, but you can deselect much.
It's not tiny due to dependencies, but it's not *everything*.

Also, you *only* have to install it on the system that does the signing;
no other system needs it.  It's good to have a separate signing system anyway.

> People who don't check signature manually, won't check the credibility of
> the embedded signature either.
> And it only takes about thirty seconds to fake the lines that are visible in
> prompt dialogue.

Clearly this is limited.  But these signatures are automatically checked by Windows, and
the publisher is displayed for review before acceptance, which raises the bar a little.
The number of people who check the signatures on setup*.exe is probably pretty small;
I'm hoping to raise the safety bar for everyone else.

There's also an appearance factor: running an unsigned app looks scarier
(there's a warning "The publisher could not be verified...", possibly followed by a User Account
warning again noting the 'unknown' publisher).  Having a signature may
make users and their admins more confident that it's okay to use Cygwin.


--- David A. Wheeler


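An added example, not from the thread: the Windows prompt the discussion above refers to hinges on whether the PE file carries an embedded Authenticode signature at all. This Python check reads the security data directory of a PE image and reports whether such a signature is present; the two sample images it tests against are constructed minimal headers, not real executables, and no signature is cryptographically verified here.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode stores a PKCS#7 SignedData blob

def authenticode_entry(pe: bytes):
    """Return (file offset, size) of the WIN_CERTIFICATE blob, or None if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    # Data directories begin at +96 (PE32, magic 0x10B) or +112 (PE32+, magic 0x20B)
    dir_base = opt_hdr + (96 if magic == 0x10B else 112)
    num_dirs = struct.unpack_from("<I", pe, dir_base - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, dir_base + 8 * SECURITY_DIR_INDEX)
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA
    return (off, size) if off and size else None

def describe_signature(pe: bytes) -> str:
    """Human-readable summary of the embedded signature state of a PE image."""
    entry = authenticode_entry(pe)
    if entry is None:
        return "unsigned (Windows would report an unknown publisher)"
    off, size = entry
    length, rev, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "malformed security directory"
    return f"signed: PKCS#7 SignedData blob of {length} bytes at file offset {off}"

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 image for demonstration only; it is not runnable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # 16 directories
    dirs = [(0, 0)] * 16
    hdr_len = len(dos) + 4 + len(coff) + 96 + 16 * 8  # certificate blob is appended here
    cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 4
    if signed:
        dirs[SECURITY_DIR_INDEX] = (hdr_len, len(cert))
    image = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", o, s) for o, s in dirs)
    return image + (cert if signed else b"")
```

Run `describe_signature(open(path, "rb").read())` on a downloaded installer to see which case applies; a present blob still needs a real verifier to confirm the publisher.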

* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-03  1:23 ` Bryan Berns
@ 2015-04-03  3:27   ` David A. Wheeler
  2015-04-03 11:37     ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: David A. Wheeler @ 2015-04-03  3:27 UTC (permalink / raw)
  To: bryan.berns; +Cc: cygwin

On Thu, 2 Apr 2015 21:23:16 -0400, Bryan Berns <bryan.berns@gmail.com> wrote:
> Since the setup executable is responsible for running a whole bunch of
> community contributed post-install executables as part of the
> installation process, I'm not sure whether it'd be advisable to stamp
> a particular individual's name or company's name on the executive
> installer (e.g. Red Hat, for example).

I would expect the publisher to be "The Cygwin Project".
That's what the website says, after all!

In my mind, the point of the signature would be to assure that you have the correct
(untainted) installer, and that the other software installed was the one from Cygwin.
As far as the community install issue goes, the same thing is true for Fedora, Debian, etc.,
and that seems to be reasonably understood.

--- David A. Wheeler



* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-03  3:27   ` David A. Wheeler
@ 2015-04-03 11:37     ` Corinna Vinschen
  0 siblings, 0 replies; 8+ messages in thread
From: Corinna Vinschen @ 2015-04-03 11:37 UTC (permalink / raw)
  To: cygwin


On Apr  2 23:27, David A. Wheeler wrote:
> On Thu, 2 Apr 2015 21:23:16 -0400, Bryan Berns <bryan.berns@gmail.com> wrote:
> > Since the setup executable is responsible for running a whole bunch of
> > community contributed post-install executables as part of the
> > installation process, I'm not sure whether it'd be advisable to stamp
> > a particular individual's name or company's name on the executive
> > installer (e.g. Red Hat, for example).
> 
> I would expect the publisher to be "The Cygwin Project".
> That's what the website says, after all!
> 
> In my mind, the point of the signature would be to assure that you have the correct
> (untainted) installer, and that the other software installed was the one from Cygwin.
> As far as the community install issue goes, the same thing is true for Fedora, Debian, etc.,
> and that seems to be reasonably understood.

We're not going to change anything.  From my POV there's no good reason
to use Windows tools, especially given that the entire infrastructure is
running on an RHEL box.  So we're using the key on sourceware.org with
the GPG tool running under Linux on sourceware.org.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat



* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-02 18:13 Should cygwin's setup*.exe be signed using Sign Tool? David A. Wheeler
  2015-04-02 22:35 ` Andrey Repin
  2015-04-03  1:23 ` Bryan Berns
@ 2015-04-09 13:05 ` Jon TURNEY
  2015-04-09 13:44   ` René Berber
  2 siblings, 1 reply; 8+ messages in thread
From: Jon TURNEY @ 2015-04-09 13:05 UTC (permalink / raw)
  To: cygwin; +Cc: dwheeler

On 02/04/2015 19:13, David A. Wheeler wrote:
> Running setup*.exe produces "Publisher: Unknown publisher", and it's doubtful that many people check the signature of the .exe file before running.  Even if they did, there's the problem that the signature comes from the same place.
>
> Has Cygwin considered signing the installer using Sign Tool? More info:
>    https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
>    http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
>
> I believe signing it this way would eliminate the "unknown publisher"; it would also protect the many people who don't follow the current signature-checking process.  This would create a strong barrier against code subversion after release.
>
> The signed executable could also be signed using the current process, so you don't need to *eliminate* any capability.  I can't provide a patch to do this, obviously :-).

I don't think this is obvious at all.  You can't provide the 
certificate, but you can provide a patch.

However, saying "install Windows SDK, use signtool" is not a solution, 
for reasons already discussed.

The actual work that needs to be done here is to identify an alternative 
open source signing tool and how to use it.

It would be nice to have such a tool packaged for cygwin, as that would 
allow people to sign any MinGW-w64 executables they make...




* Re: Should cygwin's setup*.exe be signed using Sign Tool?
  2015-04-09 13:05 ` Jon TURNEY
@ 2015-04-09 13:44   ` René Berber
  0 siblings, 0 replies; 8+ messages in thread
From: René Berber @ 2015-04-09 13:44 UTC (permalink / raw)
  To: cygwin

On 4/9/2015 8:05 AM, Jon TURNEY wrote:
[snip]
> The actual work that needs to be done here is to identify an alternative
> open source signing tool and how to use it.
> 
> It would be nice to have such a tool packaged for cygwin, as that would
> allow people to sign any MinGW-w64 executables they make...

I've been using osslsigncode for a long time.

Ref: http://sourceforge.net/projects/osslsigncode/

It used to compile OTB in Cygwin (as well as Linux), depends on OpenSSL,
and libcurl.

But that was version 1.5.2.

The current version, 1.7.1, which on the way added "support for
compiling and running on Windows" messed things up (the usual way,
assuming that it is compiling for native Windows).  I fix it by
disabling HAVE_WINDOWS_H in the generated config.h .
-- 
René Berber



