glossarist/glossarist-desktop

Signing on Windows: "Windows protected your PC"

Opened this issue · 18 comments

No idea why this happens...? Will need to investigate.

Yes we have Windows signing; previously the signing worked -- no warning was displayed on my Windows machine on launch of the application. The Windows code signing certificate is from DigiCert.

@ronaldtse it appears that this warning is displayed only when you open the app for the first time. (Presumably, for each new version too.) I still think it has something to do with signing.

It was confirmed with the latest v1.6.17.

We're apparently missing Windows signing in this repo.

The issue is still present in the latest version Glossarist 1.6.38.

Windows signing in this repo is enabled, and you can see it in the build logs. It seems to succeed.

https://github.com/glossarist/glossarist-desktop/runs/1135873363?check_suite_focus=true

2020-09-18T20:52:53.6120773Z   • install prebuilt binary  name=keytar version=6.0.1 platform=win32 arch=x64
2020-09-18T20:52:53.9214455Z   • packaging       platform=win32 arch=x64 electron=9.1.1 appOutDir=dist\win-unpacked
2020-09-18T20:52:54.4634430Z   • downloading     url=https://github.com/electron/electron/releases/download/v9.1.1/electron-v9.1.1-win32-x64.zip size=70 MB parts=4
2020-09-18T20:52:56.0734680Z   • downloaded      url=https://github.com/electron/electron/releases/download/v9.1.1/electron-v9.1.1-win32-x64.zip duration=2.111s
2020-09-18T20:53:04.3448090Z after build; disable sandbox
2020-09-18T20:53:04.8849840Z   • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
2020-09-18T20:53:05.4275786Z   • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=966ms
2020-09-18T20:53:06.5467495Z   • signing         file=dist\win-unpacked\Glossarist.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:53:10.2819633Z   • building        target=nsis file=dist\install-glossarist-desktop-1.6.40.exe archs=x64 oneClick=true perMachine=false
2020-09-18T20:53:10.2822033Z   • building        target=portable file=dist\glossarist-desktop-1.6.40-portable.exe archs=x64
2020-09-18T20:53:11.2075931Z   • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
2020-09-18T20:53:11.2077815Z   • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=747ms
2020-09-18T20:53:12.3343836Z   • signing         file=dist\win-unpacked\resources\elevate.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:51.8865021Z   • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
2020-09-18T20:54:52.2273760Z   • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=678ms
2020-09-18T20:54:53.6719133Z   • signing         file=dist\glossarist-desktop-1.6.40-portable.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:53.7076670Z   •   Signing NSIS uninstaller  file=dist\__uninstaller-nsis-glossarist.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:55.2206117Z   • publishing      publisher=Github (owner: glossarist, project: glossarist-desktop, version: 1.6.40)
2020-09-18T20:54:56.2066206Z   • uploading       file=glossarist-desktop-1.6.40-portable.exe provider=GitHub
2020-09-18T20:54:56.2292125Z   • signing         file=dist\install-glossarist-desktop-1.6.40.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-Z9hdVL\0.p12
2020-09-18T20:54:57.9975555Z   • building block map  blockMapFile=dist\install-glossarist-desktop-1.6.40.exe.blockmap
2020-09-18T20:54:58.8300126Z   • uploading       file=install-glossarist-desktop-1.6.40.exe.blockmap provider=GitHub
2020-09-18T20:54:58.8319026Z   • uploading       file=install-glossarist-desktop-1.6.40.exe provider=GitHub
2020-09-18T20:55:01.2373329Z Done in 128.72s.

Perhaps if someone can show the signature details using SignTool.exe?
https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature

@batyr-tar will take a look at it

So far I think these are two somewhat separate issues:

  • It is important that signing works (Batyr will clarify in a bit using signtool)
  • However, even if it does work, the “Windows protected your PC” screen may still appear—from what I gather, Microsoft is using some sort of reputation system, and even despite a proper trusted signature it will throw this screen for new software until it is considered “trusted”.

Once a proper signature is confirmed, I think we can consider this screen “unfixable” until Microsoft’s reputation black box starts favoring us.

The certificate chain looks adequate, but for some reason is not trusted. I am not sure whether it is an issue with my Windows or SDK installation.
Digital Signatures tab in Properties shows no problems.

Same error on another Windows machine:

Verifying: C:\Users\froot\Downloads\install-glossarist-desktop-1.6.40.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha1): 2693FA123AE5A7925C043B11AB2C6F730EB8B1CC

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 07:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 19:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: Ribose Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Fri Nov 18 19:00:00 2022
            SHA1 hash: 597A5F33C2C77E37D60D034E89A94AF8DA8BF4E7

The signature is timestamped: Sat Sep 19 03:54:56 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 07:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 07:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 07:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
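
Added example (not part of the thread or the project's code): a Python triage of `signtool verify /v` output that separates a broken chain from a chain that is intact but ends in a root the selected verification policy rejects, as in the report above. The command line used is not shown in the thread; `signtool verify` applies the Windows Driver Verification Policy unless `/pa` (Default Authentication Verification Policy) is passed, and this error is the usual result for ordinary code-signing certificates under the driver policy. The function `triage` and its verdict names are hypothetical.

```python
import re

# Constructed sample: the signtool output quoted above, abridged
# (Expires lines and the timestamp chain omitted).
SAMPLE = """\
Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: Ribose Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            SHA1 hash: 597A5F33C2C77E37D60D034E89A94AF8DA8BF4E7

The signature is timestamped: Sat Sep 19 03:54:56 2020
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.
"""

CERT = re.compile(r"Issued to: (.+)\n\s*Issued by: (.+)\n(?:\s*Expires: .+\n)?"
                  r"\s*SHA1 hash: ([0-9A-F]{40})")

def triage(report):
    """Classify a `signtool verify /v` report (hypothetical helper)."""
    report = report.replace("\r", "")  # tolerate CRLF console captures
    # Only the signing chain matters here; cut at the timestamp section.
    signing = report.split("The signature is timestamped", 1)[0]
    chain = [dict(zip(("subject", "issuer", "sha1"), m.groups()))
             for m in CERT.finditer(signing)]
    if not chain:
        return {"verdict": "unsigned-or-unparsed", "chain": []}
    # signtool lists the root first: it must be self-issued, and every
    # later certificate must be issued by the one listed before it.
    linked = chain[0]["subject"] == chain[0]["issuer"] and all(
        child["issuer"] == parent["subject"]
        for parent, child in zip(chain, chain[1:]))
    error = " ".join(report.split())  # undo signtool's line wrapping
    if "terminated in a root certificate which is not trusted" in error:
        verdict = "policy-untrusted-root" if linked else "broken-chain"
    elif "SignTool Error" in error:
        verdict = "other-error"
    else:
        verdict = "ok" if linked else "broken-chain"
    return {"verdict": verdict, "root": chain[0], "signer": chain[-1],
            "timestamped": "The signature is timestamped" in report}
```

A `policy-untrusted-root` verdict means the file carries a complete, correctly linked chain and the rejection comes from the trust policy applied at verification time, so the next check is a re-run with `/pa` rather than a re-sign.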

This may be related...

https://docs.microsoft.com/en-us/security/trusted-root/2020/july2020

This release will add the EV Code Signing OID to the following roots:
...
16. Digicert \ DigiCert Assured ID Root CA \ 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

Apparently it is supposed to be around? Woot?

Ah, someone else has run into this issue: storj-archived/storjshare-gui#36 (comment)