Establish release workflow using GitHub Actions
Closed this issue · 6 comments
Preflight Checklist
- I have fully read the README and it did not solve the problem.
- I have searched all open and closed issues for the same bug report without success.
EverythingToolbar Version
1.3.4
Everything Version
1.3.4 x64
Windows Version
Win 11 Enterprise 22H2
Steps to reproduce
Expected Behavior
file analysis link above
Actual Behavior
file analysis link above
Screenshots
No response
Log output
file analysis link above
Additional Information
No response
Hi @mohit0121, I reported it as a false positive. Thanks for pointing it out!
@srwi Would you be kind enough to get it digitally signed by a Trusted CA / the developer of this app, please?
I'm not really looking to spend money on a code signing certificate, but I’m thinking about setting up a GitHub Actions release workflow instead. This could help show that the installer is safe by making the build process more transparent.
EverythingToolbar-1.3.4.msi _ Sandbox _ Counter Adversary Operations _ Intelligence.pdf
EverythingToolbar-1.3.4.msi _ Sandbox _ Counter Adversary Operations _ Static Analysis.pdf
EverythingToolbar-1.3.4.msi _ Sandbox _ Counter Adversary Operations _ Dynamic Analysis.pdf
EverythingToolbar-1.3.4.msi _ Sandbox _ Counter Adversary Operations _ Mitre Attack.pdf
1. Would you be kind enough to confirm if these vulnerabilities are false positives and can be safely ignored?
2. I would like to know more about the GitHub Actions release workflow. How will this satisfy the requirement of digital signatures from a Trusted CA?
- Would you be kind enough to confirm if these vulnerabilities are false positives and can be safely ignored?
Yes, they can be ignored. There is no spyware in EverythingToolbar.
- I would like to know more about the GitHub Actions release workflow. How will this satisfy the requirement of digital signatures from a Trusted CA?
EverythingToolbar is fully open-source and everybody can look at the code. Currently the release process consists of me manually creating the installer on my machine from that code. Technically at that time I could still inject some malware in there (which I don't). By automating the release workflow in GitHub Actions, the whole process would be made transparent and those who care can look at how the installer was created based on a snapshot of the code at that point in time.
This has nothing to do with digital signatures from a trusted CA. I don't have such a certificate and I am not planning to get one because I am not willing to spend money on one, which to my knowledge I would have to do.
I added a release workflow via GitHub Actions that creates the installer and the SHA-256 hash that can be used to verify that the MSI has not been tampered with. I think for now this is all I can do. The next release will be performed using that workflow.
https://github.com/srwi/EverythingToolbar/blob/master/.github/workflows/release.yml
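The two comments above describe the idea (build on a clean runner from a tagged commit, publish the installer together with its SHA-256 hash). The workflow below is an added illustration of that shape, not the project's real release.yml linked above; the solution name, MSI filename pattern, build command, runner image and action versions are assumptions chosen for the example.

```yaml
# Hypothetical release workflow (illustration only; not the project's real
# .github/workflows/release.yml). Runs on a clean GitHub-hosted Windows runner
# whenever a version tag is pushed, builds the installer, writes a SHA-256
# checksum file and attaches both to the GitHub release for that tag.
name: Release

on:
  push:
    tags:
      - 'v*'          # e.g. v1.3.5

permissions:
  contents: write     # needed to create the release and upload assets

jobs:
  release:
    runs-on: windows-latest
    steps:
      - name: Check out the exact commit the tag points to
        uses: actions/checkout@v4

      - name: Add MSBuild to PATH
        uses: microsoft/setup-msbuild@v2

      # Assumption: solution name and platform are placeholders; the real
      # build command is whatever the project's own workflow uses.
      - name: Build installer
        shell: pwsh
        run: msbuild EverythingToolbar.sln /p:Configuration=Release /p:Platform=x64

      - name: Compute SHA-256 checksum
        id: hash
        shell: pwsh
        run: |
          # Assumption: the build drops one MSI matching this pattern somewhere in the tree.
          $msi = Get-ChildItem -Recurse -Filter 'EverythingToolbar-*.msi' | Select-Object -First 1
          if (-not $msi) { throw 'Installer not found; build step did not produce an MSI' }
          $hash = (Get-FileHash -Algorithm SHA256 -Path $msi.FullName).Hash.ToLower()
          # sha256sum-compatible line: "<lowercase hex>  <filename>"
          "$hash  $($msi.Name)" | Out-File -Encoding ascii -NoNewline -FilePath "$($msi.FullName).sha256"
          Add-Content -Path $env:GITHUB_OUTPUT -Value "msi=$($msi.FullName)"

      - name: Publish release with installer and checksum
        uses: softprops/action-gh-release@v2
        with:
          files: |
            ${{ steps.hash.outputs.msi }}
            ${{ steps.hash.outputs.msi }}.sha256
```

To check a download on Windows, run `(Get-FileHash -Algorithm SHA256 .\EverythingToolbar-1.3.4.msi).Hash` and compare it with the hex in the published .sha256 file (Get-FileHash prints uppercase, so compare case-insensitively). Keep the caveats in mind: a matching hash proves the file you downloaded is the one the workflow produced from that tagged commit, not that the commit is benign (read the code) and not that the publisher is who they claim (only a code-signing certificate gives that, and SmartScreen will still warn on an unsigned MSI). Because the checksum and the MSI are served from the same release page, the check catches corrupted or mirrored downloads rather than a compromised GitHub account. Pinning the actions to commit SHAs instead of tags and reviewing the workflow file itself at the release commit are what make the build transparent in practice.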