tsunamods-codes/7th-Heaven

How to verify installation is secure

thebearup opened this issue · 5 comments

Trying to get Seventh Heaven up and running, but encountered several security concerns

  • Edge Browser and Microsoft Defender both warn me that the app is unrecognized and potentially untrustworthy. I tried downloading older versions (thinking this was due to the freshness of the release) but still saw the same warnings
  • VirusTotal also seems to be skeptical of the installer.
  • I don't see any checksums for verifying authenticity of the downloaded file

It's also unclear if this is an installer or portable executable. I'd hate to run an untrusted installer with admin privileges, but a portable exe would be reasonably safe in an unprivileged kiosk account.

Thanks,

Hello @thebearup,

Thanks for raising this. We currently provide the full source code for heuristic analysis purposes, we do build on the official GitHub Actions Microsoft-hosted runners, we upload the end result from there to the GitHub releases, and we upload the same binary to VirusTotal to let you know transparently about the result.

It's a very good suggestion to attach a checksum for the exe, which we'll try to cover. But to answer your question: it's up to you. You have all the means to verify everything if you want to; everything is fully FOSS and you're welcome to build it yourself if you don't trust us, instructions are included. If it helps though, we already have more than 150k downloads and users using 7th Heaven, and it's the least of our goals to provide unsafe or malware code.

What VirusTotal identifies are false positives because of the Windows APIs we need to use to ensure proper injection of the mods; however, to ensure this happens with the lowest permissions possible, we rewrote the stack to not require admin permissions and to run with your own user. This is also the reason why our installer does NOT run with admin permissions and by default we install it to your own user's AppData install path.

In the end it's up to you to decide, but still thanks for the ideas and we'll try our best to improve. If you have any other feedback that can help enforce this trust, it is more than welcome :)

Thanks for the thorough explanation :) It's clear you and the team have put a lot of work into making this safe.

  • I looked into code-signing certificates, but these seem rather expensive.
  • It looks like the binary can be submitted to Microsoft for scanning, which would hopefully prevent it from being flagged as malicious. I'm glad to submit it for you if that helps :)
  • Another great avenue is submission to the Windows Store, as the vetting process should give users reasonably high confidence about safety/security. It also helps with discoverability. I'd be glad to look into that too if/when I get cycles.

Thanks for getting back!

It looks like the binary can be submitted to Microsoft for scanning, which would hopefully prevent it from being flagged as malicious. I'm glad to submit it for you if that helps :)

This one could be a good candidate to be used for stable releases, but for Canaries it would be overwhelming for them. Also, it would be an async activity, so we can't afford to wait for their corporate times to approve our software. If you have contacts in MSFT and they're willing to help us in this process, we'd be more than happy to work with them!

Another great avenue is submission to the Windows Store, as the vetting process should give users reasonably high confidence about safety/security. It also helps with discoverability. I'd be glad to look into that too if/when I get cycles.

Because of how 7th Heaven works, it can't be packaged for the MS Store, as it requires special APIs that are not allowed AFAIK. But again, if someone from MSFT is willing to support us, make an analysis and let us know what might be needed, and if they allow us to publish the app for free, we might explore this as well.

Happy to announce that releases now come with a checksum file you can download next to the installer, so you can verify the setup integrity as well :) Thanks for the suggestion.
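As an added example (not code from the project or from anyone in this thread), here is a PowerShell check of a downloaded installer against the checksum file published next to it. It assumes the checksum file uses the common sha256sum-style layout (`<hex digest>  <filename>` or a bare digest on one line), which the thread does not specify, and the file names in the usage line are placeholders.

```powershell
# Added example, not the project's own code. Verifies a downloaded release file
# against the checksum file published alongside it. Assumes the checksum file
# holds lines like "<hex digest>  <filename>", "<hex digest> *<filename>", or a
# single bare digest; the real layout is not stated in the thread, so adjust
# the regexes if the release uses a different format.
function Test-ReleaseChecksum {
    param(
        [Parameter(Mandatory)] [string] $FilePath,      # downloaded installer (placeholder names below)
        [Parameter(Mandatory)] [string] $ChecksumPath,  # checksum file downloaded from the same release
        [ValidateSet('SHA256', 'SHA512', 'SHA1', 'MD5')] [string] $Algorithm = 'SHA256'
    )

    $fileName = [System.IO.Path]::GetFileName($FilePath)

    # Locate the digest for this file name; a bare single-digest file is accepted too.
    $expected = $null
    foreach ($line in Get-Content -LiteralPath $ChecksumPath) {
        if ($line -match '^\s*([0-9A-Fa-f]{32,128})\s+\*?(.+?)\s*$') {
            if ([System.IO.Path]::GetFileName($Matches[2]) -ieq $fileName) {
                $expected = $Matches[1]
                break
            }
        } elseif ($line -match '^\s*([0-9A-Fa-f]{32,128})\s*$') {
            $expected = $Matches[1]
        }
    }
    if (-not $expected) {
        throw "No digest for '$fileName' found in '$ChecksumPath'."
    }

    # Hash the file that was actually downloaded and compare case-insensitively.
    $actual = (Get-FileHash -LiteralPath $FilePath -Algorithm $Algorithm).Hash
    $match = $actual -ieq $expected

    [pscustomobject]@{
        File      = $fileName
        Algorithm = $Algorithm
        Expected  = $expected.ToLowerInvariant()
        Actual    = $actual.ToLowerInvariant()
        Match     = $match
    }
}

# Usage (placeholder file names; use the names shown on the release page):
# Test-ReleaseChecksum -FilePath .\7thHeaven-Setup.exe -ChecksumPath .\7thHeaven-Setup.exe.sha256
```

A match only shows that the download is the file the maintainers published (the checksum comes from the same release page, so it is not an independent trust anchor); the `Actual` digest is also the value you can search on VirusTotal to compare against the maintainers' own submission.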