Comments (18)
@emtec-jim and @godofjesters summed things up pretty nicely.
I'll just add that it's unlikely that Immybot will provide signed binaries. I can't speak for them, but I can think of a few reasons why I already know they'd say no.
I personally won't be purchasing a certificate to sign them either.
However, I did make changes in the latest preview image that I hope will help some of this.
- When downloading the attended support client (i.e. "Remotely_Desktop.exe"), the server URL now gets encoded in the file name. The file contents are no longer modified, so the self-signed cert I've been using in CI/CD will remain intact.
- This alone doesn't solve the SmartScreen warnings, but at least the signature can be compared to the known thumbprint of 463ebfa9dc6a1bdcafa643432c843067e5312b78 to verify authenticity.
- I added a "Deploy" page (screenshot below) that allows you to upload custom (e.g. signed) binaries for the attended support client.
- You can then copy the URL to send to customers, and they'll get your signed copy.
- These files get saved to the Docker volume mapped in the compose file.
I understand this might not be the desired solution, but this is what I had time/resources to complete. Hopefully it helps some.
from remotely.
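The thumbprint comparison mentioned in the comment above can be scripted. This is an added example, not code from the Remotely project or from the commenter; the function name `Test-ClientSigner` and the sample path are hypothetical.

```powershell
# Added example (not from the Remotely project): pin a downloaded client to a known signer.
function Test-ClientSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint quoted in the comment above; confirm it through a channel you trust.
        [string] $ExpectedThumbprint = '463ebfa9dc6a1bdcafa643432c843067e5312b78'
    )

    # -LiteralPath: the file name carries the encoded server URL and may contain
    # characters that PowerShell would otherwise treat as wildcards.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # These states mean there is no usable signature, or the contents changed after signing.
    $rejected = 'NotSigned', 'HashMismatch', 'NotSupportedFileFormat', 'Incompatible'
    $intact   = ($sig.Status.ToString() -notin $rejected) -and ($null -ne $sig.SignerCertificate)

    # A self-signed certificate normally does not chain to a trusted root, so Status is
    # not 'Valid' here; the thumbprint comparison is what identifies the signer.
    $expected = $ExpectedThumbprint -replace '\s', ''
    $actual   = if ($intact) { $sig.SignerCertificate.Thumbprint } else { $null }

    [pscustomobject]@{
        File          = [System.IO.Path]::GetFileName($Path)
        Status        = $sig.Status
        Thumbprint    = $actual
        SignerMatches = $intact -and ($actual -eq $expected)
    }
}

# The signature covers the file contents only. The server URL in the file name is not
# signed, so a matching thumbprint says nothing about which server the client will use.
# Hypothetical path; substitute the file you actually downloaded.
Test-ClientSigner -Path '.\Remotely_Desktop.exe'
```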
Download the agent from your remotely server like a customer would. Sign it with your own certificate. Host the signed version on your website for your customers.
That's what we did.
from remotely.
@emtec-jim please elaborate on how to do so, because this is the only hurdle for me using this system.
from remotely.
You will need your own code signing certificate - you can either generate one internally (self signed, untrusted) or buy one from a commercial certificate provider. Once you have that, it's relatively simple.
- Download the remote support agent you want to sign from your instance of Remotely to your PC, just like a user would. That will give you a local copy of the exe file ready to sign.
- Use Microsoft's signtool to sign the exe you downloaded with your certificate (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool)
- Upload the signed file to your own website for users to download and use.
That's the way we did it and it worked for us.
Theoretically it wouldn't be too hard to integrate binary signing into the Remotely download routine (there are Linux tools to sign windows binaries) but that is not something I have time to do right now - what we did worked for us and solved the problem, not ideal, but good enough.
from remotely.
OpenSSL to the rescue?
from remotely.
No success following this video, so I reverted back to Anydesk: https://youtu.be/m77p30bvY5E?si=B2roSyx1i2KE7ajB. I might return when the developers find a way to sign the .exe automatically for free.
from remotely.
that's how we do it as well, sign our exe after creation and host it on our webserver
from remotely.
I’d love to know how, like I said I wasn’t able to using the tutorial. Maybe there’s an easier way?
from remotely.
unfortunately i'm not the admin for my company that has access to our cert so i don't know the steps. i only know that we do have the exe created and we're able to sign it with our cert. it stops the exe from being stopped when downloading and as far as i've seen it doesn't trip any av's on our customers computers.
from remotely.
I provided a link to the relevant Microsoft documentation already - https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool - there are numerous example commands at the end of that document that show you exactly how to achieve what you are trying to do.
At the most basic, signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe
is the command you need, substituting MyCert.pfx for your signing certificate and MyFile.exe for the remotely executable.
You WILL need to buy a code-signing certificate from a recognised CA for this to work properly.
from remotely.
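The download, sign and host procedure from the comments above, with a verification step before the file is published. This is an added example, not the commenter's or the project's script; `Publish-SignedClient` and its parameters are hypothetical names, and it assumes `signtool.exe` is on PATH and a PFX that signtool can open without further options.

```powershell
# Added example: sign a downloaded client, then confirm the result before hosting it.
function Publish-SignedClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExePath,   # client downloaded from your server
        [Parameter(Mandatory)] [string] $PfxPath,   # your code-signing certificate
        [string] $TimestampUrl = 'http://timestamp.digicert.com'
    )

    # Same command as in the comment above.
    & signtool sign /f $PfxPath /t $TimestampUrl /fd SHA256 $ExePath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # /pa applies the default Authenticode verification policy. This fails for a
    # self-signed or internal-PKI certificate on a machine that does not trust its root.
    & signtool verify /pa $ExePath
    if ($LASTEXITCODE -ne 0) { throw "Signature does not verify; do not publish $ExePath" }

    $sig = Get-AuthenticodeSignature -LiteralPath $ExePath
    # Without a timestamp the signature stops validating once the certificate expires.
    if (-not $sig.TimeStamperCertificate) { throw 'Signature carries no timestamp' }

    # Record what was published so a customer-side copy can be compared later.
    [pscustomobject]@{
        File       = (Resolve-Path -LiteralPath $ExePath).Path
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
    }
}

# Hypothetical file names, matching the placeholders used in the comment above.
Publish-SignedClient -ExePath '.\MyFile.exe' -PfxPath '.\MyCert.pfx'
```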
The thing I love about open source, is its price. So there isn’t a way to do this for free? I mean Let’s Encrypt lets you encrypt everything for free on the web, so why not software? Certificates can be hella expensive.
from remotely.
No success following this video, so I reverted back to Anydesk: https://youtu.be/m77p30bvY5E?si=B2roSyx1i2KE7ajB. I might return when the developers find a way to sign the .exe automatically for free.
i honestly wish you luck.
from remotely.
The thing I love about open source, is its price. So there isn’t a way to do this for free? I mean Let’s Encrypt lets you encrypt everything for free on the web, so why not software? Certificates can be hella expensive.
First, open source does not mean free.
Second, if you own the endpoints (IE: Enterprise) then you can do it for free with a code signing cert issued by your internal PKI. You only need a public code signing cert (not an encryption cert) for a publicly trusted install. Due to the level of validation involved in a code signing cert, I doubt they'll ever be free. It's much more involved than let's encrypt where they're only validating ownership of a domain.
from remotely.
If you aren't running a business you have no need to sign the executable - you know it's safe so just ignore the warnings. If you are running a business then the cost of a certificate is simply a business overhead that you need to account for. A cert can be had for under £200 a year if you shop around - hardly a significant expense given most RMM tools will cost you more than that for 10 endpoints in a year.
Code Signing certs require validation of the business/organization they are being issued to, they have to or they'd be useless for their intended purpose. That is never going to be free.
At any rate, you've had an answer to your question and this is veering way off topic so I'll leave it there.
Good luck.
from remotely.
Hi,
I think that this project needs code signing.
Speaking from my company, we will be happy to pay even 100 USD/year to have a signed binary and MSI/EXE installer.
Speaking as OSS enthusiast I would like to point you to SignPath Foundation (https://signpath.org/about/) hoping that you will ship a signed exe soon.
Thanks
from remotely.
The problem here is that the executable is customised for each installation, as such it needs to be signed when it's created. I know some projects have made this into something of a business model by charging for signed binaries but honestly I doubt the revenue generated would cover the overheads even if someone were to want to undertake it.
If there really is interest in this it would be far better to build the capability to sign the binaries into the application. There are open-source tools that can sign executables files so it should be possible to modify the application in such a way that you can upload a certificate (and key) which is then used to sign the downloads dynamically.
Yes, there are potential issues with that (it's never a great idea to have a key readily accessible) but it's probably the only way to get code signing into the Remotely app as things stand.
As I've said before, I don't have the resources to do this myself right now and there is a work-around for those who truly need it. Yes, it would be nice to have it but unless someone steps up to contribute the necessary code I can't see it happening.
from remotely.
Hi,
AFAIK the code signing for PE does indeed allow embedding specific data without re-signing the code.
Some reference in case someone is able to work on this for the project:
https://learn.microsoft.com/it-it/archive/blogs/ieinternals/caveats-for-authenticode-code-signing
https://github.com/mgaffigan/passdata/blob/master/PassData.ClientSide/StampReader.cs
This would allow signing the installer within the software release and having all installs embed the server address and server id.
from remotely.
how often do you need to generate a new exe? you should only need to generate one when the server gets updated. generate one copy, sign it, get it to whoever. if you constantly need to generate a download, yes i can see the need for signing, but what am i missing?
from remotely.