
Comments (18)

bitbound commented on July 19, 2024

@emtec-jim and @godofjesters summed things up pretty nicely.

I'll just add that it's unlikely that Immybot will provide signed binaries. I can't speak for them, but I can think of a few reasons why I already know they'd say no.

I personally won't be purchasing a certificate to sign them either.

However, I did make changes in the latest preview image that I hope will help some of this.

  • When downloading the attended support client (i.e. "Remotely_Desktop.exe"), the server URL now gets encoded in the file name. The file contents are no longer modified, so the self-signed cert I've been using in CI/CD will remain intact.
    • This alone doesn't solve the SmartScreen warnings, but at least the signature can be compared to the known thumbprint of 463ebfa9dc6a1bdcafa643432c843067e5312b78 to verify authenticity.
  • I added a "Deploy" page (screenshot below) that allows you to upload custom (e.g. signed) binaries for the attended support client.
    • You can then copy the URL to send to customers, and they'll get your signed copy.
    • These files get saved to the Docker volume mapped in the compose file.

[image: screenshot of the Deploy page]

I understand this might not be the desired solution, but this is what I had time/resources to complete. Hopefully it helps some.

from remotely.

emtec-jim commented on July 19, 2024

Download the agent from your remotely server like a customer would. Sign it with your own certificate. Host the signed version on your website for your customers.

That's what we did.


vespino commented on July 19, 2024

@emtec-jim please elaborate on how to do so, because this is the only hurdle for me using this system.


emtec-jim commented on July 19, 2024

You will need your own code signing certificate - you can either generate one internally (self signed, untrusted) or buy one from a commercial certificate provider. Once you have that, it's relatively simple.

  1. Download the remote support agent you want to sign from your instance of Remotely to your PC, just like a user would. That will give you a local copy of the exe file ready to sign.
  2. Using Microsoft's signtool, sign the exe you downloaded with your certificate (https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool).
  3. Upload the signed file to your own website for users to download and use.

That's the way we did it and it worked for us.

Theoretically it wouldn't be too hard to integrate binary signing into the Remotely download routine (there are Linux tools to sign windows binaries) but that is not something I have time to do right now - what we did worked for us and solved the problem, not ideal, but good enough.


vespino commented on July 19, 2024

OpenSSL to the rescue?


vespino commented on July 19, 2024

No success following this video, so I reverted back to Anydesk: https://youtu.be/m77p30bvY5E?si=B2roSyx1i2KE7ajB. I might return when the developers find a way to sign the .exe automatically for free.


godofjesters commented on July 19, 2024

That's how we do it as well: sign our exe after creation and host it on our webserver.


vespino commented on July 19, 2024

I’d love to know how, like I said I wasn’t able to using the tutorial. Maybe there’s an easier way?


godofjesters commented on July 19, 2024

Unfortunately I'm not the admin for my company that has access to our cert, so I don't know the steps. I only know that we do have the exe created and we're able to sign it with our cert. It stops the exe from being stopped when downloading, and as far as I've seen it doesn't trip any AVs on our customers' computers.


emtec-jim commented on July 19, 2024

I provided a link to the relevant Microsoft documentation already - https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool - there are numerous example commands at the end of that document that show you exactly how to achieve what you are trying to do.

At the most basic, signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe is the command you need, substituting MyCert.pfx for your signing certificate and MyFile.exe for the remotely executable.

You WILL need to buy a code-signing certificate from a recognised CA for this to work properly.

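The two checks the thread keeps coming back to are comparing the downloaded client's signer against the thumbprint bitbound posted, and then re-signing and verifying with signtool as emtec-jim describes. The following added example (mine, not code from the Remotely project or from anyone in this thread) strings those steps together; the file paths, the PFX name and the choice of timestamp server are assumptions.

```powershell
# Added example, not part of the Remotely project. Paths below are placeholders.
$Expected = '463ebfa9dc6a1bdcafa643432c843067e5312b78'   # thumbprint quoted in the thread
$Download = '.\Remotely_Desktop.exe'                      # client downloaded from your server
$Pfx      = '.\MyCodeSigning.pfx'                         # your own code-signing certificate
$Tsa      = 'http://timestamp.digicert.com'               # RFC 3161 timestamp server (assumed)

function Test-ExpectedSigner {
    param([string]$Path, [string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # A self-signed CI certificate will not report Status = Valid because it does not
    # chain to a trusted root; the thumbprint comparison is what tells you the file
    # is the unmodified build rather than something swapped in along the way.
    $match = $sig.SignerCertificate -and
             ($sig.SignerCertificate.Thumbprint -ieq $Thumbprint)
    [PSCustomObject]@{ File = $Path; Status = $sig.Status; SignerMatches = [bool]$match }
}

$check = Test-ExpectedSigner -Path $Download -Thumbprint $Expected
if (-not $check.SignerMatches) {
    throw "Signer thumbprint does not match the expected build; refusing to re-sign."
}

# Re-sign with your own certificate. signtool replaces the existing signature by default.
# /fd and /td select SHA-256 for the file hash and the timestamp; /tr names an RFC 3161
# server so the signature stays valid after the certificate itself expires.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
& signtool.exe sign /f $Pfx /p $plain /fd SHA256 /tr $Tsa /td SHA256 $Download
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Confirm the new signature chains to a trusted root under the default Authenticode policy.
& signtool.exe verify /pa /v $Download
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
(Get-AuthenticodeSignature -FilePath $Download).SignerCertificate.Subject
```

Run this from a Developer Command Prompt or any shell where signtool.exe is on PATH; the thumbprint check happens before the re-sign so you never put your own signature on a file whose origin you could not confirm.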

vespino commented on July 19, 2024

The thing I love about open source, is its price. So there isn’t a way to do this for free? I mean Let’s Encrypt lets you encrypt everything for free on the web, so why not software? Certificates can be hella expensive.


godofjesters commented on July 19, 2024

> No success following this video, so I reverted back to Anydesk: https://youtu.be/m77p30bvY5E?si=B2roSyx1i2KE7ajB. I might return when the developers find a way to sign the .exe automatically for free.

I honestly wish you luck.


abitlegacy commented on July 19, 2024

> The thing I love about open source, is its price. So there isn’t a way to do this for free? I mean Let’s Encrypt lets you encrypt everything for free on the web, so why not software? Certificates can be hella expensive.

First, open source does not mean free.
Second, if you own the endpoints (i.e. enterprise) then you can do it for free with a code signing cert issued by your internal PKI. You only need a public code signing cert (not an encryption cert) for a publicly trusted install. Due to the level of validation involved in a code signing cert, I doubt they'll ever be free. It's much more involved than Let's Encrypt, where they're only validating ownership of a domain.


emtec-jim commented on July 19, 2024

If you aren't running a business you have no need to sign the executable - you know it's safe so just ignore the warnings. If you are running a business then the cost of a certificate is simply a business overhead that you need to account for. A cert can be had for under £200 a year if you shop around - hardly a significant expense given most RMM tools will cost you more than that for 10 endpoints in a year.

Code Signing certs require validation of the business/organization they are being issued to, they have to or they'd be useless for their intended purpose. That is never going to be free.

At any rate, you've had an answer to your question and this is veering way off topic so I'll leave it there.

Good luck.


gravasio commented on July 19, 2024

Hi,
I think that this project needs code signing.
Speaking for my company, we would be happy to pay even 100 USD/year to have a signed binary and MSI/EXE installer.
Speaking as OSS enthusiast I would like to point you to SignPath Foundation (https://signpath.org/about/) hoping that you will ship a signed exe soon.
Thanks


emtec-jim commented on July 19, 2024

The problem here is that the executable is customised for each installation, as such it needs to be signed when it's created. I know some projects have made this into something of a business model by charging for signed binaries but honestly I doubt the revenue generated would cover the overheads even if someone were to want to undertake it.

If there really is interest in this it would be far better to build the capability to sign the binaries into the application. There are open-source tools that can sign executables files so it should be possible to modify the application in such a way that you can upload a certificate (and key) which is then used to sign the downloads dynamically.

Yes, there are potential issues with that (it's never a great idea to have a key readily accessible) but it's probably the only way to get code signing into the Remotely app as things stand.

As I've said before, I don't have the resources to do this myself right now and there is a work-around for those who truly need it. Yes, it would be nice to have it, but unless someone steps up to contribute the necessary code I can't see it happening.


gravasio commented on July 19, 2024

Hi,
AFAIK code signing for PE does indeed allow embedding specific data without re-signing the code.
Some references in case someone is able to work on this for the project:
https://learn.microsoft.com/it-it/archive/blogs/ieinternals/caveats-for-authenticode-code-signing
https://github.com/mgaffigan/passdata/blob/master/PassData.ClientSide/StampReader.cs

This would allow signing the installer as part of the software release and having every install embed the server address and server id.

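The article gravasio links explains that the Authenticode hash does not cover every byte of a signed PE: the certificate table can hold data after the PKCS#7 signature blob, which is what lets a server address be stamped into a signed client. The following added example (mine, not PassData's StampReader or anything from Remotely) reads the security data directory and reports how many such bytes the first WIN_CERTIFICATE entry carries; that this is the location PassData uses is my assumption, and the function name and path are placeholders.

```powershell
# Added example, not part of Remotely or PassData. Reports bytes inside the PE certificate
# table that sit after the DER-encoded PKCS#7 blob, i.e. bytes the signature does not cover.
function Get-UnsignedCertTableBytes {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToUInt32($b, 0x3C)                     # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "Not a PE file: $Path" }
    $optOff = $peOff + 24                                            # optional header follows COFF header
    $magic  = [BitConverter]::ToUInt16($b, $optOff)
    # Data directories start at +112 for PE32+ (0x20B) and +96 for PE32 (0x10B).
    $dirOff = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
    # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4; unlike other entries it is a file offset.
    $secOff = [BitConverter]::ToUInt32($b, $dirOff + 4 * 8)
    $secLen = [BitConverter]::ToUInt32($b, $dirOff + 4 * 8 + 4)
    if ($secOff -eq 0 -or $secLen -eq 0) { return $null }            # no Authenticode signature
    # WIN_CERTIFICATE: dwLength (4), wRevision (2), wCertificateType (2), bCertificate[]
    $dwLength = [BitConverter]::ToUInt32($b, $secOff)
    $der = $secOff + 8
    if ($b[$der] -ne 0x30) { throw "bCertificate does not start with a DER SEQUENCE" }
    # Decode the DER length (short form, or long form with N length bytes).
    $l = $b[$der + 1]
    if ($l -lt 0x80) { $hdr = 2; $len = [int]$l }
    else {
        $n = $l -band 0x7F; $hdr = 2 + $n; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len * 256) + $b[$der + 2 + $i] }
    }
    $trailing = $secOff + $dwLength - ($der + $hdr + $len)
    [PSCustomObject]@{ File = $Path; Pkcs7Bytes = $hdr + $len; TrailingBytes = $trailing }
}

Get-UnsignedCertTableBytes -Path '.\Remotely_Desktop.exe'            # placeholder path
```

Up to 7 trailing bytes are ordinary 8-byte alignment padding; a larger count means data was deliberately stored there, which is worth knowing when you inventory what your customers download. Only the first WIN_CERTIFICATE entry is inspected, so a file with several signatures needs a loop over dwLength-sized entries.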

godofjesters commented on July 19, 2024

How often do you need to generate a new exe? You should only need to generate one when the server gets updated. Generate one copy, sign it, get it to whoever needs it. If you constantly need to generate a download, yes, I can see the need for signing, but what am I missing?
