Comments (29)

GitMensch commented on May 15, 2024

Just rechecked with current NPP - works like a charm. One additional request: is it possible to include the plugin NppAdminAccess.exe (extension "SaveAsAdmin") and sign this executable, too - or even better: include the code parts and replace this message box (as the current "included procedure" will lose any changes and the track of the opened file)?

---------------------------
Save failed
---------------------------
The file cannot be saved and it may be protected.
Do you want to launch Notepad++ in Administrator mode?
---------------------------
Yes   No   
---------------------------

from notepad-plus-plus.

RiverSongFox commented on May 15, 2024

Despite the tricky registration and certificate request process (sometimes the website switches to Polish) and the assurance requirement, the CA is very nice. And the only authority that offers free certificates for open source projects, as far as I know.

GitMensch commented on May 15, 2024

Just updated npp and was prompted with the Unknown Origin warning again.
I can recommend certum, too.

After receiving the certificate (needs 2-48h) it's possible to sign the NPP executable (and all DLLs created by the NPP packager, should be at least scintilla), the installer, updater and the uninstaller.

According to http://nsis.sourceforge.net/Signing_an_Uninstaller the uninstaller has to be created beforehand to sign it when using NSIS, with a small hack to the nsis script.

Here are my suggestions for the command lines for signing:

  • adjust the nsi-script, use the following as the sign command

    ; NSIS escapes an embedded double quote as $\" (not \"), so the whole command
    ; is wrapped in single quotes and the inner double quotes stay plain.
    !system 'signtool.exe sign /f "$%NPP_CERT%" /p "$%NPP_CERT_PWD%" /d "Notepad++ Installer" /du "https://notepad-plus-plus.org/" /t "http://time.certum.pl" "$%TEMP%\uninstaller.exe"' = 0

  • adjust packageAll.bat to include the sign part

    :: at beginning (%~1 / %~2 strip surrounding quotes, so a quoted path is not double-quoted below)
    IF [%~1] == [] (
       echo Parameter 1 for NPP-CERT is missing
       goto :eof
    )
    set NPP_CERT=%~1

    IF [%~2] == [] (
       echo Parameter 2 for NPP-CERT-PWD is missing
       goto :eof
    )
    set NPP_CERT_PWD=%~2


    :: before copying the files sign them (paths are likely to need adjustments)
    signtool.exe sign /f "%NPP_CERT%" /p "%NPP_CERT_PWD%" /d "Notepad++" /du "https://notepad-plus-plus.org/" /t "http://time.certum.pl" "notepad++.exe" "NppShell_06.dll" "SciLexer.dll"
    signtool.exe sign /f "%NPP_CERT%" /p "%NPP_CERT_PWD%" /d "Generic Updater for Notepad++" /du "https://notepad-plus-plus.org/" /t "http://time.certum.pl" "updater\GUP.exe" "updater\gpup.exe"

    :: sign the standard plugins (signtool accepts wildcards)
    signtool.exe sign /f "%NPP_CERT%" /p "%NPP_CERT_PWD%" /d "Notepad++ Plugin" /du "https://notepad-plus-plus.org/" /t "http://time.certum.pl" "plugins\*.dll"


    :: after the makensis command line sign the created installer here
    signtool.exe sign /f "%NPP_CERT%" /p "%NPP_CERT_PWD%" /d "Notepad++ Installer" /du "https://notepad-plus-plus.org/" /t "http://time.certum.pl" "npp.*.installer.exe"

You may set NPP_CERT to a constant value on your system, but at least NPP_CERT_PWD should be set from outside ;-)

If there is anything I can help with the signing process: please let me know.


milipili commented on May 15, 2024

We will probably try to get a cert from certum. No other known provider?

tushevorg commented on May 15, 2024

Unfortunately, no. There are free SSL certificate providers such as StartCom and WoSign, but I'm not aware of anyone but Certum offering free code signing certificates.

megabreakfast commented on May 15, 2024

This would also be useful, or at least add a Product Name and/or File Description to the installer package. I work for a company that, as part of our product, helps users to implement least privilege, whilst providing elevation to processes as necessary. We can use several identifiers, but for obvious reasons using a filename isn't as secure or reliable as a cert.

At least if there is a consistent file description, we could target the filename, description, product name etc. of the installer file, even if there is no certificate. At the moment, we can't identify it at all as the only piece of info we can use is the filename.

If this makes sense....

GitMensch commented on May 15, 2024

Is there anything I can help with this issue?

milipili commented on May 15, 2024

For now I don't think so. We have to get a certificate first.

Rikk commented on May 15, 2024

Free certificates are never in the chain of trusted certs. To make Windows accept them and not flag them as invalid, everyone would need to install an intermediate certificate of its issuer. In the end, free certs are just like self-signed ones, useful for indicating the code was not modified, but not trusted by the OS.

The one from Certum (mentioned above) is not free and costs €14. Looks a great price, if yearly.

GitMensch commented on May 15, 2024

Certum offers a free certificate for signing FOSS (it's the same as the paid one, just without the fee and with a little more information to give them [about the project, the role of the person requesting the certificate, ...]). Works like a charm.

And yes: certum is in the Windows root certificate list, therefore the certificates (both paid and free for FOSS) are accepted by the system.

To get a certificate needs ca. 30 minutes of work (including manually changing the site language to English from time to time ;-).

To use it needs some time - but as most of the necessary work is already described above I'd guess this needs another 30 minutes. If there's any question I can help.

milipili commented on May 15, 2024

I am not really used to code signing on Windows. Does it have any known problems with Windows XP (or is it simply ignored)?

Rikk commented on May 15, 2024

Afaik, the unsupported XP <= SP2 has problems with certificates using newer hash algorithms (SHA2+ instead of SHA1), as there are discussions that the older one is vulnerable and is being rapidly replaced.
Imo, XP is well over its expiration date.

https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

GitMensch commented on May 15, 2024

Did you register for the certificate yet? They just changed the free certificate to only be heavily reduced (now 14 EUR). It's still a reasonable price; you may find someone to sponsor it. @megabreakfast, the company you work for may do so, as it sounds like this would save more expensive work time.
The URL is the same as before: http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

Manouchehri commented on May 15, 2024

@GitMensch I'm willing to sponsor it if @milipili is okay with that.

tushevorg commented on May 15, 2024

There is a lot of information on code signing; however, if necessary, I'm willing to provide any help with signing the package I can.


ericlaw1979 commented on May 15, 2024

FWIW, it looks like the DigiCert guys may be willing to offer you a free certificate (https://twitter.com/digicert/status/687680270309441536). Today, DigiCert gives free 3 year certificates to all Microsoft MVPs and it looks like they may be willing to extend that offer to you.

They're a great CA and very straightforward to use. I wrote about my experience here: http://blogs.msdn.com/b/ieinternals/archive/2015/01/28/authenticode-in-2015-signcode-with-certificate-on-etoken.aspx

tushevorg commented on May 15, 2024

Well, looks great. @milipili, @donho, what do you think?

donho commented on May 15, 2024

@ericlaw1979 Thank you for your prompt! I got in contact with DigiCert and they are willing to offer the Notepad++ project a Code Signing certificate. We are seeing the procedure for getting the certificate.

@tushevorg @GitMensch I may need your competence for code signing. I'll keep you updated. Hopefully v6.9 will be signed with the new certificate!

tushevorg commented on May 15, 2024

Great news, waiting for the release.
Let us know if you need help.

GitMensch commented on May 15, 2024

> @GitMensch I may need your competence for code signing. I'll keep you updated. Hopefully v6.9 will be signed with the new certificate!

Sure. Please check the suggested changes at #49 (comment) for a starting point.

[screenshot: npp_cert]
looks nice :-)

Simon

donho commented on May 15, 2024

@GitMensch I have no code signing experience (yet). And some points are not clear to me:

  1. It's certain that I need to sign the installer. Should I sign "notepad++.exe" as well?
  2. If I should sign "notepad++.exe", I suppose that I have to sign "GUP.exe" too, since this program (included in the installer) updates and elevates privileges for the downloaded installer of Notepad++.

What are your suggestions?

EDIT: Just reviewed your suggestions for the part of the batch file - I'll sign all the binaries in the package.
Thank you!

donho commented on May 15, 2024

@GitMensch I still haven't figured out how to pass the arguments $%NPP_CERT% and $%NPP_CERT_PWD% into the nsis script.
And since:
"Especially under Windows Vista, installer/uninstaller binaries need to be signed to avoid alarming looking dialog boxes with dire warnings about "unknown publishers" etc."
http://nsis.sourceforge.net/Signing_an_Uninstaller
I think it is safe to say that Vista can be ignored (with my Windows 10, I didn't get a warning on launching the Notepad++ uninstaller).

If you have any idea about that, please let me know.

GitMensch commented on May 15, 2024

While Vista can be ignored it's best to sign the uninstaller, too - depending on local settings (including group policies) there can sometimes be problems otherwise.

Keep in mind that the signing does not only provide a mechanism for "Don did this" but also for "and nobody else changed the binaries afterwards". (BTW: It's quite easy to replace uninstallers with bad software ;-))

> I still haven't figured out how to pass the arguments $%NPP_CERT% and $%NPP_CERT_PWD% into the nsis script

It's been quite some time since I did this, but my understanding of the process is:

    ::: setting up the environment vars that NSIS will pick up with the special $%env_var% param
    set NPP_CERT=C:/path/to/cert
    rem only do so if you're lazy, otherwise enter it each time
    rem set NPP_CERT_PWD=YourAwes0m3~Pazsw@rd
    set /P NPP_CERT_PWD=Don, give me your password: 

    ::: run either the script, or the IDE/whatever you use to start the signing later here

Simon

donho commented on May 15, 2024

@GitMensch Thank you for the hint.

I did check the page
http://nsis.sourceforge.net/Signing_an_Uninstaller

I do understand the idea of putting the uninstaller outside to sign it, then putting it back into the installer.
However, I haven't figured out yet how to adapt it to the current Notepad++ NSIS script.

Any suggestion about that?

ericlaw1979 commented on May 15, 2024

FWIW, I don't think you need to bother signing the uninstaller; Windows 7 and later, at least, don't seem to care. The elevation prompt for the uninstaller is from Windows itself. (For instance, Fiddler doesn't sign its uninstaller)

From a security point-of-view, the risk of attack is typically at the point of install; if the application is written to a protected directory like those under \Program Files\ the attacker already needs admin rights to compromise the binary.

donho commented on May 15, 2024

Thank you @ericlaw1979 for your answer. I guess I can close this issue then.

GitMensch commented on May 15, 2024

@donho: Can you please sign the GPUP.exe that is used with NPP, too?

tushevorg commented on May 15, 2024

+1

It would be even better to sign all the executables & DLLs in the distribution.
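Added example, not code from the Notepad++ project or from anyone in this thread: a Python pre-release check for the "sign every executable and DLL" goal discussed above and for the signing batch script earlier in the thread. It walks a package directory and reports .exe/.dll files whose PE Certificate Table data directory is empty (no embedded Authenticode signature); build_minimal_pe constructs a header-only PE image so the check can be exercised offline. It only inspects headers; whether a present signature is valid and chains to a trusted root is left to signtool verify.

```python
# Added example (not Notepad++ project code): list PE files in a package
# whose Certificate Table entry is empty, i.e. no embedded Authenticode
# signature. Header inspection only; chain validation is signtool verify's job.
import struct
from pathlib import Path
from typing import Iterator

PE_EXTENSIONS = {".exe", ".dll"}
OPTIONAL_HEADER_SIZE = {0x10B: 96, 0x20B: 112}   # PE32, PE32+ (before data dirs)


def has_authenticode_entry(data: bytes) -> bool:
    """True if IMAGE_DIRECTORY_ENTRY_SECURITY (data directory index 4) points
    at a non-empty certificate table that lies inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
        return False
    opt = e_lfanew + 4 + 20                       # skip PE signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in OPTIONAL_HEADER_SIZE:
        return False
    entry = opt + OPTIONAL_HEADER_SIZE[magic] + 4 * 8   # 8 bytes per directory entry
    if entry + 8 > len(data):
        return False
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0 and offset + size <= len(data)


def unsigned_pe_files(root: Path) -> Iterator[Path]:
    """Yield every .exe/.dll under root that lacks an embedded signature."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PE_EXTENSIONS:
            if not has_authenticode_entry(p.read_bytes()):
                yield p


def build_minimal_pe(cert_size: int = 0, plus: bool = True) -> bytes:
    """Constructed header-only PE image (no sections) for offline testing."""
    magic = 0x20B if plus else 0x10B
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", magic) + b"\0" * (OPTIONAL_HEADER_SIZE[magic] - 2)
    dirs = bytearray(16 * 8)
    total = len(dos) + len(coff) + len(opt) + len(dirs) + cert_size
    if cert_size:   # point the security directory at a trailing blob
        struct.pack_into("<II", dirs, 4 * 8, total - cert_size, cert_size)
    return dos + coff + opt + bytes(dirs) + b"\0" * cert_size
```

Run it as `for p in unsigned_pe_files(Path("path/to/package")): print(p)` after the signing step and before makensis picks the files up; any path printed is a binary the signtool lines above did not cover.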
