
Extend Authenticode signatures to more (all) Gpg4win binaries and libraries
Open, Normal, Public

Description

If an organisation requires all binary code on a Windows installation to be verified,
it can make it mandatory that only signed DLLs or executables are run by Windows.

Thus it is an advantage if all Gpg4win binary code objects are signed with Authenticode.
(A workaround may be file-hash based policies.)

This is related to T2227 where signing of GpgOL was wished for.

Details

Some binary objects are already signed, for example:

C:\Program Files (x86)\GnuPG\bin\zlib1.dll
C:\Program Files (x86)\GnuPG\bin\scdaemon.exe

Another 125 files in Gpg4win 4.0.0 are not signed (checked with Get-AuthenticodeSignature), for example:

"C:\Program Files (x86)\Gpg4win\bin\md5sum.exe","NotSigned","None",,
"C:\Program Files (x86)\Gpg4win\bin\libwinpthread-1.dll","NotSigned","None",,
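As an added example (not part of this ticket or of Gpg4win itself), a PowerShell inventory that walks an install directory, records the Authenticode status of every EXE and DLL in the same shape as the CSV excerpt above, and adds the SHA-256 needed for the file-hash policy workaround; the install path and report location are assumptions.

```powershell
# Added example: inventory Authenticode status of all PE files under a Gpg4win
# install directory. Paths below are assumptions, adjust to the actual install.
param(
    [string]$InstallDir = "C:\Program Files (x86)\Gpg4win",
    [string]$Report     = "$env:TEMP\gpg4win-signatures.csv"
)

$files = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll

$rows = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path       = $f.FullName
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "None" }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { "" }
        # Countersignature matters: without a timestamp the signature expires with the cert
        TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { "" }
        # SHA-256 is what a file-hash allow-list rule (WDAC/AppLocker) would be built from
        Sha256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

$rows | Export-Csv -Path $Report -NoTypeInformation

# Summary per status, then the files a signed-code-only policy would refuse to load
$rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$unsigned = @($rows | Where-Object { $_.Status -ne 'Valid' })
"{0} of {1} files lack a valid Authenticode signature (report: {2})" -f $unsigned.Count, @($rows).Count, $Report
$unsigned | Select-Object Path, Status | Format-Table -AutoSize
```

The Status column distinguishes NotSigned from HashMismatch or NotTrusted, so a tampered or expired signature is not mistaken for a merely missing one.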
Analysis

This would need to be included in the signing step of the packaging process,
so that it is done on every build.

The principal mechanism should be in place (using Windows openssh capabilities), if I've understood @werner correctly.
