
Check that code signing chain is properly included in our signatures
Closed, Invalid (Public)

Description

Up until version 4.0.3 the installer had a CA signature by GlobalSign Code Signing Root R45. But ever since that version it has vanished and it is only self-signed. What is the cause of this and when can we expect to have the installers have a proper certificate? Right now opening the installer file gives a warning.

Details

Version
4.2.0

Event Timeline

aheinecke added a subscriber: aheinecke.

Hello,

This is not true. Our installers are always signed; even the included binaries are mostly signed.

Are you sure that you are getting the correct download from https://www.gpg4win.org/? Maybe you are downloading a manipulated installer?

OK, had to install the intermediary CA certificate from https://support.globalsign.com/ca-certificates/intermediate-certificates/code-signing-standard-ev-intermediate-certificates. For some reason it was missing from my system.
After installing things look good.

aheinecke triaged this task as Normal priority.

Oh wait. That shows a problem on our side. We should include the full chain in our signature. I am renaming your task and will at least investigate if we do, or if that maybe changed the last time we updated the certificate, which might have been after 4.0.3.

aheinecke renamed this task from "Installer Exe Certificate Self-Signed" to "Check that code signing chain is properly included in our signatures". Jul 30 2023, 6:39 PM
aheinecke claimed this task.

I don't think that it is a good idea to include the chain. Sometimes certificates are re-issued - they are still valid but signed by another top level cert. The certificate also has the URL from where to fetch the intermediates. Let's close this.

I do not think it could cause any harm: if a certificate is re-issued we can adapt, and worst case we would ship a very small obsolete intermediate. And it would be one potential problem less when verifying our signature, namely that on this PC at the time the intermediate certificate is not available. Having a self-contained chain in the signature is also helpful for scripted verification checks, where you would then just need to check that the root CA is trusted and then can check everything offline.
And we take a bit of pride in the fact that we can easily be run on offline systems, and there this might actually create a bit of a hassle to get the certificate in there. This would also allow for easier verification using osslsigncode itself, independent of Microsoft tools.
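The offline check sketched above, as an added example that is not part of this task or of Gpg4win's own tooling: the first function pulls the raw Authenticode PKCS#7 blob out of a PE installer using only the standard library (it can be fed to `openssl pkcs7 -inform DER -print_certs -noout` to list the embedded certificates), and the second walks the embedded subject/issuer links from the leaf and reports whether the chain reaches a trusted root without needing a network fetch. All distinguished names in the usage example are constructed placeholders.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def extract_authenticode_signature(pe_path):
    """Return the DER PKCS#7 SignedData embedded in a PE file, or None if unsigned."""
    with open(pe_path, "rb") as f:
        data = f.read()
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe + 24                                          # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ data directories
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_size == 0:
        return None
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate (the PKCS#7 blob)
    length, _rev, ctype = struct.unpack_from("<IHH", data, sec_off)
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type 0x%04x" % ctype)
    return data[sec_off + 8:sec_off + length]


def chain_gaps(certs, trusted_roots):
    """certs: [(subject, issuer), ...] as embedded in the signature, leaf first.
    Returns (True, "") if every link up to a trusted root is present offline,
    otherwise (False, reason) naming the issuer that would have to be fetched."""
    by_subject = dict(certs)
    name = certs[0][0]
    seen = set()
    while True:
        issuer = by_subject[name]
        if issuer in trusted_roots:
            return True, ""
        if issuer == name:
            return False, "untrusted self-signed root: " + issuer
        if issuer not in by_subject or issuer in seen:
            return False, "missing intermediate: " + issuer   # the case the reporter hit
        seen.add(issuer)
        name = issuer


# Constructed usage: the names are placeholders, not real GlobalSign certificate subjects.
LEAF, INTER, ROOT = "CN=Example Publisher", "CN=Example Intermediate CA", "CN=Example Root CA"
```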

When we did not include the root certificate at some point in Gpg4win we had the problem that for users who never had contact with a GlobalSign certificate the installer would first show up as "Unknown publisher" and then, after a while, it would have downloaded the certificate and then it showed up as validly signed.

I just rechecked: we are actually not including the root certificate, but we are including the intermediate certificate. Since there never were any complaints about this, let us not change this. The original reporter must have somehow deleted the intermediate certificate, or it was with an older certificate from us.