Recent

Author Topic: Windows code signing miracle  (Read 342 times)

Nimral

  • Sr. Member
  • ****
  • Posts: 258
  • Keep it simple.
Windows code signing miracle
« on: December 05, 2022, 08:22:16 pm »
Hi all,

a customer of mine has complained that the executables (created using FPC/Lazarus) I have sent him were rejected by Windows (10/11) with a Windows message stating that this application was blocked because it could potentially harm his PC. I read through Microsofts pages about Authenticode code signing, and then eventually bought an "Extended Validation" code signing certificate for my company. It took almost 2 months and a quite bureaucratic validation process, but eventually I received the certificate.

Today I wanted to test it, I compiled a test exe using Lazarus, and put it on an USB stick in a signed and an unsigned version. I verified the signatures using Windows explorer, the signed version does indeed show a valid signature, while the unsinged version does not. Then I brought the USB stick over to a Windows 11 box, freshly installed yesterday using nothing but the defaults.

I expected the target computer to complain in any way, but it did simply and without any warnings execute the exe, the signed version as well as the unsigned version. I did then move the whole thing to a Windows 10 laptop, and got the exact same result: the "Smart" screen will let the unknown and "potentially harmful" program pass, regardless of whether it is signed or not.

I checked the Smart Screen settings on both machines, all protective features are turned on.

Anyone having an idea what's going wrong? Are - just stabbing in the dark - these features tied to whether a Windows machine is part of a corporate network or not? My test computers are all workgroup machines, while my customer has a full blown Active Directory environment.

Thnx, Armin.
Lazarus 2.2.0 on Windows 7,10,11, Debian 10.8 "Buster", macOS Catalina, macOS BigSur, VMWare Workstation 15, Raspberry Pi

KodeZwerg

  • Hero Member
  • *****
  • Posts: 961
  • Fifty shades of code.
    • Delphi & FreePascal
Re: Windows code signing miracle
« Reply #1 on: December 05, 2022, 08:34:19 pm »
When admin has configured gpedit.msc that only signed/signed from is activated, than the admin must have your signing data to add them to the rules.
« Last Edit: Tomorrow at 31:76:97 by KodeZwerg »

KodeZwerg

  • Hero Member
  • *****
  • Posts: 961
  • Fifty shades of code.
    • Delphi & FreePascal
Re: Windows code signing miracle
« Reply #2 on: December 05, 2022, 08:39:15 pm »
If it helps, here is a cool german tutorial video that I always use as reference to such topics around signing and restricting rules for signed.
Code-Signierung - Wie ihr eure Programme und Firma schützen könnt
Your questions answer is shown with beginning at 8:34, just watch the video and see what this guy is doing.
« Last Edit: Tomorrow at 31:76:97 by KodeZwerg »

PascalDragon

  • Hero Member
  • *****
  • Posts: 4880
  • Compiler Developer
Re: Windows code signing miracle
« Reply #3 on: December 05, 2022, 10:56:54 pm »
Today I wanted to test it, I compiled a test exe using Lazarus, and put it on an USB stick in a signed and an unsigned version. I verified the signatures using Windows explorer, the signed version does indeed show a valid signature, while the unsinged version does not. Then I brought the USB stick over to a Windows 11 box, freshly installed yesterday using nothing but the defaults.

I expected the target computer to complain in any way, but it did simply and without any warnings execute the exe, the signed version as well as the unsigned version. I did then move the whole thing to a Windows 10 laptop, and got the exact same result: the "Smart" screen will let the unknown and "potentially harmful" program pass, regardless of whether it is signed or not.

What had blocked your user is the so called Zone Identifier that is added to a file upon download through a browser (if the corresponding browser supports it; the Microsoft ones do as does Firefox, don't know about Chrome or others). This information is located in a so called Alternate Data Stream (ADS) which is essentially a file attached to another file (or directory) and is supported on NTFS and ReFS. You can see them when doing a dir /R in a directory with downloads (use cmd, not PowerShell):

Code: [Select]
c:\Users\Sven\Downloads>dir /R
{ snip }
05.12.2022  22:48        27.707.139 fpc-3.2.2.i386-win32.cross.arm-wince.exe
                                181 fpc-3.2.2.i386-win32.cross.arm-wince.exe:Zone.Identifier:$DATA
{ snip }

You can view the contents by e.g. opening fpc-3.2.2.i386-win32.cross.arm-wince.exe:Zone.Identifier in a text editor (like Notepad++; neither Notepad nor Lazarus support it however ::) ) or by using more < fpc-3.2.2.i386-win32.cross.arm-wince.exe:Zone.Identifier in a cmd shell:

Code: [Select]
c:\Users\Sven\Downloads>more < fpc-3.2.2.i386-win32.cross.arm-wince.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://sourceforge.net/
HostUrl=https://deac-ams.dl.sourceforge.net/project/freepascal/Win32/3.2.2/fpc-3.2.2.i386-win32.cross.arm-wince.exe

You can also see this if you right click on the download and look at the Properties: at the bottom of the General tab you'll see that the file had been downloaded and that you can allow its execution (allowing the execution will simply remove the Zone.Identifier ADS; the same is true when you allow the execution once after it has been blocked by Windows Defender).

Copying the file to e.g. a USB drive formatted with FAT will also remove that Zone.Identifier ADS, but a freshly compiled binary will not have that anyway.

So, to correctly test this you must download the file using a browser. Merely starting it from a USB stick is not enough.

 

TinyPortal © 2005-2018