
Add a publisher certificate for Windows binaries
Open, Lowest, Public

Description

What is wrong


There is no publisher (Swedish: Utgivare) designated when installing Huggle. It says Unknown (Swedish: Okänd). This is causing Windows SmartScreen (or whatever it is called) to try to put up a fight when installing this file.

How to fix

Resources

Event Timeline

Josve05a assigned this task to Petrb.
Josve05a raised the priority of this task from to Needs Triage.
Josve05a updated the task description.
Josve05a added a project: Huggle.
Josve05a added a subscriber: Josve05a.
Restricted Application added a subscriber: Aklapper. Jul 10 2015, 10:38 PM
Josve05a added a comment. Edited Jul 10 2015, 11:00 PM

We need a signing certificate (SSL?) for this; InstantSSL costs $179 / year. We could apply for grants from WMF and local chapters. I was also linked to https://en.sklep.unizeto.pl/data-safety/code-signing-certificates/open-source-code-signing.html which is for open source, and is only €14.

Josve05a updated the task description. Jul 10 2015, 11:08 PM
Josve05a set Security to None.

If you're willing to wait until September, Let's Encrypt will give you certificates for free.

Restricted Application added a subscriber: Luke081515. Jul 11 2015, 4:41 PM
Josve05a moved this task from Backlog to Need discussion on the Huggle board. Jul 12 2015, 9:02 PM
Reedy added a subscriber: Reedy. Jul 17 2015, 12:19 AM

> If you're willing to wait until September, Let's Encrypt will give you certificates for free.

For code signing?

Petrb triaged this task as Lowest priority. Jul 17 2015, 7:38 AM
Petrb added a comment. Jul 17 2015, 7:41 AM

Huggle is open source; both Microsoft and Apple are enforcing weird policies that are basically just forcing developers to pay huge money either directly to MS or Apple just so that they can publish the software the "right way". For the same reason Huggle isn't on the Apple market. I don't really see a point in having to pay money in order to distribute free software to others. Applying for a grant, so that I could take money from people who supported Wikimedia as a free movement and give this money to huge corporations who are draining money from everyone, including freeware developers, doesn't look like a good idea to me. Should there be a free service that provides this, we can use it, but until then, this isn't anything that can be easily solved.

> For code signing?

I'm not sure - I've never had to set up a certificate for anything yet. If it's not obvious from the website, then probably not.

Petrb added a comment. Jul 17 2015, 2:57 PM

Code signing usually works in the way that you have a public and a private key (or certificates), distribute the public key to a key server and sign the binary packages with the private one, so that it can be verified that the binary package really comes from you and not some hacker who did something evil.

You don't really need a certificate from a certificate authority for this; there is absolutely no point in that as long as there is some sort of certificate server you can upload your public key to. For example, both Debian and Ubuntu allow signing with certificates you create yourself on your PC. It's just Micro$$oft that requires commercial certificates that cost money. Both are equally effective, just the latter is expensive.

Huggle packages for ubuntu are signed and it works. With a certificate that is located on our build server and which I freely generated there. If Microsoft can't do this, it's their problem.

> If you're willing to wait until September, Let's Encrypt will give you certificates for free.

Let's encrypt is just for website SSL certs.

> Huggle packages for ubuntu are signed and it works. With a certificate that is located on our build server and which I freely generated there. If Microsoft can't do this, it's their problem.

Yes, if and only if the user installs your public key. The same is of course possible in Windows, and (as in Linux) requires an administrator to load the key in the key store.

Unizeto used to provide free certificates, but now charges a small (€18) fee. For that fee, they check your identity (so it covers their actual costs). Note that the publisher field would then not be 'Huggle', but e.g. 'Petr Bena - Open Source Developer'.
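The point made in the comments above (a self-generated key can sign a file, but Windows only trusts the signature once an administrator loads the certificate into the key store), as an added PowerShell example that is not part of the original thread or of Huggle's build scripts. The subject name and temp-file paths are constructed placeholders, a small `.ps1` file stands in for the installer, and SmartScreen reputation is a separate mechanism that this does not address.

```powershell
# Added illustration. Subject name and file paths are constructed placeholders.
# Run on Windows from an elevated PowerShell prompt (step 4 writes to LocalMachine stores).
$ErrorActionPreference = 'Stop'

# 1. Generate a self-signed code-signing certificate; the private key stays in the user store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Open Source Developer (self-signed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Constructed sample file standing in for the installer.
$target = Join-Path $env:TEMP 'signing-demo.ps1'
Set-Content -Path $target -Value 'Write-Output "hello"'

# 3. Sign it with the private key.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert | Out-Null

function Get-SignatureState([string]$Step) {
    $sig = Get-AuthenticodeSignature -FilePath $target
    [pscustomobject]@{
        Step    = $Step
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Message = $sig.StatusMessage
    }
}

$report = @()
$report += Get-SignatureState 'signed, certificate not yet trusted on this machine'

# 4. Export only the public certificate and load it into the machine trust stores.
#    This is the step that needs an administrator on every machine that should trust it.
$cer = Join-Path $env:TEMP 'signing-demo.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'
foreach ($store in $stores) {
    Import-Certificate -FilePath $cer -CertStoreLocation $store | Out-Null
}
$report += Get-SignatureState 'after an administrator trusted the certificate'

# 5. Any change to the file after signing invalidates the signature.
Add-Content -Path $target -Value '# modified after signing'
$report += Get-SignatureState 'file modified after signing'

$report | Format-List

# 6. Clean up: remove the demo certificate from every store and delete the temp files.
foreach ($store in ($stores + 'Cert:\CurrentUser\My')) {
    Remove-Item -Path "$store\$($cert.Thumbprint)"
}
Remove-Item -Path $target, $cer
```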

Restricted Application added a subscriber: Matthewrbowker. Oct 21 2015, 7:47 PM

Let's decline this?

EddieGP closed this task as Declined. Apr 10 2017, 10:39 PM
Petrb reopened this task as Stalled. Apr 12 2017, 11:42 AM

Declining a task doesn't solve it.

We can fix this, but only if there is a feasible way to get the key in order to sign the executable. Right now these need to be purchased for money. So unless someone sponsors it, our hands are tied. Or we can wait for a public service like letsencrypt to be launched that would allow this for free.

Framawiki renamed this task from Add a publisher to Add a publisher certificate for Windows binaries. Nov 3 2017, 12:50 PM
Petrb changed the task status from Stalled to Open. May 27 2018, 12:11 PM

ToBeFree at enwiki suggested "WMF to pay for it":

@Petrb: Hey, thanks for the quick reply. I saw that answer coming! How about letting the WMF pay it? As far as I know, they're sponsoring admission fees for photography projects, they invest a lot of money to keep all the tools/bots running; why wouldn't they fund a software certificate for a massively useful, widely used tool on multiple Wikipedias including enwiki? ~ ToBeFree (talk) 11:46, 27 May 2018 (UTC)

Honestly, I don't know what our options here are. If it really is possible for WMF to handle this somehow, I probably wouldn't object, but I don't even know where to begin, or who within WMF is responsible for this kind of stuff.

Hilfe @Aklapper :D

Restricted Application added a subscriber: RichSmith. May 27 2018, 12:11 PM
Petrb updated the task description. May 27 2018, 12:18 PM
Petrb updated the task description.
ToBeFree awarded a token. Edited May 27 2018, 12:39 PM
ToBeFree added a subscriber: ToBeFree.

Oh hey, thanks :)

Side note: Let's Encrypt, now that it is actually an active project handing out certificates, does explicitly not offer code signing certificates.

https://community.letsencrypt.org/t/do-you-support-code-signing/370

I think requesting a grant (e.g. through https://meta.wikimedia.org/wiki/Grants:Project/Rapid) is probably the easiest in terms of documented process. Unfortunately rapid grants are closed for another month, but it seems you can still submit a proposal. I would suggest proposing a three year certificate due to the overhead involved.

A lower overhead alternative could be asking your local chapter. Generally local chapters can more easily 'just pay' for these kinds of things. This does require you to have some contacts in the chapter organisation to be efficient.

Petrb added a comment. May 29 2018, 2:12 PM

> I think requesting a grant (e.g. through https://meta.wikimedia.org/wiki/Grants:Project/Rapid) is probably the easiest in terms of documented process. Unfortunately rapid grants are closed for another month, but it seems you can still submit a proposal. I would suggest proposing a three year certificate due to the overhead involved.
> A lower overhead alternative could be asking your local chapter. Generally local chapters can more easily 'just pay' for these kinds of things. This does require you to have some contacts in the chapter organisation to be efficient.

There is no "local chapter" for Huggle. It's a global tool, primarily originating from English wikipedia. I am myself not a member of any chapter either. If anyone should fund this it should be either WMF or crowd-collected by Huggle users.

Petrb updated the task description. May 29 2018, 2:15 PM
Petrb updated the task description. May 29 2018, 2:21 PM

I found this site, which is one of the few that actually display the price of a signing key: https://www.globalsign.com/en/code-signing-certificate/

It's $600 for 3 years (worse option) or $950 for 3 years (better option); not sure if we need the better option, I don't think so. Anyway, it seems to be way more expensive than 20EUR.

Petrb added a comment. May 29 2018, 2:24 PM

Question is if we really need such a feature if it really is so expensive (and only for 3 years anyway - and only for 1 platform). The money could probably be spent in a better way :/

I found that GoDaddy has them for $509/3 yr (a bit cheaper) - https://www.godaddy.com/web-security/code-signing-certificate or even cheaper with Comodo ($212.50/3 yr) - https://comodosslstore.com/codesigning.aspx Are these options or do we really need a $950 one?

Petrb added a comment. May 29 2018, 7:15 PM

It's important that the company that provides the certificates is already trusted by Microsoft, otherwise it would be pointless buying the certificate from them.

The difference on GlobalSign (which is trusted by Microsoft) is that with the more expensive option you get "Immediate reputation with Microsoft SmartScreen". Which is maybe the original issue in this task? The screen that says the software may be a virus is SmartScreen, or not?

I personally see this "security popup" as a very shady business of Microsoft and certificate corporations: the protection provided by certificates is relatively small, the work connected to the setup of a new certificate is minimal and the money charged for this simple service is massive. So I don't really support this very much under these conditions.

If the Huggle community really believes that having the executables signed is important and the community or WMF is willing to (repeatedly) pay this amount of money for a certificate, then I can of course incorporate such a certificate into the Windows binaries, but I am absolutely not willing to put my own money into this. I think $900 can be spent on better stuff than a certificate which is only needed during installation of Huggle (and just to hide some annoying popup from MS).

ToBeFree added a comment. Edited Jun 6 2018, 2:02 PM

212.50/3yr does not necessarily appear to be excessive to me, but that certificate does not offer "extended validation" (EV).

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

"Standard Code Signing: Provides standard level of identity validation, Requires shorter processing times and lower cost, Can be used for all Hardware Dev Center hardware dashboard services except LSA, and UEFI file signing services. In Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), standard code signing cannot be used for kernel-mode drivers. For more info about these changes, see Code Signing FAQ."

We're not building a kernel-mode antivandalism driver here, so I would have thought that this is sufficient. However, it seems that a "standard" certificate does not necessarily prevent the SmartScreen warning. If I understand correctly what various semi-reliable sources like StackOverflow users say, then only an EV certificate would "guarantee" removing the warning. Using a "standard" code signing certificate appears to start a process called "trust building", showing SmartScreen warnings to users until enough people decided to ignore the warning and continue anyway. Only if "enough" people do that, the warning will disappear for all users. I guess that Huggle will never have "enough" users to be able to make use of this process, and that a "standard" certificate might in the worst case not change our situation at all.

$900 is just crazy.

https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Domain-validated_certificates_were_created_by_CAs_in_the_first_place

Okay. What we need instead, then, is a good, easy-to-understand tutorial with screenshots, explaining how to install Huggle anyway.

Edit: I'm creating a simple 2-screenshot explanation right now, using Inkscape to create "screenshots" that can be freely used.

@Petrb Have you looked for government-issued certificates? My country's government does issue free personal ID certificates to identify electronically to government websites, email signing, etc. Code signing certificates are available (for a fee I think, have not checked). I see some European governments do so as well (some do cost, some others do not). Just an idea. Thanks.