Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows installer is not signed #42

Open
nielsvanvelzen opened this issue Dec 7, 2019 · 13 comments
Open

Windows installer is not signed #42

nielsvanvelzen opened this issue Dec 7, 2019 · 13 comments

Comments

@nielsvanvelzen
Copy link
Member

Describe the bug
The Windows installer is not signed causing Windows to prevent running the installer (unless you click on "Run anyway", which is hidden by default)

To Reproduce

  1. Use Windows (I have Windows 10 1909)
  2. Go to "Windows Security" app
  3. Go to "App & browser control"
  4. Make sure "Check apps and files" is not off
  5. Download & run installer

Note: After accepting it once the warning will not popup again

Expected behavior
Ideally the installer should be signed with a trusted authority so Windows trusts the installer

Logs
No logs yet available

Screenshots
image

System (please complete the following information):

  • OS: Windows 10 1909
  • Browser: -
  • Jellyfin Version: 10.4.3 (same issue on 10.4.2)
  • Installed Plugins: -
  • Reverse proxy: None

Additional context
I think a lot of users that don't have a lot of technical experience that want to use Jellyfin would just not use it after encountering this warning.

@jtc42
Copy link

jtc42 commented Dec 7, 2019

My understanding is that unless you distribute via the Microsoft Store, signing certificates cost a nontrivial amount of money, and even then will only remove this warning after a certain number of installs. Is this correct? I'm having the same issue with a work project, and so far we've found no good alternative to just paying money we don't really have to make a warning go away.

Perhaps this is something for the Open Collective page?

@anthonylavado
Copy link
Member

@jtc42 Could you share any information links you’ve got? My understanding is that yes, it’s $$$$.

@jtc42
Copy link

jtc42 commented Dec 8, 2019

I came across this for an electron app, so I first got information from here: https://www.electron.build/code-signing#windows

Microsoft docs seem to focus on drivers, but it seems to be the same, see: https://docs.microsoft.com/en-gb/windows-hardware/drivers/dashboard/get-a-code-signing-certificate?redirectedfrom=MSDN

An example certificate seller: https://www.digicert.com/code-signing/

@dkanada
Copy link
Member

dkanada commented Dec 8, 2019

@jtc42 is it a one time fee or a licensing thing that would be a yearly cost or something?

@jtc42
Copy link

jtc42 commented Dec 8, 2019

I haven't looked into it for a while, but IIRC they're almost all annual cost.

We found 2 alternative solutions. One, distribute through the app store. The whole process is free, but you do have to contend with extra limitations which may be an issue for Jellyfin. The other option is to distribute through something like Chocolatey.

If anyone knows of a different solution, I'd love to know, as well as it being useful directly to Jellyfin.

@anthonylavado
Copy link
Member

I think there's someone that bundles us in Chocolatey these days, it might be worth setting up an auto-publish of our own at some point.

I looked into the licensing, and the cheapest was something like $366 USD/yr, and that doesn't even completely remove the warning... Suddenly Apple's $99 USD/yr sounds way more reasonable

@anthonylavado
Copy link
Member

anthonylavado commented Jan 4, 2020

So at this point, solving this one costs money. Here's the article I read a while ago:
https://comodosslstore.com/resources/what-is-microsoft-authenticode-code-signing-certificate/

We're easily looking at at least $300/yr, and that's even if we buy three years upfront. At least there are ways to accomplish the signing using Azure DevOps, but then that means moving our custom build process there. Here's some reference on it: https://www.twelve21.io/sign-a-dotnet-core-assembly-in-an-azure-devops-build/

Some more reference: https://mkaz.blog/code/code-signing-a-windows-application/

This item will be on hold until we can come to an agreement internally on it.

Edit: I totally forgot that we currently build the Windows installer for Jellyfin on Azure, so we could in theory do this.

@anthonylavado anthonylavado transferred this issue from jellyfin/jellyfin Nov 23, 2020
@anthonylavado
Copy link
Member

Looking at this again in 2021, it's still not a great situation. Apparently we can get either a reasonably priced individual certificate, or an EV certificate. Both will sign the code, but the individual certificate requires the software to reach an unspecified download threshold before it is trusted. This counter also resets with each release, so every update we issue would require building trust again. Only the EV certificate will bypass the initial trust mechanism.

The EV certificate also requires a hardware key, which means we wouldn't be building in the cloud, which is an issue for us to release easily in a distributed fashion (since we are all remote from each other).

That said, I don't think there's any easy way of bypassing this with our traditional install method. The only thing I could think of is trying to do some sort of "installer client" that is signed, and then that goes and downloads a payload with the next thing to execute. I think this is how Emby handles it right now, and I haven't looked at Plex in a long time (though they've probably ponied up for EV and do something to handle it).

Here's a recent-ish updated page on the whole thing: https://security.stackexchange.com/questions/139347/smart-screen-filter-still-complains-despite-i-signed-the-executable-why

@joshuaboniface
Copy link
Member

That said, I don't think there's any easy way of bypassing this with our traditional install method. The only thing I could think of is trying to do some sort of "installer client" that is signed, and then that goes and downloads a payload with the next thing to execute. I think this is how Emby handles it right now, and I haven't looked at Plex in a long time (though they've probably ponied up for EV and do something to handle it).

This would explain how a lot of modern installers work. Maybe we should do this.

@EraYaN
Copy link
Member

EraYaN commented Mar 11, 2024

You'd think some of the installer vendors have solved this problem and it "should" be fairly easy. I know that for the WiX toolset version 3 this was a build-in feature basically with a bootstrapper that didn't really change and a web repo with some files on it and some hashes, I think you could even sign the hash file. Not sure if someone has solved this for NSIS. Might be worth a look.

@anthonylavado
Copy link
Member

Looking now in 2024, it appears that code signing must now take place with a hardware-based token module, in order to meet changes in rules from the CA/Browser Forum. These took effect in July 2023.

There are some possible solutions using cloud keylocker solutions. Lots of discussion about it in this Electron repo: electron-userland/electron-builder#7605

They mention this particular help doc from DigiCert: https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/script-integrations/github-integration-ksp.html

I haven't read the Electron issue extensively, but it's worth noting that the DigiCert solution would cost approx. $780 USD/year for the KeyLocker hosted variant, of the OV certificate.

It's worth mentioning that the above comments about reputation still apply. Organization Validation (OV) is cheaper, but requires an unspecified number of installs of a particular application to build trust. Extended Validation is more expensive and requires stricter identity checks, but then gets to bypass part of the reputation build to be trusted by SmartScreen.

If there's a cheaper solution and enough demand, we may consider it. Otherwise no one else, even Apple, charges this much. It's wild.

I'd also like to avoid the headache of building a "bootstrapper" to have a trusted installer process, because then there's an online and offline installer to maintain, as well as likely switching to a new installer tech.

@tbrockman
Copy link

@anthonylavado have you looked into SignPath? I haven't done extensive digging, but it seems like they exempt their fees for approved open-source projects.

@EraYaN
Copy link
Member

EraYaN commented Jun 11, 2024

It might still be easier to have someone recreate the installer in say WiX to use their bootstrapper stuff for example if NSIS doesn't support that. At that point it will be mostly a solved problem even if it is unsigned.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants
@anthonylavado @EraYaN @nielsvanvelzen @joshuaboniface @jtc42 @tbrockman @dkanada and others