How to manage Signing certificates for multiple locations - visual-studio

I am working for a remote client (They're in US and we're in Canada) and we are developing a Windows client. We are going to have them purchase an EV certificate so we can digitally sign the app.
We've done this in the past with non-EV certificated but from what I've read, EV certificates keys come on a physical USB device. I contacted ComodoSSL to see if we can get more than one as I see there being a big risk (And cost) for shipping the key back and forth. They said that can only issue one.
I will be the only one using the key to sign the app but I don't feel comfortable with the client not having a backup.
I'm sure I'm not the only one to have run into this situation and was looking for some feedback as to how others handle this without purchasing an HSM?

Related

Distributing Windows Application - browser and antivirus problems

We have Windows application (MSI install package), downloadable from our site. The problem is, that browsers and 3rd party antiviruses prevent some users from download an APP. Is there a way to make our MSI package more trustable for browsers and antivirus? Maybe it can be checked and uploaded in some other resource, and downloadable for users from here?
P.S. We use code signing certificate, and Windows store is not a variant for us now.
Reputable anti-virus vendors have a way you can send your installation packages to be "whitelisted". Browsers have their own heuristics and using an EV certificate (more expensive) is supposed to help. Edge also supposedly respects the Defender whitelist.
Ultimately, the more downloads you get, the better your URL's reputation, the better you pass the heuristics.
We've been building and releasing the same application for almost 20 years and AV false positives can still create problems. This is how we do it today:
After each release, we scan our new setup on https://www.virustotal.com/gui/home/upload and if we notice any AV vendors flagging it we reach out to each of them and submit a request for false positive removal. They all have some form or email address where you can contact them.
They usually process these requests in a few days, so no real big problem for our users and doesn't take a lot of time.
Now, with SmartScreen, there is another story. Even if our package was digitally signed for over a decade, 2 years ago when we renewed our certificate Windows flagged our installer for about 2-3 months.
This was an installer with hundreds of thousands if not millions of users in the last decade. In the end, its reputation system got back to normal and stopped flagging it but it was really annoying for our customers.
The solution to this is to buy an EV certificate (confirmed by some of our customers) and then you will get an instant reputation with SmartScreen. This Spring our normal certificate expires and we will go the EV route too.
You can read more about digital signing and EV certs in the following articles:
Why EV Code Signing? EV Code Signing vs. Regular Code Signing
How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning

Is there a way to SmartScreen-whitelist a .exe by Microsoft? (without an EV certificate)

Microsoft SmartScreen, well-known for its message:
Windows Defender SmartScreen prevented an unrecognized app from starting
is useful for end users to avoid malware, but can also harm indie developers because when they distribute binaries: the end users see frightening messages, and that is a problem for the developer's reputation (see someone's comment "My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales"):
Smart-Screen filter still complains, despite I signed the executable, why?
Even with a paid certificate, if software-release1.0.1.exe is finally whitelisted, when you release software-release1.0.2.exe update, the messages will come again:
Transferring Microsoft SmartScreen reputation to renewed certificate
The only solution seems to be Extended "EV code signing" which can be 300-500$ per year (this fixed fee makes the tax % higher for small indie developers).
Question: is there a way to get a .exe whitelisted immediately (or a few days) for all users - and not only on my own computer - by submitting it to Microsoft for analysis?
I have seen this link: https://www.microsoft.com/en-us/wdsi/filesubmission, has someone been able to use it successfully to avoid further SmartScreen alerts? (it seems that no).
Are there other methods? Such as automatically deploying 100 VMs via an automated script, and let each VM download and install the .exe automatically? But this would probably be from the same IP, then Microsoft will probably increase the reputation counter by +1 instead of +100?
As you said in your question, the first solution for having trusted software is code signing with EV certificate But, another tricky solution is increasing reputation of your software. As Microsoft said here :
Reputation-based URL and app protection
If a URL, a file, an app, or a certificate has an established
reputation, users won't see any warnings. If, however, there's no
reputation, the item is marked as a higher risk and presents a warning
to the user.
So in the last paragraph of your question, you mentioned about creating mass docker containers or virtual machines for increasing trust and reputation. I complete it with a solution for same IP address in each VM or container.
The solution is using TOR as a proxy in all of your VM's or containers.
With using tor you can create proxy which is connected inside TOR network and hide your real IP address in your virtual machines or containers. Tor is free for use and you can connect your nodes to it's network as many as you want and change your IP address frequently. Also it is better to have different version of windows in some of your VM's. Remember before that you must submit your software for malware analysis,

How to sign code in the cloud after the new 2017 rules?

It has come to my attention that code signing certificates are from now on required to be paired with physical tokens.
The Minimum Requirements specify that CAs shall ensure stronger protection for private keys. As such, all Code Signing Certificates, not just Extended Validation level, will require a USB token starting on January 30, 2017. With this, all New and Renewal Standard Code Signing orders will be sent a USB token to store the certificate and protect the private key. Also, all standard Code Signing products except for EV Code Signing will be integrated to one “multi-platform” Code Signing Certificate.
Note: Reissues of existing Code Signing Certificates (issued prior to 30 January 2017) will not require a token right away. However, this is subject to change.
As someone who uses a cloud-only workflow, this raises an obvious concern for me - I cannot just plug this USB token into "the cloud".
Do I understand it right that I will from now on need to set up a separate on-premise code signing process? Or is there some possibility remaining for signing code in the cloud? What are the expectations I should have for working under the new rules?
Based on the article you linked it sounds like you will absolutely need to provide your build system access to a USB key in order to sign your artifacts. As you mention the obvious solution (and probably what Microsoft is attempting to encourage) is to set up an on-premise build system that gets used exclusively for code signing.
From a security point of view this is probably the best option since you could harden that machine both in terms of software but also in terms of hardware (e.g. locked in a closet in your work area). But this might also not be realistic depending how your build system is set up.
Your other option is to use a USB forwarding solution to forward the USB key to your cloud environment. There are a lot of ways to do this and the best one is going to depend on what you're building and on what operating system(s) but here's a rundown of some options:
Linux systems - USB/IP - This is a kernel module and userspace application provided with a good number of Linux distributions (it's a mainline module, but not always included). This lets you take a local USB device and forward it over the network to another Linux machine. I've had pretty good luck with this but setting it up the first time can be a little tricky.
Windows Systems - RemoteFX forwarding over RDP - On newer Windows systems (Windows 10, Server 2012 R2+) Remote Desktop supports USB redirection natively. You can simply forward the USB key through a RDP session. This would require you to remain connected at all times while building though.
Windows Systems - Third Party Software - There are several third party USB forwarding solutions available. For instance this one. Some of these have the advantage of being able to run without requiring an active desktop session.
The gotca with all of these solutions is that if the USB token is designed to actively prevent this (or is somehow otherwise incompatible with forwarding) it may not work. Some license keys for instance will check to make sure the timings to/from the computer are within a certain tolerance for instance. In those cases the added latency from the cloud to your machine would cause the token to not work. It'll all depend on the USB key you get sent.
The whole point of policies like this is to prevent you as the keyholder from accidentally losing control of your key material by giving you something you must physically possess in order to use your key. Cloud build systems are convenient but tend in general to have a much wider security landscape which makes securing keys trickier than on-site systems. It looks like Microsoft and your CA are attempting to prescribe how keys are being handled.

Why is Windows Smart Screen suddenly 'protecting' PC since purchased new certificate

So I had a certificate from Comodo and bought via KSoftware that I use to sign my software so it does not generate a warning when users download it, this has been working fine but the 2 year certificate expired last month. I purchased a new certificate last week and applied to a new version of my application but now when I download it warns me unknown publisher, and wierdly when I click on more info it shows my full address instead of just my company name JThink.
I have looked at my old and new certificate in browser and noticed I had Jthink ltd in old certificate and JThink in new one, would this cause an issue ?
Update
Comodo tell me there is a period of time before Microsoft start accepting new certificates and it would still be a problem even if the company information was identical because the certicate no is different.
Is this true, and what length of timescale are we talking about here ?
You need to just wait some time. Windows collects different data for your new certificate (total downloads count, etc.) and in some near future (depends on downloads rate) it will mark it as white listed (if it's all OK). And all your downloads signed using this new certificate will not be blocked anymore.
The same mechanism applies (as I think) on downloads without certificates at all. Windows collects the file reputation and after some critical amount of "good-experience" downloads it marks the file as OK. The same logic applies to certificates. Thus you do not need to wait anymore if your certificate has a "good reputation".
You need to use Extended Validation Code signing certificate which provides more trusted security certificate for your Windows binary. Regular code signing certificates are not validated by Windows smart screen protection.
I had the similar issue when Windows 10 was released with Windows smart screen protection with more advanced security features.
https://www.digicert.com/code-signing/ev-code-signing.htm

Enterprise account expired - all certificates deleted

I have a client who forgot to pay for their enterprise account and therefore their apps stopped working, as expected.
However, one would think that it should be sufficient to just start paying again to be able to use the apps as before. But as it seems, all certificates in the apple developer portal are now deleted?!
Is this expected behaviour or will they show up after some time again?
As it is now, we will have to rebuild all apps again with new distribution certificates. Is this the solution?
Short answer to your question:
I wouldn't expect the certs to automatically reappear. I recommend opening a support incident with Apple. Since the account was recently renewed, you should have two incidents available.
There's this section of the App Distribution Guide which talks about re-creating deleted certificates but I'm guessing it's more geared toward iTunes distributed apps and circumstances where certificates (private keys) are deleted but not revoked at Apple's CA.
Instead of recompiling your apps, you might be able to instead push out updated Provisioning Profiles and Certs. See below for more details.
Additional info:
It makes sense that Apple would revoke Enterprise certs upon membership expiration since that's the only way they could force apps to stop working. Since Enterprise apps stop working when either the Provisioning Profile or the Certificate expire, Appple can't push out an expired Provisioning Profile, and there's no in-app check for a Profile either (which is why if you delete your Profile in the developer portal, it won't affect any already downloaded/installed apps), which leaves the only other option: revoke the certs. The affected apps stop working once they sync with Apple's CA. Devices without connectivity will continue working until the Profile expires.
It may be possible to remove your certs from the Certificate Revocation List (CRL) but Apple support would be your only likely resource to help with this.
If you're out of options for re-enabling your old certs, you can update the Provisioning Profiles (and I think Certs) and push that out without recompiling all your apps. Also, if you use wildcard App IDs, an update to one app Provisioning Profile will apply to all installed apps that share that App ID.
If your users' devices are managed via MDM, it's possible to push updated provisioning profiles via MDM, and according to this post, via Device Enrollment Program (DEP). I thought I read a while back that you could also update provisioning profiles from a desktop/laptop to a connected device using iTunes - not sure where that is now. I don't know if it's possible to direct users to a link to update the Profile OTA like they would install an app.
I hope this helps in some way. Please let us know what happens - I fear the same could happen to me, whether a cert is deleted by Apple or a haphazard developer.

Resources