Code signing certificate for Far Manager

[sensboston]

I want to help Far group obtain a code signing certificate for the Far Manager binaries and installation package from CERTUM, I'm ready to donate €28.00. But there are some requirements for this certificate:

• person who create Far Manager builds should have smart card or USB authentication token like this one
• I can send you a money via PayPal only so you should have PayPal account
• you need to create account on CERTUM, and provide 'em documents during certification process (like a photocopy of passport or drivers license etc.)

If you guys interested, please let me know. I believe this such an useful and popular application must have trusted certificate (CERTUM is in the Windows' trusted root certification authorities)

[drweb86-work]

Я был бы за подпись сертификатом тоже как сетапа - от которого винда воротит нос, так и приложенек. USB конечно, выглядит стремновато - есть варианты и без него, но дороже. И готов тоже финансово поучаствовать.

[sensboston]

USB конечно, выглядит стремновато

USB выглядит не "стремновато": у меня такой есть, работает "искаропки", софтвер профессиональный и внятный, и, что самое главное, 100% совместим с CERTUM-ом (только нужно записывать сертификат из под IE или Edge; из под Chrome не работает - но это у CERUM-а на сайте написано).

[alabuzhev]

Guys, thank you for your willing to donate, but it's not about monetary cost. People already offered to pay for the certificate in the past, but nobody in the group wanted to be bothered with accounts, auth tokens, documents etc. only to make UAC or antivirus happy.

[sensboston]

Alex, it's not about "make UAC or antivirus happy" but also extra-level of protection (and - probably - if MS will enforce this policy in the future, it will have a good affect to the whole "Windows PC world" security). However I've got and understood your point; only my 2¢ - whole procedure isn't scary or overcomplicated, I've done it many times in past (and already wrote an article about on habrahabr).

[drweb86-work]

В общем, если вдруг станет интересно. То обращайтесь. Я когда-то подписью занимался как кода так и сетапов.

На билд сервер копируется сертификат и пароль в какую-нибудь папку. Скрипты сборки модифицируются, что мол если есть папка, то делается проход по каждой dll-ке и exe-шнику и оно подписывает сертификатом после. А потом тоже для сетапа делается.

[michalzobec]

Hello guys,

as wrote @sensboston this is not about uac and antivirus. correctly signed executable and dll it's signals to end users your application that is safe. this is important and more easy if we work with infected/hacked OS. signed with correct signature file are clean ... and FAR is free file manager, so I distribute it in corporate networks. actually I must create my own package with my signatures. so if you will sign FAR for future is repackaging for me will be more easy. ;)

[bitraid]

You will need the much more expensive EV code-signing certificate if you want the binary to get automatic "reputation" and not get flagged by Windows SmartScreen. I also don't think it's ~~not~~ worth the trouble for an advanced tool like Far. BTW signed malware do exist, here is a paper on it: http://users.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf

[michalzobec]

@bitraid

I describe practice in corporation environment with AppLocker (AppLocker is NOT SmartScreen). I can make my self package, and I can digitally signed it.

I was just trying to explain the reasons why some people wanted it.

You can use my information as you want. It seems to me that you're just looking for reasons not to do it.

[bitraid]

I just expressed my opinion - i have no call on this.

[smalgin]

Is anyone working on this? Will test/donate as needed.

[alexk111]

@alabuzhev Thank you guys for not signing Far Manager! Every code-signed app is a brick into building yet another monopoly solely deciding what apps have the right to exist and what is the price for this right. We already have examples of what happens when developers don't care about requirements set by platforms and silently keep doing everything they tell them to do. First they just warn users about running unsigned apps, then they block unsigned apps and incentivize app distribution thru their store, and after a few more iterations stories about devs begging them to return the app to their store become the norm.

[saelic]

Having a digital signature today should be considered as a norm. It has nothing to do with any monopoly or other corporate-driven shit. It is all about security of users using the program and the availability of such signatures in the case of such critical project like Far - where it is used on critical systems for managing critical data - is a priority. Especially when there are users who want to provide financial support for this.

Firstly, the Authenticode signature (i.e. this attached to the EXE, DLL and MSI files) is good first step - for all of the reasons listed above, plus user have the ability to react when integrity of the file has been violated.

Secondly, in our case where Far is also distributed as archive, the GPG signature should be provided. This is cost-free, all you have to do is grab GPG4Win, generate key, sign file and publish the public key and signature. As I've seen, the commits to the Far repository are "Verified", so it implies that Authors are using GPG right now.

Programs like Total Commander, WinSCP, PuTTY, KeePass or Notepad++ are all digitally signed - all with Authenticode, and the last three also with GPG. I've personally provided support to the Notepad++ project to make GPG signatures available - see https://github.com/notepad-plus-plus/notepad-plus-plus/issues/2524

I can also provide support for you if such is needed.

[smalgin]

I second this. Having your package signed has nothing to do with the App Store of any kind. It is simply a good manners nowadays. Btw since this issue appeared, signing became supported by most CI pipelines.

[alexk111]

Having a digital signature today should be considered as a norm.

Agree.

It has nothing to do with any monopoly or other corporate-driven shit.

It's exactly about "monopoly or other corporate-driven shit" when the code is signed with Authenticode (signatures for the OS provided by the same OS makers). Code signatures should be separated from OS, otherwise it brings tons of shit. Apple is a good example of what happens when OS owner has the monopoly control over the code signing for their OS.

the GPG signature should be provided

This is the only signature needed. It does allow to verify that the code originates from software devs and it doesn't damage the software ecosystem.

[saelic]

It's exactly about "monopoly or other corporate-driven shit" when the code is signed with Authenticode (signatures for the OS provided by the same OS makers). Code signatures should be separated from OS, otherwise it brings tons of shit. Apple is a good example of what happens when OS owner has the monopoly control over the code signing for their OS.

I'm not interested in Apple's toys, so don't know what's happening in that kindergarten. What you probably have in mind is the idea of "App store" which is present in Windows since Windows 8 and I totally agree that having monopoly over which programs are allowed in your system is sick. But it's not what we are discussing here, we are talking about technical aspects.

The mechanism of Authenticode is present in Windows since Windows NT 4.0 (as far as I remember) and it allows developer to attach an digital signature of his choice to the executables. It is possible to add signature signed by any Certificate Authority - even non-public, self-signed - there are no restrictions. As it uses the Windows Certificate Store, it solves the problem of validating public key origin - to the extent which PKI provides. It makes possible to validate file authenticity "out-of-box", without any external software. This is useful both for programs, as well for drivers. It is also useful for AntiVirus programs and mechanisms like AppLocker - as mentioned earlier.

In conclusion, Authenticode should be viewed as built-in "Digital Signature System/Validator" and that's a good thing which should be used - as it is today by overwhelming majority of software publishers.

[drweb86]

In a company where I work its not possible to run anymore unsigned setups. And I found a workaround - download Far as archive and overwrite files above. While it works as a workaround, I still want to bring attention to that.

[sensboston]

Getting back to the issue I've opened almost 5 years ago: fortunately, M$ haven't enforced unsigned apps policy but it's not an issue in that case. I'm using Far Manager daily for my business and custom purposes; I do love that great app but can't support dev team 😢

So, my initial intent wasn't "improve Far Manager customers experience", of course not! I do trust Far Manager team; only what I wanna do, it's provide my support & appreciation (since you don't have any donation site).

I should repeat my proposition: let's Far Manager dev group choose any affordable and comfortable code signing provider (Poland CERTUM, unfortunately, not of this kind now); I'll be glad to donate to Far Group devs for obtaining code signing certificate, or just a few six-packs of good dark & strong beer, or please name it!

I think, many your customers will do the same - you guys are great! Thank you very much for the great software!