selenium icon indicating copy to clipboard operation
selenium copied to clipboard

Published 20 hours ago • verified publisher icon SeleniumHQ

[🚀 Feature]: Digitally Sign Selenium-manager.exe by the publisher

Open rsingh2023 opened this issue 1 year ago • 13 comments

Feature and motivation

Hi , Some of our application developers are using selenium-manager.exe executable and due to security implications we have to allow this file in AppLocker exclusions. This was added as File Hash however for some reason every moth the file hash is changing where we have to readd the file hash, but this is wasting a lot of time until our IT team is able to pick it up and actions.

Due to inconsistent location of the file path we cant use that and also not an approach our security team wants to take so the only option which would be less painful and also more secure way of doing it is to add the Publisher in the Applocker exclusion however this cant be done as the selenium-manager.exe is not digitally signed by publisher.

Is there any reason why this file is not being signed yet or any plans of implementing this in the near future?

Usage example

This simply allow us to be able to exclude the file in AppLocker policy in more secure way.

rsingh2023 avatar Oct 12 '23 06:10 rsingh2023

@rsingh2023, thank you for creating this issue. We will troubleshoot it as soon as we can.

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

github-actions[bot] avatar Oct 12 '23 06:10 github-actions[bot]

It requires certificates and licenses we don't currently have, but we're looking into it.

The file hash changes with every release because it is different binary with new functionality on every release.

titusfortner avatar Oct 12 '23 09:10 titusfortner

I would also like to have the selenium manager digitally signed. The company I work for is also tightening security policies using AppLocker.

Trigtrig avatar Oct 18 '23 10:10 Trigtrig

@titusfortner is there any workaround this issue while we wait for the fix to be deployed?

vikramtechforall avatar Dec 15 '23 15:12 vikramtechforall

We are working on this. Right now, we are working with SFC (the foundation who owns Selenium) to get a tool to sign the binaries. So it is not all technical, there is some paperwork involved. We will post updates when we have them.

diemol avatar Dec 15 '23 15:12 diemol

any update on this?

HernJer avatar Feb 01 '24 15:02 HernJer

SFC told us a week ago that they have a tool to sign, but they need to finalize some details.

diemol avatar Feb 01 '24 15:02 diemol

was this resolved with v4.18?

ericodland avatar Feb 21 '24 18:02 ericodland

We are still waiting on SFC. @pono do you have any more updates?

diemol avatar Feb 21 '24 20:02 diemol

We are still waiting on SFC. @pono do you have any more updates?

@diemol any updates on this with v4.19?

ericodland avatar Mar 29 '24 13:03 ericodland

@Pono said they already have the hardware piece and it will be sent to someone in the project in the next days. Hopefully in 4.21 we can have it.

diemol avatar Mar 29 '24 13:03 diemol

@diemol Quarantine of malicious file (C:\Users\md.cache\selenium\manager\0.4.21\selenium-manager.exe) failed. I am using Cisco Secure endpoint. I have had no problem until 4.21

mesutDalgic avatar May 20 '24 08:05 mesutDalgic

We are still waiting for the device to sign the binary digitally.

diemol avatar May 20 '24 08:05 diemol