💡 Digital Signature for cloudflared.exe
Describe the feature you'd like: Add a digital signature to the precompiled version of cloudflared.exe.
Describe alternatives you've considered: I don't believe there are alternatives.
Additional context: cloudflared.exe is commonly abused by ransomware groups for tunneling. Often it's also renamed.
Adding a digital signature and providing the Original Filename field would allow security teams to identify the executable on endpoints (renamed or not) when used by a low-skilled adversary. Currently, only comparison with known hashes is possible, as can be seen in https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml, which can be prone to errors as it needs to be manually kept up to date.
It's also common practice by other tools providing similar functionality.
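The difference between the two detection approaches described in the request above, as an added example that is not part of the original issue or of any Cloudflare or Sigma code. It uses Sysmon Event ID 1 field names (Image, OriginalFileName, Hashes); the events and hash values are constructed, and it assumes a future build would embed `cloudflared.exe` as its OriginalFileName.

```python
import ntpath

# Assumption: a signed build would carry this OriginalFileName in its PE
# version resource; the issue says current builds do not.
EXPECTED_ORIGINAL_NAME = "cloudflared.exe"

# Constructed placeholder digests standing in for a manually maintained hash list.
KNOWN_HASHES = {"SHA256=" + "A" * 64, "SHA256=" + "B" * 64}

# Constructed process-creation events using Sysmon Event ID 1 field names.
EVENTS = [
    {"Image": r"C:\Program Files\cloudflared\cloudflared.exe",
     "OriginalFileName": "cloudflared.exe", "Hashes": "SHA256=" + "A" * 64},
    {"Image": r"C:\Users\Public\svchost32.exe",   # renamed, hash is on the list
     "OriginalFileName": "cloudflared.exe", "Hashes": "SHA256=" + "B" * 64},
    {"Image": r"C:\ProgramData\updater.exe",      # renamed, release not yet listed
     "OriginalFileName": "cloudflared.exe", "Hashes": "SHA256=" + "C" * 64},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Hashes": "SHA256=" + "D" * 64},
]

def image_name(event):
    """File name the process actually ran under, lower-cased."""
    return ntpath.basename(event["Image"]).lower()

def renamed_by_hash(event):
    """Current approach: a listed hash running under a different file name."""
    hashes = set(event.get("Hashes", "").upper().split(","))
    return bool(hashes & KNOWN_HASHES) and image_name(event) != EXPECTED_ORIGINAL_NAME

def renamed_by_metadata(event):
    """Requested approach: embedded OriginalFileName differs from the name on disk."""
    original = (event.get("OriginalFileName") or "").lower()
    return original == EXPECTED_ORIGINAL_NAME and image_name(event) != original

def detect(events, rule):
    """Return the Image path of every event the rule flags."""
    return [e["Image"] for e in events if rule(e)]

if __name__ == "__main__":
    print("hash list:", detect(EVENTS, renamed_by_hash))
    print("metadata :", detect(EVENTS, renamed_by_metadata))
```

The hash rule misses the third event because its digest was never added to the list, while the metadata rule flags it without any list maintenance. Version metadata can be edited, but on a signed binary that edit invalidates the Authenticode signature, which is itself a detectable condition.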
Agree with the above, this really needs to happen from a cyber security perspective.
As a note for the Cloudflare team, Microsoft now has Trusted Signing Accounts (Azure) specifically designed for code signing. It's fairly cheap and designed for being run in CI/CD environments. The certificate is valid for 3 days, and the timestamping is what keeps it valid.
While you may prefer to go with a more traditional code signing certificate and stuff, I also know you guys really like short term certificates with quick expiration ;)