
Windows gifski.exe with a digital signature - ronjouch
https://github.com/ImageOptim/gifski/releases/tag/0.8.3
======
pornel
That's me!

I was incredibly salty about this. I didn't name the CA, because they're
actually nice to have reduced price for Open Source projects, but Microsoft
really needs to drag the whole process into the 21st century.

The process and infrastructure reminds me very much of TLS before Let's
Encrypt. If this is something that every developer needs to do for every exe,
it can't be like getting an EV certificate for a Netscape Server. I thought
Apple's often-buggy signing was bad, but at least they've tried to make it a
one checkbox paid for in a straightforward transaction.

I would have signed with SHA-2, which for an inexplicable reason is not the
default despite the deprecation, but my signtool crashed when I enabled it.

~~~
electroly
That CA took you for a ride. My open source Windows projects are signed, too.
No smart card, no PIN when signing, no special software. I did have to provide
some identity information and a photo, but identity verification is the
service that CAs are expected to perform here. You would have had a better
time with a different CA.

~~~
caseymarquis
There have been recent changes in Microsoft's policy which now require a
physical device to be used for signing. It's a giant pain. They alluded to
cloud based services for signing, but other than Symantec's Enterprise
offering (no listed price on their site), this doesn't really exist. I think
MS needs to step up and provide a simple cloud based signing service. They
should have waited to do this before forcing these changes.

~~~
Boulth
That's not correct. Smart cards are required only by EV Code Signing certs.
This is not it, this is regular code signing cert. And there is no reason to
panic. While the author sees warnings now it's because the cert is fresh, it
will gain reputation over time and be trustworthy.

Just remember to timestamp while you sign!
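
Both points above, signing with a SHA-2 file digest and timestamping at the same time, as one added PowerShell example. This is not code from the thread or from the gifski project: the binary path, the certificate subject and the timestamp server URL are placeholders, and the certificate is assumed to already be installed in the current user's personal store (for a smart card the same cmdlets work once the card's CSP has been installed).

```powershell
# Added example: sign an .exe with a SHA-256 file digest and a timestamp,
# then verify the result. Placeholders (not from the thread):
#   $Exe     - path of the binary to sign
#   $Subject - subject name of the code-signing cert in the user's store
#   $Tsa     - the CA's timestamp server URL
$Exe     = 'C:\build\gifski.exe'                 # placeholder
$Subject = 'CN=Example Publisher'                # placeholder
$Tsa     = 'http://timestamp.example.invalid'    # placeholder, use your CA's TSA

# Pick the code-signing certificate from the current user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject } |
        Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with subject '$Subject'" }

# -HashAlgorithm SHA256 selects the SHA-2 file digest the thread says should
# have been used; -TimestampServer adds a countersignature so the signature
# can still be validated after the certificate itself has expired.
$result = Set-AuthenticodeSignature -FilePath $Exe -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $Tsa -IncludeChain All
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Verify: the status must be Valid and a timestamper certificate must be present.
$sig = Get-AuthenticodeSignature -FilePath $Exe
"Status:      $($sig.Status)"
"Signer:      $($sig.SignerCertificate.Subject)"
"Timestamped: $($null -ne $sig.TimeStamperCertificate)"

# Equivalent with signtool.exe from the Windows SDK (/tr is an RFC 3161
# timestamp server, /fd and /td select SHA-256 for the file and timestamp digests):
#   signtool sign /n "Example Publisher" /fd SHA256 /tr $Tsa /td SHA256 /v $Exe
#   signtool verify /pa /v $Exe
```

Both the PowerShell path and signtool fail loudly when the timestamp server cannot be reached; do not fall back to signing without a timestamp in a build script, because the resulting signature expires together with the certificate.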

~~~
caseymarquis
Everything I've read hasn't differentiated. I can't seem to track down the
official MS policy on my phone. Our certs are EV (need to sign drivers), so my
experience is limited to EV certs.

------
mnkypete
This alert would not show if you used SHA256 instead of SHA1, which was
deprecated: [https://www.globalsign.com/en/blog/microsoft-announces-updat...](https://www.globalsign.com/en/blog/microsoft-announces-updates-sha-1-code-signing-policy/)

EV certs immediately gain trust:
[https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-sma...](https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/)

~~~
slededit
They aren't sufficient to get rid of the slanderous message on their own -
even with an EV. You need to have a bit of volume first. Makes interacting
with your first few customers lots of fun.

~~~
mnkypete
That's not true though. We have very little volume of installs and since the EV,
there has not been one of these messages.

~~~
slededit
I've had differing experiences. Note that if you've been distributing before
you got the cert, part of that rep will carry over, as it's also a function of
the exe signature.

~~~
mnkypete
I would check if something in the signing process is going wrong, refer to
this (very long) SO thread:
[https://security.stackexchange.com/questions/109629/deprecat...](https://security.stackexchange.com/questions/109629/deprecation-of-sha1-code-signing-certificates-on-windows/113114#113114)

We actually switched certificates (from StartCom to Globalsign) and the
signing was wrong at first, so the message kept showing. When we fixed it, it
went away immediately, even though certificate and author name changed...

Here's the article: [https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-sma...](https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/)

"Programs signed by an EV code signing certificate can immediately establish
reputation with SmartScreen reputation services even if no prior reputation
exists for that file or publisher."

------
BugsJustFindMe
This hits me solidly in the feels.

Code signing certificates are a great idea if you're a company who gets to
charge me hundreds of dollars per year to say that I am who I say I am. Code
signing doesn't seem so great from my perspective, because I don't want to
have to pay hundreds of dollars per year to a cartel engaging in a protection
racket. Unsigned code warnings are nothing more than them saying, "Gosh, it
sure would be a shame if we scared away potential users (wink wink)." If the
certificates were based on inspection of the actual source code and building
the installer inside a trusted environment, that would be one thing, but that
isn't how they get assigned. Certificates are assigned based on whether or not
I want to give the trust cartel a lot of money. Fuck that.

~~~
wolfgke
> Code signing certificates are a great idea if you're a company who gets to
> charge me hundreds of dollars per year to say that I am who I say I am. Code
> signing doesn't seem so great from my perspective, because I don't want to
> have to pay hundreds of dollars per year to a cartel engaging in a
> protection racket.

An interesting solution could be that Windows users could get the ability to
add additional root certificates for application sign keys to Windows
installations.

~~~
will4274
This already exists.

------
badsectoracula
How much I hate this error message. "Windows protected your PC" - no, it
didn't, it just assumed there would be something to protect from because it
was unknown. It is pure scaremongering.

~~~
ocdtrekkie
The average Windows user will never/should never run a program SmartScreen
doesn't know about. Everyone else knows how to vet the app they're using
themselves.

For your senior citizen browsing the web and clicking things, this dialog
saves people. More often than you'd think.

~~~
seba_dos1
The average Windows user just learned how to ignore this dialog and click
through it. Especially gamers, downloading unsigned indies from stores like
itch.io.

~~~
ocdtrekkie
No, I get calls from people about Windows update wanting to restart and asking
me if it's okay to let it. You don't know what an average user looks like.

~~~
seba_dos1
That's a below-average user; they generate most of the calls like that.

Looking around schools is a pretty good way to see what average user might
look like.

~~~
ocdtrekkie
The environments I work in are pretty analogous with schools in terms of what
the environment and userbase looks like.

------
titanix2
This alert is so annoying and stupid it hurts. I had it too when running one
of my own programs. I guess this is part of MS strategy: FUDing traditional
applications in a desperate attempt to get people to use their store. Except
the store won't become attractive anytime soon by alienating developers.

~~~
DaiPlusPlus
The warning goes away for "widely used" binaries.

I maintain a desktop application (with MSI installer) for a niche industry
with a few hundred users and for the first few weeks they had the scary red
warning, but after then they started seeing the blue, non-scary pop-up, even
for new binaries provided they're signed with the same certificate. We have a
Comodo code-signing cert (non-EV though) which costs ~$70/yr through Tucows
(remember them?).

~~~
jenscow
So what gets "trusted"? The certificate, or the publisher?

------
me1337
as a malware developer who used to work for government ( not usa ofc ) we had
our malware signed genuinely with a digital certificate ( we bought using a fake
company ) so a digital certificate doesn't protect at all!

~~~
azinman2
Can you tell us more?

------
mrguyorama
As someone who enjoys the idea of writing stupid programs for my own use,
occasionally even doing dumb things to the kernel, the games I have to play to
work with the Software I paid for is disheartening. Yes, yes, if I screw up a
kernel mode driver while toying around with faking USB input, I could brick my
computer forever, but since I've already found my way to the driver SDK, and
decided to continue, isn't that proof enough of willingness to take the risk?

~~~
freeone3000
Use a self-signed cert and add it to your own root trust store. That's the
sign you trust yourself enough to take that risk :)
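
What the reply above suggests, spelled out as an added PowerShell example (not code from the thread): create a self-signed code-signing certificate, trust it on the developer's own machine only, and sign a build with it. The subject name and file paths are placeholders. Assumed: an elevated PowerShell on Windows 10, since writing to the machine's Root store needs administrator rights.

```powershell
# Added example: a self-signed code-signing certificate trusted only on the
# developer's own machine. Subject and paths are placeholders.
$Subject = 'CN=My Own Builds (local only)'     # placeholder
$Exe     = 'C:\build\my-tool.exe'              # placeholder

# 1. Create the certificate (with private key) in the current user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
          -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(2)

# 2. Export only the public certificate (no private key) and import it into
#    the machine's trusted roots, so signatures by this key validate here.
#    From now on this machine trusts anything signed with that private key,
#    so it must not leave this machine.
$cerPath = Join-Path $env:TEMP 'own-builds.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Sign a build and confirm that this machine now validates it.
Set-AuthenticodeSignature -FilePath $Exe -Certificate $cert -HashAlgorithm SHA256 | Out-Null
(Get-AuthenticodeSignature -FilePath $Exe).Status   # Valid on this machine, UnknownError elsewhere
```

Two limits worth knowing: this does nothing for SmartScreen, which builds reputation per publisher certificate across many machines rather than from the local trust store, and it does not cover kernel-mode drivers on 64-bit Windows 10, which need either test-signing mode on the machine or a Microsoft-signed driver package.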

------
codetrotter
That's cool I guess. So what is gifski? Answered in the project README:
"Highest-quality GIF encoder based on pngquant".

~~~
gpvos
Looks quite impressive actually. I had no idea you could get this kind of
quality out of a GIF.

------
z3t4
Paying thousands of dollars per year just so that users can run your free
software is ludicrous. Code signing does nothing but teaching users to ignore
security errors. Nothing is stopping bad actors from signing executables.
Platforms are too lazy by putting the burden on the developer. Why not let
users download the apps directly from the publisher/developer? I guess that
would make it harder for the platform to leech on the developers, and gatekeep
their users.

~~~
freeone3000
It took a legitimate actor six months as he underwent EV certification. Even
if the primary goal didn't get met, there's still the secondary goal of having
problematic publishers officially blocked by cert revocation.

Also, users DO get the app from the publisher in this case. Windows provides
SmartScreen, the developer provided the binary and signature (and was on his
own as to how to get it).

~~~
mdip
It took me about 3 months, but if I'm being honest -- once I got off my rump
and actually gathered all of the nonsense together to get my application
processed, the whole thing took about a week.

The trickiest part was explaining to the 60-year-old bank teller why I needed
all of these documents notarized and what they were for. I guess that's the
one protection against forgery in this case -- notaries breaking the rules are
dealt with pretty harshly where I live. They called me several times and her
twice, but once that was done, I got an e-mail and everything was taken care
of.

------
sp332
The security theater is just to shift liability. They don't care if the
documents are fake, they just want the fraud to be plausibly your fault
instead of theirs.

------
zwetan
> Install and configure weirdo bespoke software for the smart card. It opens
> an SSH-server-hanging popup asking for a PIN, so I can't have headless
> automatic builds.

You can automate this with scsigntool.exe, check out
[https://www.mgtek.com/smartcard](https://www.mgtek.com/smartcard)

but yeah, doing all this to publish a signed exe under Windows is a PITA

------
bb88
This is really terrible. No wonder no one wants to develop open source
software on windows anymore.

~~~
pornel
To be honest, Microsoft's C compiler was the reason I didn't support Windows
before (for MSVC the 1999 C standard is still too new). I've only started
making Windows executables after switching to Rust.

~~~
pjmlp
For MSFT, C use cases have long been replaced by C++ and the compiler is called
Visual _C++_.

They support C11 to the extent required by ANSI C++17.

For anything else, the official answer is to use clang or gcc.

~~~
nurettin
Technically, it is ISO/IEC C++17 (14882) with no ANSI counterpart.

~~~
pjmlp
Did ANSI stop rectifying the ISO editions?

~~~
nurettin
They should still be in wg21, but that doesn't change the title of the
document.

------
kaivi
I've recently paid for a code signing cert from Comodo, and I'm still stuck in
the process.

 _In order to verify your company phone number, it has be shown in any of the
links like : (www.dnb.com) or (www.hoovers.com) including local /national
registration agencies and reputable third party databases.. So please update
the Company name,address and Phone number in any one of the above web site._

My company is registered in Norway, and having the company's email and domain
listed in the national company registry does not help. I'm currently in SE
Asia, and I have to go back to this:

 _[...] you can send an attestation letter signed by your attorney, Certified
Public Accountant or Latin Notary (where legally recognized) verifying the
telephone number. You can download sample text for the letter [...]_

We need Let's Encrypt for code signing. But how can we automate identity
validation? Verify the e-mail address or phone number with a national
registry, where possible?

~~~
SyneRyder
I switched away from Comodo because of the Dun And Bradstreet requirement, and
I didn't really want to support Comodo anyway after some of the shady stuff
they've done.

GlobalSign were able to help me, they were a bit more expensive but _vastly_
better support than Comodo. Super friendly phone & email support. I did need
to get a Yellow Pages listing for my business for them to verify me, but
Yellow Pages offer a free online listing tier in Australia. You might be able
to ask for a discount if their prices are a bit too high for you & you're
switching from Comodo.

If you must have a Comodo cert, you could try buying through K Software
([http://codesigning.ksoftware.net/](http://codesigning.ksoftware.net/)).
Mitchell Vincent is great to deal with, and I used his services for years. He
could probably have helped me deal with Comodo verification, but I was just
too exasperated by Comodo's support drones.

~~~
xnyanta
I've tried obtaining a cert from K Software before and they have the same Dun
And Bradstreet requirement which was impossible to get right so I just
abandoned them.

------
ryandrake
Is this some new Windows thing? Because the last time I booted Windows and
downloaded some pre-built open source Windows program and ran it I got no such
warning.

~~~
21
It's also based on whitelists and popularity counts.

BTW, Chrome has a similar thing, compile an .exe, put it on a personal site,
and try to download it.

~~~
RachelF
As do some anti-virus tools. Norton AV used to "clean up" my build folders
of exes because it was classifying the newly built exes as viruses because they
were not on a whitelist.

~~~
jle17
I used to develop a java app during an internship on a computer I was not even
supposed to be admin on. McAfee AV crapware was randomly deciding that my app
.jar was in need of being removed and there was nothing I could do without
going against company policy except rebuild and hope this time it would go
well.

------
eps
An EV sig on an .exe automatically whitelists it with SmartScreen. It still
shows a message, but a far less scary one.

Edit - hmm, it sounds like the dev got an EV cert though, because regular ones
don’t require storing keys on a token. So I’m not sure what’s going on here...

~~~
mnkypete
I think a proper EV should not show any warning at all. The issue here is
using SHA1 instead of SHA256, not sure why op would do this. SHA1 signing was
deprecated.

[https://www.globalsign.com/en/blog/microsoft-announces-updat...](https://www.globalsign.com/en/blog/microsoft-announces-updates-sha-1-code-signing-policy/)

~~~
setquk
Our EV cert shows an alert. Very fucking annoyed if I’m honest. And yes it was
SHA-256.

Several days and a pile of cash fucking around with WIX and signtool for what
exactly?

~~~
mnkypete
Check this Stack Exchange thread. For us it was cached SHA1 certificates in
the cert chain:

[https://security.stackexchange.com/questions/109629/deprecat...](https://security.stackexchange.com/questions/109629/deprecation-of-sha1-code-signing-certificates-on-windows/113114#113114)

But yeah, it's a pain.
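
The check the comment above describes, as an added PowerShell example that is not code from the thread or the linked answer: walk the certificate chain behind a file's Authenticode signature and report the signature algorithm of every certificate in it, so a SHA-1 signed intermediate that the local store happened to cache shows up. `$Exe` is a placeholder path. Note that `Get-AuthenticodeSignature` does not report the file digest algorithm itself; `signtool verify /pa /v` prints that as "Hash Algorithm".

```powershell
# Added example: find a SHA-1 link in the chain behind an Authenticode signature.
$Exe = 'C:\build\gifski.exe'   # placeholder

$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid') { "Signature status: $($sig.Status)" }
if (-not $sig.SignerCertificate) { throw "File is not signed" }

# Build the chain from the signer certificate using the local certificate
# stores, which is exactly where a stale cached intermediate would come from.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; use 'Online' for a real check
[void]$chain.Build($sig.SignerCertificate)

$weak = @()
foreach ($element in $chain.ChainElements) {
    $c   = $element.Certificate
    $alg = $c.SignatureAlgorithm.FriendlyName
    "{0,-12} {1}" -f $alg, $c.Subject
    # A self-signed root's own signature is not validated, so only
    # SHA-1 on the leaf or on an intermediate is a problem.
    if ($alg -match 'sha1' -and $c.Subject -ne $c.Issuer) { $weak += $c }
}
if ($weak) {
    "SHA-1 signed certificates below the root:"
    $weak | ForEach-Object { "  " + $_.Subject + " (issued by " + $_.Issuer + ")" }
}

# The timestamp countersignature has its own chain; report at least its signer.
if ($sig.TimeStamperCertificate) {
    $t = $sig.TimeStamperCertificate
    "Timestamp signer: $($t.Subject) ($($t.SignatureAlgorithm.FriendlyName))"
} else {
    "No timestamp: the signature can no longer be validated once the certificate expires."
}
```

If an intermediate shows up as SHA-1 here, the usual fix is to re-sign with the CA's current SHA-256 intermediate included in the signature (`-IncludeChain All` with `Set-AuthenticodeSignature`, or the `/ac` option of signtool) rather than relying on whatever the machine has cached.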

~~~
setquk
Thanks for the link. I don't think it was that but I'm going to check it
thoroughly anyway.

------
vortico
I haven't used Windows in 10 years, so I don't understand: What is the point
of signing this binary at all? If users want to run software they know is
legitimate because they can review the source on GitHub and download via HTTPS
from the GitHub page, why do they have this "Windows protection" feature
enabled? Wouldn't a better solution be for the project maintainer to tell the
user to disable it since they're in a position of trust which is at the same
level as distributing a valid binary?

~~~
SmellyGeekBoy
It's enabled by default and AFAIK maybe even impossible to disable.

Every time I have to dabble in the world of Windows these days it really
depresses me. Windows 10 is really a great OS underneath but every new update
seems to add more layers of crap.

------
api
... and people wonder why web apps are conquering the world.

This is how painful it is to ship software for major platforms. Windows is by
far the worst. Apple and Android are a bit better but not really great.

------
grenoire
Hah, plus points for Vogon poetry!

------
jenscow
CA was Certum, according to the certificate

------
djrogers
Wow, and I thought the ‘nightmare’ stories of taking several hours to get code
signing working in XCode were bad. This is ridiculous!

------
garganzol
Let's encrypt for code. Tie a cert to domain. Problem solved. Overall security
improved.

------
ninjakeyboard
After reading through the comments I realize I do not miss windows.

------
asasas2321323
You can just bring your application into the Windows Store and it will be a "Trusted
Windows Store App". They support command line apps too.

------
r1ch
Not really sure what this is trying to point out. It's hardly the fault of
Windows or the CA if he signs his code with SHA1.

