-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Allow code self-signed certificates with user approve #424
Comments
Certificates are a problematic issue since some developers have created vulnerabilities with trusted root certificates in the past, e.g. Lenovo Superfish and Sennheiser HeadSetup. I believe you're strictly speaking about code signing certificates instead of web server certificates though. Is that assumption correct? |
This is related to #498 . If we want to run our own internal repository then we need the ability to trust apps from the internal repository, self signed or not signed at all. There should be some clear warnings when adding a trusted repository. |
Agreed. Certificates are great for the end user ensuring they're installing what they want to install, however, there is a huge list of softwares which cannot be added to the repository now because the developers or author simply don't care about its inclusion into the repository. For the average user to submit a software to the repository, they would need to purchase a code signing key for between $60-500/yr just to add software to the community repository. Not really an amazing option. Microsoft could launch a trusted user program where developers can apply, authenticate, and identify, and then Microsoft could endorse their self signed keys, perhaps? A terribly difficult setup, but 🤷. |
Please do not do this. While it may be the case that this helps a few, it opens a huge security hole that threat actors WILL employ. It runs a coach and horses around corporate security policies- with no apparent way to block it. And frankly if any publisher cannot afford a public signing key, yet expects one to load their stuff, just say no. If this is to be implemented, I would simply ban, and advise my clients to ban, the use of winger totally. Imho this is a bad idea. |
Then even after 34 years in computing, Microsoft has yet again developed another completely useless technology. A product like this cannot and will not survive without community support. If someone wants to take the time to add software they care about to a repository for the benefit of all, it should absolutely be encouraged when it can be done in a secure way. Code signing keys simply aren't the way to go. Neither is relying on publishers to also publish to IMO this entire deployment is nothing more than a way for Microsoft to push the Microsoft store in a new way to attempt to capitalize on it and to safe guard losing users to WSL/Linux in general. You can theorize about which attack vectors can be used against users, but the fact remains that the AUR, and other repositories have been used successfully for decades due to the lack of Microsoft sponsored software. There are even third party CLI application managers and installers for Windows such as Chocolatey and Scoop. Which are entirely successful and reasonably secure which also accept user submissions. To say it can't be done securely is frankly bull-crap. |
I'm beyond frustrated with this project. Now I realize the glaring flaws with msix. The first thing is the signign issue. Good fine, make sure stuff is signed ot make it secure, so how do I sign my How many steps do we want to stump / allow for contribution? Is fast iteration unheard of? And of course, on top of all of this what I'm reading here is that not even signed certifacates is good enough for In it's current state at best winget matches the very hacky implimentation of Chocolatey, at worst it falls behind and may If you're that worried about security, how about you introduce the concept of local packages. The only secure machine is the one that's unplugged and thrown in a fire. Don't compromise on usability because of security. |
Installers needing administrator access isnt the fault of the package manager, more the package itself. There is no reason most installers request admin, other than the fact that they default to installing to the whole box and have no option for user-only. |
There are often good reasons why an installer needs elevated permissions, so this comment might be a little unfair. It might be installing code into protected folders or modifying protected parts of the registry. Both would be just fine if the installer runs elevated but not otherwise. And then there is inertia (our installers have always worked this way). I think winget has to cater for the existing landscape - with loads of different approaches the team kind of has to follow. Maybe, one day MSIX becomes the next defacto standard packaging format with awesome benefits. But until the rapture, winget needs to handle things like certs and elevation. I suppose this boils down to the difference between a very cool power toy for developers to get some stuff onto their machine vs an Enterprise managed cross-platform package management solution. Self-signed certs are great for development and developers. It enables them to test things without needing a public cert - I do this all the time. But if the developer then wishes to publish the solution to a public repository, IMHO,. the cost of the cert is all part of the cost of doing business. With all that said, this proposal is about a year old. There have been numerous arguments for/against. I think we are in danger of just repeating ourselves. Can the team take a view on this: either by saying that yes, this is something the team wants to do (and assigns it to a milestone), or by formally saying no. |
Ok yes, the comment about elevated privillages was a little unfair, its a little more complex than that. I think, a package manager comes with the stigma that it should be accessible so people can share their software easilly, It seems like a lot of unnececary friction that is likely to reduce the usefulness of the software, |
This is possibly one of the most useful tools that Microsoft has designed in the past 10 years other than the new updated Terminal and I don't know of anyone at all that uses it, or even so much as speaks of it. It's not social software. No-one is going to use it. If I have to go to the internet to download application installers for my favorite software anyways, then why use this tool at all? You're essentially installing an application that manages some of your applications.... That's not a good use case. As it stands, It's just not competitive by any standard whatsoever. |
@Mallchad installing with a local manifest is a supported scenario: Private repositories are also supported via REST API. We have provided a reference implementation. |
@zQueal how are you defining "application installer"? There are over 1,900 packages (unique "PackageIdentifier") in the community repository today. I'm not sure a package manager is really targeted as being a "social tool". The initial set of use cases were primarily related to improving developer productivity. The "core" functionality for install, upgrade, export, import, and uninstall have been implemented. The goal is for these to work with any package on Windows. Clearly we have more work to do. Most of the current work is around improving how manifests map to Apps in "Add / Remove Programs (ARP)". The initial work to support dependencies is in progress. We've also heard from several IT Professionals so the work for native PowerShell has moved up in priority as well. |
I'll look into the private repositories when I get a chance, I'd be interesting to how it behaves with package signing. |
Looks as if each version number is a unique package indenter, so I'm not sure if this is meant to be intentionally misrepresentative or not, but it certainly is misrepresentative.
Winget seems to offer 85 unique softwares to install from what I can tell. |
The manifests are located in the packages repository.
|
I have now been caught out by this issue! Our org certificate (Kiwix) expired yesterday, and suddenly all my UWP packages are now uninstallable from winget, even those that were submitted prior to the expiry. This seems very problematic... The packages that we release via the Microsoft Store are still working because the Store provides its own code signing, but since UWP packages in winget need to be sideloadable, we signed these with the now expired org certificate. Is there another solution that would prevent this from happening? While Kiwix is sorting out a new certificate, I expect that the new one will not fix the previous packages uploaded to winget, and I'll have to resubmit (I think) each of the most current packages (three apps). I don't know if there is anything I can do about the previous packages. I can't re-build them because the code they were built from is now obsolete, and I'm not sure it's possible to "re-sign" previously signed packages without rebuilding. This makes the concept of winget being a proper historical archive a bit problematic... @denelon do you have any advice? |
@Jaifroid did you sign with timestamp? Any program signed with timestamp will not fail when the certificate expires because the OS can validate that the cert was valid at the time of signature. If winget is expiring timestamped signatures then that would be a major bug affecting all software, https://comodosslstore.com/resources/how-to-avoid-code-signing-certificate-expired-issues/ |
@A9G-Data-Droid I have to confess I merely imported our org certificate into Visual Studio, and it took care of the rest. Clearly I needed to have looked into the options more carefully... But I think the broader issue (i.e. this issue) still stands. Thanks for the tip about timestamp. I'd have thought it ought to be the default in IDEs... But nothing is ever that simple. |
@Jaifroid, yeah it can't be defaulted because it needs a timestamp server to sign with you. Microsoft could provide one by default and tell you that you need to turn it on. There might be anti-trust reasons why they can't. I would use the timestamp server of the company who sold the certificate. |
I've been doing some research, and timestamping AppxBundle is not easy. Guess what, SignTool doesn't support doing so! Fiendishly complicated blog post about it here: https://blog.jayway.com/2017/01/16/time-stamping-appx-packages/ Which kind of underlines the need for WinGet to provide some kind of repo-side signing just like the Microsoft Store does. |
@Jaifroid I'll look into some options for what we can detect in terms of checking to see if a .appxbundle is signed with timestamp. If it's something we can detect in validation, at least we could produce a warning in the validation pipeline output. |
Hi @Jaifroid It should just be an extra parameter(/t for timestamp server) to Signtool to get appxbundle signed with timestamp signtool sign /a /v /fd sha256 /f <Path to signing cert> /t <Timestamp Server Url> test.appxbundle Thanks |
@yao-msft The thing is, I compile my appxbundles with Visual Studio, and because the app is html/js this has to be VS2017. VS2107, AFAIK, has no way to add the timestamp. However, I will look in to adding it as an extra build step by re-signing the bundles with signtool. |
@zQueal this is completely untrue if you actually spent your time using scoop and winget and relied on them. I have seen this online so many times and people always miss the point and think one has weed out the other. Fundamentally, they both are very different and solve two different problems but need each other because they both can't do each others job. Firstly, Scoop is meant for portable apps and to use them from the shell directly after installing it, like a unix app. There are lot of Windows apps(and many of them command line) that are distributed as portable exes. scoop will shim them to its shims directory automatically. It can also install fonts. But scoop is very bad at managing installers and apps that register themselves to Windows appearing in the Programs and Features list. Or apps that update themselves automatically. For example VCRedist can be installed from scoop, but uninstalling it from Programs and Features will not uninstall it from scoop. scoop can't manage apps that automatically update themselves or register themselves to Windows and can be managed from Programs and Features. Winget is meant for apps that come with a installer and can be managed by "Programs and Features". It even uses the ProductCode to uninstall an app, the string that identifies the app in the registry and is used by "Programs and Features" to uninstall your app(or you can use msiexec with the ProductCode to uninstall the app from Command Line. Infact winget can uninstall anything that has a ProductCode even if it is not in the winget-pkgs and I use both scoop and winget, and never understood discussions like this around how one is better than the other(even Ash258 understands the differences, and you will know him if you used scoop and followed the scoop-project). Everything that can be fully managed by scoop, I install them from scoop. But anything that is registered to "Programs and Features", should be installed from Winget. This why I am puzzled by why scoop-nonportable is an official bucket. In my opinion, scoop should only contain portable apps that it can manage in its official buckets.
Thats such a terrible take on the subject. winget is an essential tool for windows that finally did something that many of us were wishing to see on a package manager for windows. If they actually turn Windows Store into a GUI for winget I am all for it, don't see the issue with that(or like this app, even better if they add Scoop to it since winget will never come close to it for managing portable apps). And don't you dare mention Chocolatey as the better tool. Its full of outdated packages that rely on the maintainers whims to get updated(which is the first person who uploaded it to Chocolatey), confusing manifest-spec based on nuget and certain features behind a paywall. People love mentioning Keivan Beigi whose AppGet inspired winget(heck AppGet itself was full of outdated manifests and could neither uninstall nor update apps, it was nice concept that winget turned into a functioning product), but never seen anyone mention his rants about Chocolatey's issues. Chocolatey is inferior to scoop for portable apps and inferior to Windows when installing apps with an installer. |
lol
lol
lol
lol
lol amazing how we've been without winget for 35 years and have gotten along just fine considering winget is essential.
lmao The sheer ridiculousness of your reply is pretty stunning. Winget is a windows package manager built by Microsoft to be apart of the operating system. Scoop is a CLI application installer that's just another application package on your system. The lack of perspective here is amazing. Especially considering all of your arguments which are 'pro' winget pretty much empirically support my major gripe with it to begin with;
|
Love how you are not able to provide any rebuttal other than spamming lol. The only similarity between scoop and winget is that they install apps from the command line, like any other package manager. This is the first time I am hearing such a take, particularly from someone who probably never used scoop. I also love how you mention the community repo of aur and then praise Chocolatey which is completely opposite and it's almost impossible to contribute to a package abandoned by it's maintainer. I guess someone told you how Chocolatey is some amazing package manager for Windows but forgot to tell you about the mess known as its nuspec manifests. After I switched to scoop I never looked back at Chocolatey. And for the record I hated Chocolatey before winget was a thing.
And for 35 years we have been downloading binaries from the web after googling them instead being able to comfortably use the command line.
Whether it is made by Microsoft has nothing to do with how I judge a product(otherwise I would not be using Windows in the first place). winget is the best tool to manage non-portable apps.
I mentioned good points of both scoop and winget. Winget is good for apps where you have to use an installer, scoop is good for portable apps(try being a firefox user only through scoop), I even linked to a very popular scoop manitainer who said the exact same thing. I have added packages to scoop(and even some to winget) and maintain my own scoop bucket, and I use both scoop and winget. |
I see benefits to all the package managers I've looked at and worked with. Each of them was designed to solve the problem of managing software from a slightly different perspective and with slightly different use cases. Each of them has slightly different goals and approaches. There may not be a "one best option" in this space. I've often suggested to users that they should use the tool that solves their particular needs. We're just trying to provide a native solution that supports meeting software developers where they are. We have certain unique constraints with respect to providing a solution that is native to Windows. Those constraints add a bit of complexity that we have to deal with and we're learning about the various edge cases and classes of problems unique to our constraints. There are many different package managers. Everyone is welcome to have an opinion, and to use the tool that meets their needs. Let's just try to keep the discussion civil, and if this needs further discussion, please create a new discussion so we're respecting the (e-mail inboxes) users who are looking at this issue related to code with self-signed certificates. |
Description of the new feature/enhancement
Right now there is no way to install UWP or packaged side-loaded application without any certificate. However It is possible to distribute application with self-signed certificate, which should be manually installed by user (MSIX/APPX doesn't support it unfortunately).
WinGet could solve that problem with providing ability to install certificate (or allow unsigned packages at all) with additional user approve.
Cases when developer distribute app with self-signed certificate:
Proposed technical implementation details (optional)
Add SelfSignedCertificate property per Installers' element in manifest.
When user install package with self-signed certificate, winget will ask user confirmation, that he trust specific publisher, and certificate can be installed as trusted by winget.
Other notes
The text was updated successfully, but these errors were encountered: