free code signing?

[theoneandonly-vector]

I'm really not sure if this can be used.. as I have zero experience with code-signing.
but maybe this would be a solution:
sigstore.dev

[PathfinderNetworks]

I have zero experience with code signing myself (as I'm not a developer) but would LOVE to see if this would work or could be implemented. Due to all of the antivirus issues as of late I would like try signing my agents and agent installer to see if it would at least help. If I can do it for free even better. At the very least I'd like to start with a free option to at least try and figure out how it all works.

[rallisf1]

Code signing with a self-hosted or free (aka low trust) cert authority won't make the smartscreen warnings go away and that's what most people care about. Even regular paid code signing certs don't fully guarantee smartscreen trust, only EV ones do.

Nonetheless; the cheapest option I could find is https://shop.certum.eu/open-source-code-signing-on-simplysign.html which actually produces a natural person certificate (says "Open Source Developer" in the Organization field and "Your Name Open Source Developer" in the Common Name field). It might be something @Ylianst can provide for everyone since it's his project. I'd be more than happy to financialy contribute / donate for such a feature.

[Ylianst]

Ha, interesting you mention Certum, I have a certificate from them and use it to sign the MeshCentral Installer, MeshCentral Router, MeshCentral Assistant and MeshCommander with it. For anyone of these executables, you should see it signed with my Certum cert. I think some people prefer using Assistant over the Agent because of the signature, however Assistant requires user connection or user consent to work in order to prevent it being abused and Assistant can't be installed in the background.

So, I sign everything except the agent. This is because many years ago, I did sign the agent and got my certificate revoked because VirusTotal.com reported my cert (and many others) as signing malware. Since then, I got a new cert and don't sign the agent anymore. The agent is too flexible and too powerful (especially since it run any JavaSciprt code) to be signed by the community.

A few days back, we did release a new feature with the latest agent that allows someone to sign the agent and "lock" it so that once signed, the signed binary can only connect back to their specific server. If you sign the agent, I highly recommend you make use of this feature.

In general, for the agent, I don't think community code signing is in the cards. It's going to be used to do bad things right away.

[rallisf1]

I didn't know that. Sounds logical. Would it be possible for us to cert the agent via certum though, as other solutions are quite pricey. Will a fork suffice as a dev proof?

[poiNt3D]

A few days back, we did release a new feature with the latest agent that allows someone to sign the agent and "lock" it so that once signed, the signed binary can only connect back to their specific server. If you sign the agent, I highly recommend you make use of this feature.

Is there some guide or more detailed information about this feature?

[smartekIT]

[PrplHaz4]

Does that signing URL need to also include the loginKey '?key=xxxx' parameter?

[smartekIT]

Does that signing URL need to also include the loginKey '?key=xxxx' parameter?

I tried it and the answer is no it doesn't need that, nor it needs the port number. here how I did it, advised that mine installed on subdomain:
/du "https://subdomain.example.com/?serverid=XXXXXXXXXXXXXXXXXXXXXXXXX"

[noagenda33]

I would like step by step instructions too. Sorry but I have not idea where to go or how to begin.

[Ylianst]

Correct, the signing URL does not need to include ?key=xxx

[smartekIT]

for people who are using jsign on linux, there is no "/du" switch but you can use "--url" like this:
--url "https://subdomain.example.com/?serverid=XXXXXXXXXXXXXXXXXXXXXXXXX"
and it should work, I tested that myself.

[si458]

we codesign all the exes from meshcentral with our own certifcate from comodo - https://comodosslstore.com/codesigning.aspx
it costed us $212 for 3 years, it was very simple to verify our company too,
then you just follow the video on youtube to codesign it and replace the exes - https://www.youtube.com/watch?v=HZj9igSn-sY

BUT it would be amazing to have a feature built into the meshcentral, that if we give it a cerificate and password, it codesigns it for us before download, because every time we update the server or the exes are updated, we have to download the new exes, unsign and then resign and reupload then restart the server for it to apply

[si458]

@Ylianst i will add my repo here as an example for you on how you could change the exe data - https://github.com/si458/changeexe

[Ylianst]

Wow, nice! Exactly what I need!!!!

[Ylianst]

OOhhhh no. I got excited for nothing. Looking at this code, it just downloads "xhttp://www.angusj.com/resourcehacker/resource_hacker.zip", extracts it and makes calls to it. That's not going to work on anything but a Windows server and I don't want to be running an opaque executable.

This is no good, I need a pure NodeJS version of this.

[si458]

yeh sadly its the only way i could find to get it working but it does the job perfectly!

[Ylianst]

Just like authenticode.js, I am going to have to build my own. Of course, you can use that tool and your own code signing and place the resulting agent in meshcentral-data\agents a bit like @smartekIT does.

[Ylianst]

Also, Firefox will not download "resource_hacker.zip" since it's a security threat. Not sure if that is correct or not, but certainly not something I would include in MeshCentral.

[Ylianst]

Funny you mention adding this feature to MeshCentral. The main problem was that there is not authenticode code signing that is purely NodeJS that could be included in MeshCentral, but in the last few days, we got that built.

This tool was included in MeshCentral v1.0.28 and now, I am working on having MeshCentral auto-code sign the agent, that will be in v1.0.29. By default, a server generated code signing cert will be used, but you will have the option to use your own. Also, you will be able to enabled agent signature server locking to have the signed agent only be allowed to connect to your server.

[PathfinderNetworks]

Thank you for the work on this, Ylian! I just updated to 1.0.29 and have added the "AgentSignLock" option to Settings section of my config.json. Is that all there is to force the installer to lock the agent to the server? Next, if I were to purchase an authenticode certificate, say from Comodo, what are the steps I'd need to take to get that to work with this new release so it will automatically sign the agents with that certificate? This is probably going to be a pretty important subject for MeshCentral users so good documentation on all the steps would be great. Or is it already part of the online documentation? (I, honestly, haven't looked yet).

Lastly, is there any way to check/verify the agent locking is functioning?

Thanks again!

[si458]

i believe his new youtube video might help with questions - https://www.youtube.com/watch?v=xteKscs_Jgo

[PathfinderNetworks]

So there seems to be a pretty big issue with upgrading to 1.0.29. After I performed that upgrade I am no longer able to connect to my MeshCentral server. I can see the MeshCentral service is running, MongoDB is running, NodeJS starts up, etc. But all web connections are refused. I just get a 'error connection timed out' message even if trying to connect from a web browser physically located on the MeshCentral server itself. Restarting the MeshCentral service seems to make no difference. At first I thought it may have been a configuration issue in my config.json when I added the agentsignlock setting. However, even when I revert back to a config.json before the edit, I see the same issue.

[PathfinderNetworks]

BTW, I was on 1.0.28 prior to moving to 1.0.29

[PathfinderNetworks]

Rolling back to 1.0.28 gets me back up and running. I'm going to open an issue for this to track it.

[PathfinderNetworks]

1.0.30 has resolved this crash/GUI access issue for me.