Bug 4433 - Windows binaries aren't tamper proof
Summary: Windows binaries aren't tamper proof
Status: REOPENED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms (show other bugs)
Version: 3.4.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on: 2075
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-16 14:24 CEST by Peter Åstrand
Modified: 2021-03-09 12:52 CET (History)
1 user (show)

See Also:
Acceptance Criteria:


Attachments
Windows SmartScreen warning when installing wts-tools (29.98 KB, image/jpeg)
2016-09-06 12:51 CEST, Samuel Mannehed
Details

Description Peter Åstrand cendio 2012-10-16 14:24:56 CEST
This is a continuation of bug 2075. On that bug, we are starting to sign the Windows client installer and customizer. However, I think we should sign *all* binaries. This includes files inside the Windows client package, as well as the WTS Tools installer and files. 

Note that I used the comment "ThinLinc Client" when requesting the Go Daddy certificate. The downloaded file was called Cendio-AB-ThinLinc-Client.pem. However, if you look at the actual cert, this is not visible, the subject is just:

C=SE, ST=Ostergotland, L=Linkoping, O=Cendio AB, CN=Cendio AB

So, I think it should be safe to use the same cert even for WTS Tools stuff.
Comment 1 Pierre Ossman cendio 2012-10-18 11:29:55 CEST
Unfortunately "ThinLinc Client" is embedded in the certificate in a magical Microsoft-field. Windows will also show this text now and then.

So it seems we need another certificate for non-client stuff.
Comment 2 Samuel Mannehed cendio 2016-09-06 12:51:25 CEST
Created attachment 737 [details]
Windows SmartScreen warning when installing wts-tools

If you try to install wts-tools on Windows 10 with "SmartScreen" enabled you get a warning saying:

> Windows protected your PC
> Windows SmartScreen prevented an unrecognised application from starting.
> Running this application might put your PC at risk.

At first, the dialog only displays one button - "Don't run" but you can choose "More info" and then click "Run".
Comment 4 Pierre Ossman cendio 2019-02-07 15:43:45 CET
rdesktop (and associated tools) is being removed from the ThinLinc product.
Comment 5 Pierre Ossman cendio 2021-03-04 13:08:01 CET
This isn't just for (the now removed) WTS tools, so reopening. We'd like to sign all client binaries to avoid tampering.
Comment 6 Pierre Ossman cendio 2021-03-04 16:50:13 CET
When this is fixed we can re-enable our automatic test that all binaries are signed.

Note You need to log in before you can comment on or make changes to this bug.