tsh.exe is from unknown publisher. #3012
Comments
benarent
added
ux
tsh
|
It'll be interesting to see whether this happens when running from the CLI. I don't think I had that issue. Either way, though, we should probably sign the binaries just to make sure. |
|
@webvictim Windows isn't super clear for our use case, but let me know if you need help acquiring a .net license. https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows |
|
The issue we might have is that we don't build on Windows. I'll see whether anyone else has tried to sign Go Windows binaries when building on Linux. |
|
It looks like this is a Windows step, https://stackoverflow.com/questions/51717409/is-there-any-way-to-sign-the-windows-executables-generated-by-the-go-compiler might . I guess we'll need another Windows box to sign this. Maybe do the same setup at our MacOS Apps |
|
Yeah - we don't currently build the binaries on a Windows box so we'd need to explicitly get one to do this. |
|
I ran into this again today. It seems we don't need a windows box but do need to purchase an EV Code Signing Cert to pass the Microsoft SmartScreen Filter. I'll work internally to obtain this certificate and we can use http://manpages.ubuntu.com/manpages/trusty/en/man1/signcode.1.html to sign on a linux box. |
|
Thanks to @TravisGary we now have a code signing cert. It's shared in our internal secrets system, with password and |
|
While recording the Windows video I encountered this again. I tried the If we install https://www.mono-project.com/docs/tools+libraries/tools/#security we should be able to run this on Linux ./signtool.exe sign /f gravitational-code-sigining-cert.pfx /t http://timestamp.digicert.com/scripts/timstamp.dll /p "PASSWORD" /fd SHA256 tsh.exe
|
|
I've made more progress on this, just out of interest. I was able to sign using https://github.com/mtrojnar/osslsigncode, I had to pass in the password as a text file as it has a comma in it. osslsigncode sign -pkcs12 /teleport-sign/gravitational-code-sigining-cert.pfx -readpass password.txt -n "Teleport" -i https://goteleport.com -t http://timestamp.digicert.com -h sha2 -in tsh.exe -out signtsh.exe
# Succeeded |
|
@timothyb89 This is complete right? Has it been merged into |
|
Nearly, it's just getting final approval now: #7897 I'll backport it as soon as the PR is merged! |
|
@timothyb89 No problem, thank you for the update! |
What happened:
When testing Teleport on Windows, I've had this error message, I had to click
More infoto run Teleport.While we don't provide a UI, it's very common for Windows users to directly click an .exe ( I'm not 100% sure on a fresh install if you don't approve it )
What you expected to happen:
Similar to #2979 we'll need to sign the package after we compile it. https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe?redirectedfrom=MSDN
Environment:
tsh version): 4.1The text was updated successfully, but these errors were encountered: