Electron-builder: ensure that update only to the application signed with same cert

It is planned functionality. And must-have functionality since Windows security model just * and cannot protect users.

https://technet.microsoft.com/en-us/library/ee176840.aspx will be used to verify that update is signed and signed exactly by you.

Perfect, thanks! Is it up in backlog, or planned for someday? :)

planned for someday

... when all critical issues like #1106 or #1172 will be fixed.

Issue is not closed backlog, so, it is planned to be fixed in short term (but as it is an open source project, it can took years :) without PR or donation).

Just wondering if there's going to be an easy way to cover the case of an expiring code signing certificate, i.e. when the update must be signed using a different certificate than the one used for the installed version, but both certs are issued to the same person/org.

@JanEgner Expired Code Signed Cert is always valid regardless is it expired or not. Because electron-builder always sign it using timestamp server. http://stackoverflow.com/a/4417480/1910191

@develar Yes, but some day my cert will expire and I will have to get a new one. Stuff that I signed in the past, using the now-expired cert, will continue to be considered signed. But for my next update I need to use the new cert - i.e. a different one than for the installed version.
This would be an issue if you plan to check that the cert fingerprint is the same for the update as for the installed app.

@JanEgner Yes. Nice question. Will be checked not by cert SHA256/SHA1, but by "Issued to" field. So, during build electron-builder will remember certificate publisher and on update exe signature will be verified:

1. must be signed and valid.
2. publisher still the same.

Yes, that sounds great!
(unless the publishing company changes its name - which my employer did several times in the past years - so it would be extra-cool to be able to set an alternative accepted publisher name during build).

Hey @develar, there is some extra work planned for this issue?

Please use win.forceCodeSigningVerification to disable this check. Check is not performed if app is not signed.

Awesome - thanks a lot @MariaDima and @develar!

@develar, @MariaDima I still can update signed application to not signed.

@cumajkeee Please specify version of electron-updater. Is "signed application" was build by latest electron-builder (specify version).

"electron-updater": "2.1.1",
"electron-builder": "18.6.2"

Any updates so far?

@cumajkeee As soon as my working day will be over, I will take a look ;)

I checked, but with latest electron-updater 2.1.2.
I get errors for the cases where the update has not been signed at all or has been signed using a "different" certificate.

@MariaDima Thans for verification.
@cumajkeee Please ensure that there is publisherName in your app-update.yml file (this field automatically added by electron-builder).

One more note:
In case someone uses the setFeedURL method, you need to make sure you update the options with the proper "publisherName".

Is update of an unsigned application still allowed?

@KochiyaOcean Must be not in the latest electron-updater.

@develar OK I think I would stuck on electron-updater@1 until found an affordable cert.

@KochiyaOcean If your app is unsigned at all, update of an unsigned application is allowed. You are not forced to use code signing on Windows.

@develar Understood. Thanks 👍

@develar we've updated our org (and cert) from Opentest, Inc. -> Loom, Inc. Since the publisher name is now different, how should I go about this update? Just tested our staging app and it seems we run into an error telling us the update isn't signed by Opentest, Inc.

Is the only way forward:

1. Ship a new build with Opentest, Inc. cert that disables the check via win.forceCodeSigningVerification=false
2. Force people to upgrade to that version
3. Ship a new update with the app signed by Loom, Inc. and add that check back in

?

exact error for what @vhmth mentioned here:

Error: New version 0.22.18 is not signed by the application owner: publisherNames: Opentest, Inc., raw info: {
  "SignerCertificate": {
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1597838400000)/",
    "NotBefore": "/Date(1564704000000)/",
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "03387E856C29FB71D1EA8C720C1A703F",
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "4C2D6BB4572616B6544AD006A6DA220CC9B95A49",
    "Version": 3,
    "Issuer": "CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
    "Subject": "CN=\"Loom, Inc.\", O=\"Loom, Inc.\", L=San Francisco, S=ca, C=US"
  },
  "TimeStamperCertificate": {
    "Archived": false,
    "Extensions": [
      "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
      "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension"
    ],
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1729555200000)/",
    "NotBefore": "/Date(1413936000000)/",
    "HasPrivateKey": false,
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "03019A023AFF58B16BD6D5EAE617F066",
    "SubjectName": {
      "Name": "CN=DigiCert Timestamp Responder, O=DigiCert, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.5",
      "FriendlyName": "sha1RSA"
    },
    "Thumbprint": "614D271D9102E30169822487FDE5DE00A352B01D",
    "Version": 3,
    "Handle": 1863111192016,
    "Issuer": "CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US",
    "Subject": "CN=DigiCert Timestamp Responder, O=DigiCert, C=US"
  },
  "Status": 0,
  "StatusMessage": "Signature verified."
}

@vhmth @paulius005 Do you remember how you got past this issue?

@billoneil we ended up shipping an update with the old (still current at the time) cert that would point to a new build that opened up the allowed publisher names to both Opentest (old) and Loom (new) and pointed to a new bucket for updates. We then had all builds signed with the new cert in that new bucket. This allowed us to get everyone onto the latest Opentest build (which is valid based on the time of cert, not the time of day that the app is run).