Thanks for the great app.
Any hints or guide on how to do re-branding for agents, router software, and websites, and how to sign the agents with our own code signing certificate, which I just purchased?
Your help is much appreciated. Thanks
For agent code signing, go in "node_modules/meshcentral/agents" and you should see the following files:
MeshService.exe
MeshService64.exe
MeshService-signed.exe
MeshService64-signed.exe
Create yourself a batch file that signs "MeshService.exe" and replaces "MeshService-signed.exe" with the signed version. Same for 64bit.
For branding of the web site, there are plenty of instructions in the MeshCentral User's Guide, section 21. You can also look at my latest blog.
For rebranding the agent, you can create your own installer for it, or compile your own version from source on GitHub. Same for MeshCentral Router, take a look at the source code on GitHub.
Hope that helps,
Ylian
Ylian,
On this subject... I, too, just bought a code signing certificate.
I downloaded MeshService.exe and MeshService64.exe from my Ubuntu MeshServer install using FileZilla to my Windows computer. Signed the exe files. Renamed them to MeshService-signed.exe and MeshService64-signed.exe and FTP'd them back into "node_modules/meshcentral/agents" using overwrite.
I think it's working! My questions...
1) When I upgrade the server, do I need to re-sign these?
2) When I FTP them from my Windows machine to the Ubuntu server, do I need to 'restart' the service?
Thank you so much!
Excellent questions. Yes, you will need to re-sign the agents when you update MeshCentral, as the update process will overwrite the "agents" folder. That said, the agents are not always updated when a new MeshCentral server is released. So, you may be able to keep the signed binaries you have, but you will have to copy them over again. When a MeshCentral server is updated with new agents, you will really need to re-sign the Windows agents.
As for server restart, yes, you will need to restart the server after signing. If you run your server on a Windows computer, you may be able to write yourself a script that stops the server, updates it, re-signs the agents and starts the server again in one go.
Strangely, only the Windows agents are loaded into RAM by MeshCentral on start; the Linux/MacOS/BSD agents are not by default (unless you use `"agentsInRam": true`).
Anyway, hope that helps. If you need any other changes, please let me know.
Ylian
Thanks for the explanation! Is there a way to easily identify when the agents have been updated?
And for my Ubuntu install, I guess I would plan to FTP the signed agents into MeshCentral and use:
sudo systemctl restart meshcentral.service
to restart the server.
I'm using WINSCP and a batch file to accomplish this. For anyone who needs a hint, here is my batch. It runs on a Windows computer as a scheduled task once per day:
```bat
@echo off
::Check for and create a LOGS Directory if needed
IF NOT EXIST C:\Scripts\Logs MKDIR C:\Scripts\Logs
::DELETE OLD LOGS
IF EXIST "C:\Scripts\Logs\MeshAgentSign.log.old" DEL "C:\Scripts\Logs\MeshAgentSign.log.old"
::RENAME OLD LOGS
IF EXIST C:\Scripts\Logs\MeshAgentSign.log REN C:\Scripts\Logs\MeshAgentSign.log MeshAgentSign.log.old
::Clear local work folder
IF NOT EXIST C:\Work\MeshAgentWork MKDIR C:\Work\MeshAgentWork
erase C:\Work\MeshAgentWork\*.* /Q
:DOWNLOAD
"C:\Program Files (x86)\WinSCP\WinSCP.com" ^
/log="C:\Scripts\Logs\MeshAgentSign.log" /ini=nul ^
/command ^
"option batch continue" ^
"open -hostkey=""ssh-****************="" sftp://user:**@rd.domain.net/" ^
"cd node_modules/meshcentral/agents" ^
"lcd ""C:\Work\MeshAgentWork""" ^
"get MeshService.exe" ^
"get MeshService64.exe" ^
"exit"
set WINSCP_RESULT=%ERRORLEVEL%
if %WINSCP_RESULT% equ 0 (
echo Download Success
GOTO SIGN
) else (
echo Download Error
GOTO END
)
:SIGN
::Stop if signing fails, so an unsigned binary is never uploaded under the "-signed" name
CALL "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "C:\Certs\CodeSign.cer" "C:\Work\MeshAgentWork\MeshService.exe"
IF ERRORLEVEL 1 GOTO END
CALL "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "C:\Certs\CodeSign.cer" "C:\Work\MeshAgentWork\MeshService64.exe"
IF ERRORLEVEL 1 GOTO END
REN C:\Work\MeshAgentWork\MeshService.exe MeshService-signed.exe
REN C:\Work\MeshAgentWork\MeshService64.exe MeshService64-signed.exe
:UPLOAD
"C:\Program Files (x86)\WinSCP\WinSCP.com" ^
/log="C:\Scripts\Logs\MeshAgentSign.log" /ini=nul ^
/command ^
"option batch continue" ^
"open -hostkey=""ssh-*************="" sftp://user:**@rd.domain.net/" ^
"cd node_modules/meshcentral/agents" ^
"lcd ""C:\Work\MeshAgentWork""" ^
"put MeshService-signed.exe" ^
"put MeshService64-signed.exe" ^
"exit"
::Capture the result of the upload session, not the earlier download
set WINSCP_RESULT=%ERRORLEVEL%
if %WINSCP_RESULT% equ 0 (
echo Upload Success
) else (
echo Upload Error
)
:END
SET RESULT=%ERRORLEVEL%
if %RESULT% equ 0 (
echo Job Completed Successfully
) else (
::Parentheses are escaped so they do not close the ELSE block
echo Job Ended Badly - Check the log ^(C:\Scripts\Logs\MeshAgentSign.log^)
)
exit
```
@Ylianst ,
Is there any other event that would cause the agents to be 'rewritten?'
This weekend, I signed them - updated the node_modules/meshcentral/agents and then restarted the server. It worked fine. (I could see my digital signature when I downloaded them on a client machine.) I then played with my config.json and also created a few autobackups.
This morning I downloaded the agent and the Digital Signature is showing meshcentral.
Note - I am using the https://url.com/invite to get to the download page
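One way to notice on the server that the "agents" folder has been overwritten, as discussed in this thread. This is an added example, not MeshCentral's own code; the function names, the `record`/`check` sub-commands and the baseline file location are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: detect when the Windows agents in the MeshCentral "agents"
# folder no longer match what was there right after the last signing run.
# File names come from the thread; everything else here is an assumption.
AGENT_FILES="MeshService.exe MeshService64.exe MeshService-signed.exe MeshService64-signed.exe"

# Print one "sha256  name" line per agent file found in directory $1.
snapshot_agents() {
    dir=$1
    for f in $AGENT_FILES; do
        if [ -f "$dir/$f" ]; then
            printf '%s  %s\n' "$(sha256sum "$dir/$f" | cut -d' ' -f1)" "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done
}

# Save the current state of directory $1 to baseline file $2.
# Run this right after uploading the freshly signed agents.
record_baseline() {
    snapshot_agents "$1" > "$2"
}

# Compare directory $1 against baseline file $2 and print the changed files.
# Returns 0 if nothing changed, 1 if something changed, 2 if no baseline exists.
# A changed unsigned MeshService*.exe means new agents shipped: re-sign them.
# A change only in the *-signed.exe files means the signed copies were replaced.
check_agents() {
    dir=$1; state=$2
    [ -f "$state" ] || { echo "no baseline: $state" >&2; return 2; }
    changed=$(snapshot_agents "$dir" | diff "$state" - | sed -n 's/^> [^ ]*  //p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Command-line use: script.sh record|check <agents-dir> <baseline-file>
case "${1:-}" in
    record) record_baseline "$2" "$3" ;;
    check)  check_agents "$2" "$3" ;;
esac
```

Running `check` from cron against "node_modules/meshcentral/agents" and alerting on a non-zero exit status shows when the signed agents need to be copied over or re-signed.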