Bug 56079 - Digitally sign the Windows binaries
Digitally sign the Windows binaries
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Packaging
8.0.x-trunk
PC All
: P2 enhancement with 2 votes (vote)
: ----
Assigned To: Tomcat Developers Mailing List
:
: 49161 (view as bug list)
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2014-01-28 17:12 UTC by Mark Thomas
Modified: 2014-10-10 17:43 UTC (History)
1 user (show)



Attachments
Screenshot 1 - UAC warning for a signed executable (20.34 KB, image/png)
2014-01-28 19:37 UTC, Konstantin Preißer
Details
Screenshot 2 - UAC warning for a non-signed executable (18.95 KB, image/png)
2014-01-28 19:37 UTC, Konstantin Preißer
Details
Screenshot 3 - Explorer warning for a signed downloaded file (17.04 KB, image/png)
2014-01-28 19:37 UTC, Konstantin Preißer
Details
Screenshot 4 - Explorer warning for a non-signed downloaded file (16.89 KB, image/png)
2014-01-28 19:38 UTC, Konstantin Preißer
Details
Screenshot 5 - IE warning for a non-signed downloaded executable (5.67 KB, image/png)
2014-01-28 19:38 UTC, Konstantin Preißer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Thomas 2014-01-28 17:12:48 UTC
I am currently evaluating a code-signing service for the ASF using Tomcat as a test case. It would help if folks who use Tomcat on Windows could provide use cases where they currently receive a warning so I can figure out what needs to be signed and test those use cases with signed versions.

So far the only test case I have is:
- Windows 7 Pro. Install Tomcat 8.0.0-RC10 form the installer.
  Attempting to use tomcat8w.exe triggers a warning if it is not
  signed. When it is signed there is still a warning but one that
  is less severe and includes the information that it has been signed
  by the ASF.

More test cases welcome. Please provide OS version details and steps to re-create from a clean Tomcat install.

Please add your test cases here.
Comment 1 Konstantin Preißer 2014-01-28 19:37:10 UTC
Created attachment 31260 [details]
Screenshot 1 - UAC warning for a signed executable
Comment 2 Konstantin Preißer 2014-01-28 19:37:31 UTC
Created attachment 31261 [details]
Screenshot 2 - UAC warning for a non-signed executable
Comment 3 Konstantin Preißer 2014-01-28 19:37:56 UTC
Created attachment 31262 [details]
Screenshot 3 - Explorer warning for a signed downloaded file
Comment 4 Konstantin Preißer 2014-01-28 19:38:14 UTC
Created attachment 31263 [details]
Screenshot 4 - Explorer warning for a non-signed downloaded file
Comment 5 Konstantin Preißer 2014-01-28 19:38:37 UTC
Created attachment 31264 [details]
Screenshot 5 - IE warning for a non-signed downloaded executable
Comment 6 Konstantin Preißer 2014-01-28 19:39:00 UTC
Hi Mark,

I wanted to provide some general information on when Windows will show a warning when running an signed or non-signed executables.

Since Windows Vista, Windows has UAC (User Account Control) which ensures that a user which is a member of the Administrators group normally runs programs with non-admin rights, but only when the user explicitely runs a program as Administrator (either because he right-clicked on it and selected "Run as Administrator", or because the EXE has a manifest that requests admin-level access), the programm will run with administrative rights.


1) If the user is an Administrator and UAC is enabled, or the user is not an Administrator, and he wants to start an executable with administrative rights from a program that runs with non-admin rights (e.g. explorer.exe), Windows will show the warning from Screenshot 1 if the executable is signed, and a warning from Screenshot 2 if the executable is not signed.

Note that this does not happen when the executable is started from a process that runs already with admin rights (e.g. when running cmd.exe as Admin), or if you use the integrated Administrator account that is the default account on Server editions of Windows (e.g. Windows Server 2012), as in this case even if UAC is enabled, the integrated Administrator account always runs with admin rights. This does not happen with other Admin accounts that have been created by a user.


2) If the user wants to start a process with the same level (a non-admin explorer starts a process as non-admin, or an admin explorer starts a process as admin), and the file has been downloaded by a browser like Internet Explorer so that is has been marked as downloaded, then Windows will show the warning from Screenshot 3 if the file is signed, and the warning from Screenshot 4 if it is not signed.

You can see if a file is marked as downloaded, when right-clicking on it, selecting "Properties" and then looking at the bottom of the file dialog.
If it shows "Security: This file came from another computer and might be blocked to help protect this computer.", then it is marked as downloaded, but you can remove that mark by clicking on "Unblock".

This warning does only seem to show when the process is started by Explorer.

When you downloaded a .zip file (e.g. downloading Tomcat 8 as .zip), most extractor programs like WinRAR or Windows Explorer will retain the "downloaded" status of the .zip file for every extracted file. I.e. if you extract apache-tomcat-8.0.0-RC10-windows-x64.zip with WinRAR and the zip as been marked as downloaded, then also Tomcat8w.exe will have that mark, so the warning will show when you start Tomcat8w.exe with UAC disabled or from the integrated Administrator account.

Note that with my testing, IE and Chrome both marked .exe and .zip files with this "downloaded" flag, but Firefox only marked .exe files, but not .zip ones.

Additionally, IE shows a warning when downloading a non-signed .exe file, as shown on Screenshot 5.



I tried following use case for installing a Tomcat 8 service on Windows Server 2012 R2 with a newly created administrator account (but with UAC enabled):

1) Downloading the "64-bit Windows zip" with IE and extracting it with Windows Explorer.
2) Opening cmd.exe with non-admin rights (in the explorer window, click menu "File", "Open command prompt".
3) Change to the Tomcat\bin directory, then running "service install"
4) I get the warning from screenshot 3, that "Tomcat8.exe" is from an unknown publisher and wants to to administrative changes on the computer.
5) If I click Yes, this warning disappears, but then displays again two times. So, overall this warning displayed three times when running "service install". (If the Tomcat8.exe was signed, the warnings would show that it is signed, but still would appear three times - I think this install script should be changed so that Tomcat8.exe is only called once).
6) Running Tomcat8w.exe, from the explorer, I get the warning that it is not signed and wants to be run with admin rights.
7) From the cmd.exe, I run "service uninstall", I get the warning for Tomcat8.exe, but only one time.

Note that when running an elevated cmd.exe ("File" -> "Open command prompt" -> "Open command prompt as administator"), I do not get any of the warnings.


When trying the use case with the Windows Service installier (apache-tomcat-8.0.0-RC10.exe), then I get warnings when
1) Running the installer,
2) after installation is complete, run "Configure Tomcat" or "Monitor Tomcat" from the Start screen which both run "tomcat8w.exe".

When I uninstall Tomcat from Control Panel -> Programs and Features, it shows some certificate from Windows or the Windows installer, so there is no warning here that it is unsigned.

So for me, the files where Windows showed a warning that they are not signed, were:
1) apache-tomcat-8.0.0-RC10.exe
2) tomcat8.exe
3) tomcat8w.exe
Comment 7 Konstantin Preißer 2014-01-28 19:43:31 UTC
(In reply to Konstantin Preißer from comment #6)
> 4) I get the warning from screenshot 3, that "Tomcat8.exe" is from an
> unknown publisher and wants to to administrative changes on the computer.

Sorry, that should read "I get the warning from screenshot 2".
Comment 8 Mark Thomas 2014-01-28 19:44:19 UTC
Many thanks. That is all incredibly useful.
Comment 9 Konstantin Kolinko 2014-01-28 19:55:15 UTC
Using signature to verify integrity of files,
on example of TortoiseSVN installer (a *.msi file)
http://tortoisesvn.net/msiverify.html

Looking at files in an installed TortoiseSVN, all *.exe and *.dll files there are signed as well.
Comment 10 Mark Thomas 2014-02-07 19:59:58 UTC
I've fixed the issue with service.bat calling tomcat8.exe three times. It now calls it once.
Comment 11 Mark Thomas 2014-03-07 16:50:10 UTC
*** Bug 49161 has been marked as a duplicate of this bug. ***
Comment 12 Mark Thomas 2014-09-24 20:48:55 UTC
This has been fixed for Tomcat 8.0.14 onwards.

The service runner (tomcat8.exe), the service manager (tomcat8w.exe) and the Windows installer are all now signed.

The uninstaller is not signed. Since it is generated automatically by NSIS and embedded in the installer, I haven't yet figured out a way to sign this.

The other question is do we want to back-port this to 7.0.x?
Comment 13 Konstantin Kolinko 2014-09-24 21:22:05 UTC
(In reply to Mark Thomas from comment #12)
> 
> The uninstaller is not signed. Since it is generated automatically by NSIS
> and embedded in the installer, I haven't yet figured out a way to sign this.

There is the following article at their site:
http://nsis.sourceforge.net/Signing_an_Uninstaller

> The other question is do we want to back-port this to 7.0.x?

I think yes, but we may wait until we get real feedback for using this feature in Tomcat 8.
Comment 14 Mark Thomas 2014-09-25 08:38:41 UTC
Thanks for the uninstaller pointer. I think I can see a way to make that work but, as I suspected, we will need to signing events.
Comment 15 Mark Thomas 2014-10-09 16:12:22 UTC
The build script and installer script have been modified to sign the uninstaller. This change has been made in 8.0.x and will be included in 8.0.15 onwards.
Comment 16 Christopher Schultz 2014-10-10 17:43:14 UTC
(In reply to Konstantin Kolinko from comment #13)
> (In reply to Mark Thomas from comment #12)
> > The other question is do we want to back-port this to 7.0.x?
> 
> I think yes, but we may wait until we get real feedback for using this
> feature in Tomcat 8.

+1 to back-porting, +1 to waiting for feedback