Issue 127418 - Windows Installer is unsigned
Summary: Windows Installer is unsigned
Status: CLOSED DUPLICATE of issue 119017
Alias: None
Product: Installation
Classification: Application
Component: ui (show other issues)
Version: 4.1.3
Hardware: All Windows, all
: P5 (lowest) Normal (vote)
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-20 01:40 UTC by Kyle H
Modified: 2018-02-13 23:15 UTC (History)
1 user (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description Kyle H 2017-05-20 01:40:28 UTC 
My organization prohibits (via group policy) the manifested elevation of unsigned executables, such as the installer for Apache OpenOffice.  I am unable to install OpenOffice because of this.  (This policy is a very good way to reduce the installation of malware that otherwise doesn't utilize an exploit to get onto the system.)

Is there any plan in the works to get the installers, executables, and shared libraries signed?

C:\Users\user\Downloads>sigcheck Apache_OpenOffice_4.1.3_Win_x86_install_en-US.exe

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\user\Downloads\Apache_OpenOffice_4.1.3_Win_x86_install_en-US.exe:
        Verified:       Unsigned
        Link date:      17:55 2016-07-24
        Publisher:      n/a
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    32-bit
Comment 1 oooforum (fr) 2017-05-21 12:42:44 UTC 
Already reported

*** This issue has been marked as a duplicate of issue 125360 ***
Comment 2 Kyle H 2017-05-21 19:06:42 UTC 
I object to this issue being closed as a duplicate of #125360.

I am on Windows 10, not on MacOS.  There is a group policy in place which prevents me from installing OpenOffice because of its lack of signature.

I can install (and have installed) LibreOffice, but I'm told that OpenOffice is better than LibreOffice.  It certainly has much more comprehensive SDK documentation available.

More importantly, bug #125360 comment #3 suggests that there is a way to make this happen for Windows builds.  Further, the blog post at https://blogs.apache.org/infra/entry/code_signing_service_now_available states "With projects like Apache OpenOffice, users expect to receive binaries that are ready to run. Today's desktop and mobile operating systems expect that binaries will be signed by the vendor -- which had left a gap to be filled for Apache projects."

That blog post is now over 19 months old.  OpenOffice has not moved forward with altering its build process to produce signed binaries or installers.

Also, bug #125360 comment #4 suggests that OpenOffice has been "fully ready" to sign the Windows version for 18 months, since 11-17-2014.  Why has this not happened yet?
Comment 3 oooforum (fr) 2017-05-22 08:29:56 UTC 
Old debate: http://mail-archives.apache.org/mod_mbox/openoffice-dev/201412.mbox/%3C006901d01357%24e77c4d30%24b674e790%24%40acm.org%3E

If you are interested to do it: your involve is welcome.
Comment 4 Kyle H 2017-05-23 01:55:52 UTC 
Realistically, there's a few issues here.  (I understand that this is probably not the best place to describe it, but I'm bringing a couple of threads together here for this analysis.)

Signing the MSI and installer EXE is the simplest part of this.  They would need to be submitted to Symantec's signing infrastructure, and utilize credits to do so.  (You can test it by using signtool.exe, from the Windows SDK, with a self-signed certificate generated by certtool.exe.  But the signature verifiable with the self-signed certificate won't mean anything, other than "these things can be signed".)

But ideally, the issue doesn't end there.  The freeware source code/text editor Notepad++ had to push a release fairly recently because one of the CIA tool disclosures referred to a persistent implant enabled not because of unsigned DLLs, but because the signatures on the DLLs weren't checked.  See https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html for details.

Note: I'm not saying that OpenOffice has been hacked.  I'm saying that it would be incredibly easy to hack in the same manner, and if it's used for general-purpose office tasks it eventually will be targeted.  (And even if you trust US CIA, there's all sorts of other actors -- not limited to state-level adversaries, but also to any criminal who has or can hire the expertise -- who can do so.)

So, again ideally, it would be good if on Windows all of the DLLs and everything that could be digitally signed (which you can determine by using signtool.exe on every artifact that OpenOffice includes in its installer) had its signature checked before it were loaded.  This would take a LOT more credits in Symantec's infrastructure, and I don't know if Apache would consider it to be worth it.

It would also be awesome if it could be done on MacOSX, but I do understand that there may be other (legal department) reasons why it can't necessarily be done as easily there.

And I don't know of any digital signature standard for binaries or dynamic shared objects on Linux.
Comment 5 Marcus 2018-02-13 23:15:28 UTC 
duplicate

*** This issue has been marked as a duplicate of issue 119017 ***