Difference between revisions of "Signing Kiwix"

From Kiwix

Latest revision as of 06:58, 29 November 2022

On most OSes nowadays, signed software is the standard and non-signed software is flagged as insecure. It is important that Kiwix signs its binaries so that beginners (one of our main target audiences) feel safe when using Kiwix.

It is important to note that signing software does not add that much more security by itself. Still, it gives the user two pieces of information:

  1. The software being executed has been produced by the entity who signed it. In our case, the user will know that this version of Kiwix has been made by Kiwix developers and not someone else.
  2. The software being executed has not been altered. It is the officially released version.

The methods to sign packages vary depending on the target system.

Mac OS X

In OSX, starting with version 10.7, launching an unsigned application results in a big warning. It completely prevents the user from launching it unless they do one of the following:

  • Right-click the application to specifically request opening it (this must happen every time the software is launched)
  • Edit System Preferences to allow all non-signed packages to be executed.

Required

  • An Apple Developer Connection account with a Mac Developer Program subscription ($99/year). I believe we only need to pay this the first year (to get the certificate), but we will have to verify that later. It is separate from iOS, so if we want to publish an iOS version, that is another $99/year.
  • Request an Apple certificate. Note: OSX accepts only Apple certificates, despite what other certificate sellers claim.

From there, we will have a certificate installed on our build machine (buildbot) and the process is simple:

# sign frameworks (one codesign call per dylib)
codesign --force --verify --verbose --sign "Developer ID Application: <KiwixID>" Kiwix.app/Contents/Frameworks/libclucene.dylib

It is important to know that we need to sign every single dylib, and Kiwix ships a lot of them.

We will have to add another step to the buildbot recipe to sign the build. This step will happen after everything is built but before the dmg is closed.
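As an added example (not the page's or the Kiwix project's own buildbot recipe), a small POSIX shell script that carries out the steps above for the whole bundle: it signs each dylib under Contents/Frameworks, then the bundle itself, then verifies the result before the dmg is assembled. The bundle path and the "Developer ID Application: <KiwixID>" identity are assumed inputs, and the CODESIGN variable is a hypothetical override so the script can be dry-run on a non-macOS host.

```shell
#!/bin/sh
# Added example (not the Kiwix buildbot recipe): sign every dylib under the
# bundle's Frameworks directory, then the bundle itself, then verify the result.
# Assumes the bundle path and the signing identity are passed in; CODESIGN is a
# hypothetical override (e.g. CODESIGN=true) for dry runs on non-macOS hosts.
set -eu

CODESIGN="${CODESIGN:-codesign}"

# Sign each dylib individually, then the bundle; prints the number of dylibs signed.
sign_bundle() {
  app="$1"        # e.g. Kiwix.app
  identity="$2"   # e.g. "Developer ID Application: <KiwixID>"
  count=0
  for lib in "$app"/Contents/Frameworks/*.dylib; do
    [ -e "$lib" ] || continue          # glob matched nothing: no frameworks
    "$CODESIGN" --force --verify --verbose --sign "$identity" "$lib"
    count=$((count + 1))
  done
  # The bundle is sealed last so its signature covers the already-signed frameworks.
  "$CODESIGN" --force --verify --verbose --sign "$identity" "$app"
  echo "$count"
}

# Verify the whole bundle, including nested code, before the dmg is assembled.
verify_bundle() {
  "$CODESIGN" --verify --deep --strict --verbose=2 "$1"
}

# Usage on the build machine:
#   sign_bundle Kiwix.app "Developer ID Application: <KiwixID>" && verify_bundle Kiwix.app
```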

Windows

Windows is a little more permissive than OSX. In Windows, the default behavior is to display a warning dialog asking the user if he really wants to launch unknown software.

On Windows, most of the time, only the installer is signed because every action conducted by a signed binary inherits its authorization.

For Kiwix, we will still need to sign both the installer and kiwix.exe since we also use kiwix.exe directly in Live/Portable mode. Should we want to have an additional program for autorun, we would have to sign that too.

Required

  • Windows 7 box with Windows 7 SDK and .NET 4 Framework
  • Certificate from COMODO or GoDaddy (~$170 for 3 years).

signtool sign /f MyCert.pfx /p MyPassword Kiwix.exe