[Bug]: Invisible.vbs not digitally signed #514
Comments
Romanitho
added
good first issue
|
Apologies, missed those! Thanks for coming back on it so quickly! |
Romanitho
added
enhancement
|
It is not really a bug, as it is working with standard config. It's related to your security level... but it's in the pipe :) |
|
Thank you! |
|
I do not want to be devils advocate here but you can trust file by hash. If you have AppLocker in your company, it means that it is managed. The mouse doesn't bite. |
|
Thanks Andrzej. All the powershell scripts are signed so I thought it might be an accidental oversight. Sounds like there are plans to work around it which is great to hear, and I’m very grateful to the devs. Edit: Whoops, shouldn't reply to github comments with my email signatures on! |
|
eh.. wrong issue.. |
They're actually not signed. |
|
Not by community, you would have to sign them by yourself or trust via AppLocker/WDAG rules. |
Thought I was going crazy for a second when I checked this morning - the one on my PC is signed, the one in the repo isn't! I assume the Winget AutoUpdate Intune Store App is signing them (signing certificate matches that project's author). Will raise it on that project, apologies for the confusion! |
|
This project is a fork of our. And seams to be not maintained anymore. Still blocked on our 1.17 that contains security issue. |
|
Thanks for letting me know! |
|
That is an interesting case.
Someone forked $thiscode, could have made any alterarion, then signed files with a string suggesting it is still "ours".
Imagine what else could have been added as a bonus!
I cannot stress that enough.
Always pick the original source.
Read the text > decide if you trust it > sign it/countersign it by yourselves if signing with a trusted cert is required.
The fact that something is signed means nothing from security perspective. All declarations of war were signed:)
All windows updates are signed.
If WAU gets code signed with a publicly trusted certificate and you will be trusting that certificate, then and only then it will prove that code was not altered on the way by rouge forkers or anyone with malicious intents.
It may still contain some bugs.
…________________________________
From: StreamCalm ***@***.***>
Sent: 11 December 2023 09:33
To: Romanitho/Winget-AutoUpdate ***@***.***>
Cc: Andrzej Demski ***@***.***>; Comment ***@***.***>
Subject: Re: [Romanitho/Winget-AutoUpdate] [Bug]: Invisible.vbs not digitally signed (Issue #514)
Thanks for letting me know!
—
Reply to this email directly, view it on GitHub<#514 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASAJCPW27IALI4ECTK646ETYI3APLAVCNFSM6AAAAABAKWPPW2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBZGU2TCNBWGQ>.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
Thanks Andrew, sage advice! |
|
This issue is stale because it has been open for 30 days with no activity. |
|
This issue was closed because it has been inactive for 14 days since being marked as stale. |
The problem
The invisible.vbs script isn't signed and so is blocked by AppLocker/WDAC policies requiring scripts to be signed (eg. error below from AppLocker).
Event 8007 %OSDRIVE%\PROGRAMDATA\WINGET-AUTOUPDATE\INVISIBLE.VBS was prevented from running.Would be good to sign these like the powershell scripts to avoid hash based rules which will break with any changesi
What version of WAU has the issue?
1.04.0034
What version of Windows are you using (ex. Windows 11 22H2)?
Windows 11 23H2
What version of winget are you using?
1.6.3133
Log information
No response
Additional information
No response
The text was updated successfully, but these errors were encountered: