WinFsp Installer blocked by Windows Smart App Control #527

Open
infeo opened this issue Oct 11, 2023 · 3 comments

Comments

@infeo

infeo commented Oct 11, 2023

Bug Report

Windows Smart App Control blocks installation of WinFsp 2.0.23075 due to violation of a code integrity policy.

How to Reproduce

1. Set up a system with Windows Smart App Control in enforcement mode.
2. Download and execute the WinFsp installer.

I tested the installer with instructions provided by Microsoft with the Smart App Control audit policy without ISG. The reported events can be found here:
winfsp_installation_eventlog.zip.

I'm pretty sure we have a signing issue here, maybe an EV certificate is required. The linked articles also have information about signing.

Behaviors

Expected: Winfsp installer is executed and installed successfully
Actual: Winfsp installer is blocked.

Environment

  • OS version and build:
      Edition: Windows 11 Enterprise Evaluation
      Version: 22H2
      Installed on: 25-Sep-23
      OS build: 22621.2428
      Experience: Windows Feature Experience Pack 1000.22674.1000.0
  • WinFsp version and build: WinFsp 2.0.23075

Misc

I'm a developer of Cryptomator, which uses WinFSP. We had signing issues ourselves, see cryptomator/cryptomator#3130. Maybe someone can draw some clues from there.

@billziss-gh
Collaborator

billziss-gh commented Oct 13, 2023

Thanks for the report.

All executable assets installed by WinFsp are signed either by an EV certificate or Microsoft's own annotation certificate. You can confirm this by right-clicking on executable files installed by WinFsp and selecting Properties > Digital Signatures.


The installer itself is also signed using the same EV certificate.

Looking at the log you provided it suggests that perhaps the problem is with some of the DLL's that are used during installation only. WinFsp includes one such DLL: CustomActions. I believe WiX includes some more:

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SysWOW64\msiexec.exe)
attempted to load \Device\HarddiskVolume4\Users\User\AppData\Local\Temp\MSI2D7E.tmp that did not
meet the Enterprise signing level requirements or violated code integrity policy (Policy
ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the
image was allowed to load.

It looks like WinFsp does not currently sign the CustomActions DLL and perhaps this is the source of this problem. I am unsure if WiX has any DLL's and whether it signs them if it does.

@infeo
Author

infeo commented Oct 16, 2023

> I am unsure if WiX has any DLL's and whether it signs them if it does.

I don't think so. We (at Cryptomator) also stumbled into the trap of an additional, unsigned DLL. But WiX (latest 3.x version) itself did not pose a problem.

@billziss-gh
Collaborator

I include below the event log in text format:

Level	Date and Time	Source	Event ID	Task Category
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3076	(18)	Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\WinFsp\SxS\sxs.20231011T124353Z\bin\launcher-x64.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the image was allowed to load.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3076	(18)	Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\msiexec.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\WinFsp\SxS\sxs.20231011T124353Z\bin\winfsp-x64.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the image was allowed to load.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:59 PM	Microsoft-Windows-CodeIntegrity	3076	(18)	Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SysWOW64\msiexec.exe) attempted to load \Device\HarddiskVolume4\Windows\Installer\MSI457C.tmp that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the image was allowed to load.
Information	10/11/2023 1:43:58 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:58 PM	Microsoft-Windows-CodeIntegrity	3076	(18)	Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SysWOW64\msiexec.exe) attempted to load \Device\HarddiskVolume4\Windows\Installer\MSI4319.tmp that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the image was allowed to load.
Information	10/11/2023 1:43:53 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:53 PM	Microsoft-Windows-CodeIntegrity	3076	(18)	Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SysWOW64\msiexec.exe) attempted to load \Device\HarddiskVolume4\Users\User\AppData\Local\Temp\MSI2EB7.tmp that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the image was allowed to load.
Information	10/11/2023 1:43:53 PM	Microsoft-Windows-CodeIntegrity	3089	(1)	Signature information for another event. Match using the Correlation Id.
Information	10/11/2023 1:43:53 PM	Microsoft-Windows-CodeIntegrity	3076	(18)	Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SysWOW64\msiexec.exe) attempted to load \Device\HarddiskVolume4\Users\User\AppData\Local\Temp\MSI2D7E.tmp that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{5283ac0f-fff1-49ae-ada1-8a933130cad6}). However, due to code integrity auditing policy, the image was allowed to load.

The files that "Code Integrity" is complaining about are:

\Program Files (x86)\WinFsp\SxS\sxs.20231011T124353Z\bin\launcher-x64.exe
\Program Files (x86)\WinFsp\SxS\sxs.20231011T124353Z\bin\winfsp-x64.dll
\Windows\Installer\MSI457C.tmp
\Windows\Installer\MSI4319.tmp
\Users\User\AppData\Local\Temp\MSI2EB7.tmp
\Users\User\AppData\Local\Temp\MSI2D7E.tmp

The first file is the WinFsp "launcher" which is signed with an EV certificate. The second file is the WinFsp DLL and is also signed with an EV certificate. It is not clear what the other files are but my speculation is that: (1) the \Windows\Installer files are the WinFsp MSI being loaded with user and elevated credentials (signed with an EV certificate), and (2) the \AppData\Local files are the CustomActions DLL being loaded with user and elevated credentials (not signed).

So I can perhaps see the complaint about CustomActions, but cannot understand the complaint about the other files.
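
The file list in the comment above can be derived mechanically from a text export of the CodeIntegrity log. The following is an added example, not code from the thread or from WinFsp: it reads tab-separated rows in the shape shown above, keeps only event ID 3076, strips the `\Device\HarddiskVolumeN` prefix and groups loading processes per image. The function names are illustrative and the sample rows are constructed from paths that appear in the log.

```python
import re

# Description text of a CodeIntegrity audit event (ID 3076).
EVENT_RE = re.compile(
    r"determined that a process \((?P<process>.+?)\) attempted to load "
    r"(?P<image>.+?) that did not meet")
# NT device prefix such as \Device\HarddiskVolume4
DEVICE_RE = re.compile(r"^\\Device\\HarddiskVolume\d+")


def audited_images(export_text):
    """Map each audited image path to the processes that loaded it."""
    found = {}
    for row in export_text.splitlines():
        # Columns: Level, Date and Time, Source, Event ID, Task Category, text
        cols = row.split("\t")
        if len(cols) < 6 or cols[3] != "3076":
            continue  # header row and 3089 signature-detail rows
        m = EVENT_RE.search(cols[5])
        if not m:
            continue
        image = DEVICE_RE.sub("", m.group("image"))
        process = DEVICE_RE.sub("", m.group("process"))
        procs = found.setdefault(image, [])
        if process not in procs:
            procs.append(process)
    return found


def is_installer_temp(image):
    """True for MSIxxxx.tmp paths, the temporary images msiexec loaded in this log."""
    return re.search(r"\\MSI[0-9A-Fa-f]+\.tmp$", image) is not None


# Constructed sample rows in the shape of the export (description shortened).
_TEXT = ("Code Integrity determined that a process ({p}) attempted to load {i} "
         "that did not meet the Enterprise signing level requirements.")
_ROWS = [
    ("3089", "Signature information for another event."),
    ("3076", _TEXT.format(
        p=r"\Device\HarddiskVolume4\Windows\System32\msiexec.exe",
        i=r"\Device\HarddiskVolume4\Program Files (x86)\WinFsp\SxS"
          r"\sxs.20231011T124353Z\bin\winfsp-x64.dll")),
    ("3076", _TEXT.format(
        p=r"\Device\HarddiskVolume4\Windows\SysWOW64\msiexec.exe",
        i=r"\Device\HarddiskVolume4\Users\User\AppData\Local\Temp\MSI2D7E.tmp")),
]
SAMPLE = "\n".join(
    "Information\t10/11/2023 1:43:59 PM\tMicrosoft-Windows-CodeIntegrity"
    "\t%s\t(1)\t%s" % r for r in _ROWS)
```

Splitting the result with `is_installer_temp` separates installed binaries, whose signatures can be checked on disk after installation, from temporary images that no longer exist once the installer finishes.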
