Digitally sign produced binaries? (VS Extension)

[fredrikeriksson]

Some organizations use AppLocker to block untrusted binaries, and the Reqnroll VS Extension is one such binary that get's blocked as it is invoked by VS, and thus intellisense for Reqnroll is not working.

The best (most secure) way to white list a binary is to trust the Digital Signature of a binary.
A work around is to white list a directory but that is not the prefered way to do it and should be avoided if possible.

Are there any plans of digitally signing the produced binaries? (Not to be confused with Strong Naming)

[Code-Grump]

I don't believe there's any plan to do this, but if it's something that's valuable we can look into it.

I can foresee the only real questions are going to be around the burden of certificate management.

[gasparnagy]

Thanks for bringing up this topic. I'm also not an expert of this, but when I did a research earlier for a work project I found that there are two kind of certificates that could be potentially used for such thing (see here for details):

• Organization Validation (OV) or Standard Certificates - these are just public/private key pairs that you need to store and protect yourself
• Extended Validation (EV) Certificates - these require hardware key or a signing service, so more trustful

None of them are for free and but the EV certificates are significantly more expensive.

So my first question would be whether a signature with an OV certificate would be enough for getting into the white list or automatic white listing works only with EV certificates? (E.g. to avoid untrusted warning for Windows installers, you need an EV certificate.)

[fredrikeriksson]

As far as I understand OV should be enough for AppLocker whitelisting, although there is no automatic whitelisting in that regard, orgs who opt in to that kind of tooling often curate the whitelist themself. EV is mostly used for SmartScreen as far as I've gathered, and that is more automatic.

So yes, OV should be enough, and you always have the possibility to upgrade to EV later on if big enough problems pop up elswere but I doubt it :)

[Insire]

SignPath could be an option: https://signpath.org/

[fredrikeriksson]

This indeed seems to be a good option, and they even seem to have a free offering for OSS which would relieve you of much of the hassle.
There seem to be some requirements on how you need to do things but you should be able to meet them.

As always there is tradeoffs, they would be a part of the chain, and a chain is only as strong as its weakest link.
Although, it shouldn't be a issue as they most likely have a much higher security hygiene than one self could establish, but it is nonetheless importante to have in mind.