Installer not continuously signed #8420

stephannn opened this issue Feb 3, 2025 · 1 comment
@stephannn

Please note that security bugs or issues should be reported to security@pgadmin.org.

Describe the bug

At work we use Microsoft AppLocker and most apps in the user context are allowed by certificate. The pgadmin4-8.14-x64.exe admin installer is signed, but during the setup a tmp file is triggered which is not signed. Running the pgadmin4-8.14-x64.exe results in these logs:

pgadmin4-8.14-x64.exe was allowed to run.
%OSDRIVE%\USERS\MyUser\APPDATA\LOCAL\TEMP\2\IS-5LIUQ.TMP\PGADMIN4-8.14-X64.TMP was prevented from running.

A more detailed log can be found in the details tab of the event:

+ System
  - Provider
   [ Name]  Microsoft-Windows-AppLocker
   [ Guid]  {cbda4dbf-8d5d-4f69-9578-be14aa540d22}
   EventID 8004
   Version 0
   Level 2
   Task 0
   Opcode 0
   Keywords 0x8000000000000000
  - TimeCreated
   [ SystemTime]  2025-02-03T13:05:41.1525350Z
   EventRecordID 3634
   Correlation
  - Execution
   [ ProcessID]  7688
   [ ThreadID]  8052
   Channel Microsoft-Windows-AppLocker/EXE and DLL
   Computer MyHost.Contoso.com
  - Security
   [ UserID]  S-1-5-21-****
- UserData
  - RuleAndFileData
   PolicyNameLength 3
   PolicyName EXE
   RuleId {00000000-0000-0000-0000-000000000000}
   RuleNameLength 1
   RuleName -
   RuleSddlLength 1
   RuleSddl -
   TargetUser S-1-5-21-****
   TargetProcessId 11972
   FilePathLength 78
   FilePath %OSDRIVE%\USERS\MyUser\APPDATA\LOCAL\TEMP\2\IS-5LIUQ.TMP\PGADMIN4-8.14-X64.TMP
   FileHashLength 32
   FileHash 6EFEC37D80B39E5C3A74CD9A3364AB17C7E49B7C3F84EF8FA17CB421884FC3AD
   FqbnLength 1
   Fqbn -
   TargetLogonId 0xbdf870a
   FullFilePathLength 71
   FullFilePath C:\Users\MyUser\AppData\Local\Temp\2\is-5LIUQ.tmp\pgadmin4-8.14-x64.tmp

As you can see, the Fqbn is empty.

To Reproduce

Steps to reproduce the behavior:

  1. Set up AppLocker
  2. Allow the used certificate for pgadmin4-8.14-x64.exe:
Get-AppLockerFileInformation .\pgadmin4-8.14-x64.exe | Format-List

RunspaceId : eba501a5-f09d-4946-8ccb-af34bbc368e3
Path       : %OSDRIVE%\USERS\MyUser\DOWNLOADS\PGADMIN4-8.14-X64.EXE
Publisher  : O=ENTERPRISEDB CORPORATION, S=MASSACHUSETTS, C=US\PGADMIN 4\,0.0.0.0
Hash       : SHA256 0x5AD2561749ADA116D5CE93132800C70EE32E2A9BAA32433CFC66BDF3459B920D
AppX       : False

Expected behavior

The installer is continuously signed
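
Added example, not part of the issue report or of pgAdmin's code: a PowerShell helper for triaging the AppLocker 8004 events described above, flagging blocked files that carry no publisher data (Fqbn of "-") and checking their Authenticode status if they still exist on disk. The function name Get-BlockedFileSummary and the sample XML are constructed for illustration; the path and channel name are taken from the report.

```powershell
# Summarise one AppLocker "prevented from running" event (ID 8004) given its XML.
function Get-BlockedFileSummary {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # PowerShell's XML adapter navigates by local name, so namespaces do not matter here.
        $data = ([xml]$EventXml).Event.UserData.RuleAndFileData
        $path = $data.FullFilePath
        [pscustomobject]@{
            FullFilePath = $path
            Fqbn         = $data.Fqbn
            # "-" means AppLocker found no publisher data, so a publisher rule cannot match.
            NoPublisher  = ($data.Fqbn -eq '-')
            # Installer temp files are usually deleted by the time the log is reviewed.
            Authenticode = if ($path -and (Test-Path -LiteralPath $path)) {
                               (Get-AuthenticodeSignature -LiteralPath $path).Status
                           } else { 'FileNotPresent' }
        }
    }
}

# Constructed sample, reduced to the fields used above (values from the report).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8004</EventID></System>
  <UserData>
    <RuleAndFileData>
      <Fqbn>-</Fqbn>
      <FullFilePath>C:\Users\MyUser\AppData\Local\Temp\2\is-5LIUQ.tmp\pgadmin4-8.14-x64.tmp</FullFilePath>
    </RuleAndFileData>
  </UserData>
</Event>
'@
$sample | Get-BlockedFileSummary | Format-List

# On a live host: read the same events from the channel shown in the report
# and keep only the blocks where no publisher information was available.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8004
    } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    Get-BlockedFileSummary |
    Where-Object NoPublisher |
    Format-Table -AutoSize
```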

@adityatoshniwal
Contributor

Hi @dpage,

How do you think we can handle this case?
