AppLocker in whitelisting mode problem with .node file and managing self updates of Signal #4086
Comments
@SebCT are you able to run any other Electron-based applications with AppLocker fine?
Yes, for example TEAMS by Microsoft, which also runs in Local Appdata - Only two Publisher Rules (Program and Update Service) with Product Name TEAMS needed, works excellent and future proof for updates :-) The problem lies in the Node files - AppLocker treats them like DLLs, and those are not signed in the Signal app - so after every update, those files get another hash, so you have to create new additional hash rules, which is a lot of work for permanent updates. Is it possible to do it without those node files (like TEAMS)? I saw that many files are already signed in the Signal app, which is very good - would be awesome if all files could be signed.
@SebCT by Node files do you mean our binaries in node_modules?
Yes! 👍 I provided one as a ZIP File. Here is the DLL rule set: And here the EXE rule set:
Hello :-) Is there any chance to make this application completely and 100% compatible with AppLocker (Allow-Listing mode) without any node files? Saw that a lot of DLLs in the \sharp\vendor\lib\ folder are signed now since Version 1.35, which is very good - would be awesome if those NODE Files are not needed in the future, with every update we have a lot of work to approve that application :-(
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
That is still not resolved, it's important for companies with enterprise grade policies and application allowlisting (AppLocker) that this will be resolved - please open it again, thanks! Suggestion for this: please code sign all DLLs and make those NODE Files also as DLLs which are code signed, too - then Application Allowlisting for the Signal Desktop App is very easily possible as a publisher rule - thanks! This is also listed here from MS - Applications for Windows 10 have to follow these rules:
Bug Description / Feature request
Because Signal runs in local appdata, an AppLocker ruleset is needed for running the program. With Version 1.32.1 we could design a quite good ruleset with Publisher rules (certificate based) and with file hash rules for the .node files (renamed them to .DLL, so AppLocker GPO could read it for creating a rule). I have attached the file here, too.
85cf5267-6209-453c-b9f8-afdda8a8265c.tmp.node.zip
But the problem is with the new signal update today -> the file 85cf5267-6209-453c-b9f8-afdda8a8265c.tmp.node has a new hash for AppLocker, so the program doesn't run.
Of course we can manage it to make an additional file hash rule for this, but this is a lot of work if every signal update has a new node file with a new hash value.
So the question is: is it possible to sign these files, too? There are a lot of files already signed in this app, which is excellent, but these node files are very difficult for us to manage in the future.
One thing that could help us, too, is to disable auto options - is it possible for you to integrate such feature, also with a switch for the installer? Thanks in advance!
Steps to Reproduce
Actual Result:
AppLocker blocks because of a new .NODE file (see screenshot)
Expected Result:
It would be awesome if only a publisher rule and no file hash rule is necessary for whitelisting this application - or to manage the self updates with switches in the installer to disable it - thanks!
Screenshots
Platform Info
Signal Version:
V1.32.2
Operating System:
Windows 10 V1909 Enterprise (Build 18363.752)
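One way to see, before and after an update, which files a publisher rule can cover and which still need a hash rule (an added example, not part of the original issue or the Signal project; the script and its `-Path` parameter are assumptions, and the install folder must be supplied because the page does not give it):

```powershell
# Added example: inventory of signed vs. unsigned binaries for AppLocker planning.
# Assumption: -Path is the folder (or folders) where the application is
# installed or unpacks its native modules; the page does not state the path.
param(
    [Parameter(Mandatory)]
    [string[]]$Path
)

# .exe and .dll are the usual AppLocker EXE/DLL rule targets; .node files are
# Node.js native add-ons, which the thread reports AppLocker treats like DLLs.
$extensions = '.exe', '.dll', '.node'

$report = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        # Assumption: a .node file is a PE image, so its embedded Authenticode
        # signature (if any) is read the same way as for a .dll.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Extension = $_.Extension.ToLowerInvariant()
            Status    = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Only a valid signature can be matched by a publisher rule;
            # everything else needs a hash (or path) rule.
            RuleType  = if ($sig.Status -eq 'Valid') { 'Publisher' } else { 'Hash' }
        }
    }

# Counts per rule type and extension: shows at a glance whether the
# unsigned remainder is made up of .node files only.
$report | Group-Object RuleType, Extension | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize

# Files that would need a new hash rule after every update.
$report | Where-Object RuleType -eq 'Hash' |
    Select-Object Status, File | Format-Table -AutoSize -Wrap

# Distinct signers among the signed files: one publisher rule per signer.
$report | Where-Object RuleType -eq 'Publisher' | Group-Object Signer |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap
```

Run it once per release and compare the 'Hash' list: any entry that appears there is a file whose rule has to be recreated when its content changes.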