Add Digital Signature for windows version

[wbsdty331]

PuTTY have been add it since 0.67

To help protect against tampering in transit from our website or after downloading, I think it's necessery to add it.

[wbsdty331]

By the way, about Vim Installer,

• Use NSIS 3.0 to build instead of 2.51
  Please add unicode true in nsi file to enable unicode support.
• Change UI to Modern UI
• MultiLanguage for Installer

[k-takata]

Are there any services that provide code signing without charge?

Use NSIS 3.0 to build instead of 2.51

Vim-win32-installer already uses NSIS 3.0, but what is the merit of Unicode support?
Installing Vim to a directory with Unicode characters might cause troubles.
Or, is it needed for supporting translations of the installer?

[wbsdty331]

just add unicode true in nsi file.

About code signing

Globalsign provide free signature for open source project:https://www.globalsign.com/ssl/ssl-open-source/

or https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

But Vim is a very famous project, You can find Digicert, Thawte Or comodo to get a digital signature

[chrisbra]

What problem does unicode true solve? About the other two points, could you provide a patch for that?

[k-takata]

just add unicode true in nsi file.

I want ask you the purpose/merits of the setting.
(One obvious demerit would be that the installer won't work on Win9x, but it won't matter.)

https://www.globalsign.com/en/ssl/ssl-open-source/

Hm, this seems SSL certificate. Maybe we can use this when we support HTTPS on www.vim.org (and this is requested several times, e.g. #671). But not for code signing?

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

Seems good, but this is up to Bram for the official installers.
Not sure we can use it safely on AppVeyor for the vim-win32-installer binaries.

[k-takata]

Change UI to Modern UI

There are at least two versions to use MUI2:

• [patch] Switch the NSIS installer to MUI2 #279
• https://github.com/gpwen/vim-installer-mui2

(Don't know which is better/newer.)
They are already listed in the todo.txt:

vim/runtime/doc/todo.txt

Lines 834 to 845 in 84dbd49

	Improve the installer for MS-Windows. There are a few alternatives:
	- Add silent install option. (Shane Lee, #751)
	- Installer from Cream (Steve Hall).
	- Modern UI 2.0 for the Nsis installer. (Guopeng Wen)
	https://github.com/gpwen/vim-installer-mui2
	- make it possible to do a silent install, see
	http://nsis.sourceforge.net/Docs/Chapter4.html#4.12
	Version from Guopeng Wen does this.
	- MSI installer: https://github.com/petrkle/vim-msi/
	- The one on Issue 279.
	Problem: they all work slightly different (e.g. don't install vimrun.exe).
	How to test that it works well for all Vim users?

[wbsdty331]

SSL you can also use Let's Encrypt and get a free ssl

About code signing, I mean, Vim is a very famous open-source project, You can find Digicert, Thawte, Comodo... and so on, to get a free code signing certificate.

[brammool]

Liu Yixuan wrote:

SSL you can also use Let's Encrypt and get a free ssl

About code signing, I mean, Vim is a very famous open-source project,
You can find Digicert, Thawte, Comodo... and so on, to get a free code
signing certificate.

Vim is still hosted on SourceForge, and they don't support SSL.

Not sure how SSL signing is related to signing a .exe.

ARTHUR: A scratch? Your arm's off!
BLACK KNIGHT: No, it isn't.
ARTHUR: Well, what's that then?
BLACK KNIGHT: I've had worse.
The Quest for the Holy Grail (Monty Python)

/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \
\ an exciting new programming language -- http://www.Zimbu.org ///
\ help me help AIDS victims -- http://ICCF-Holland.org ///

[k-takata]

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

I checked this again. I thought this can be used without charge, but it was wrong. It's €14.00/year, not so expensive, but I suppose Bram wants to use money for Uganda children rather than code signing. ;-)
Don't know about other services.

[wbsdty331]

Other CA

• Digicert : [email protected] or [email protected]
• Comodo : [email protected]
• GlobalSign : [email protected]
• Thawte : [email protected] or [email protected]

[chrisbra]

@wbsdty331 please make clear, if you are talking about ssl encryption of the website or about signing the executable. Note also #671 and the referenced bug at sourceforge

[DemiMarie]

For the website, Let's Encrypt provides free certificates.

[jones77]

Think OP means signing the executable. The SSL related information seems to be a red herring.

I'm behind a corporate firewall where you can't install unsigned, untrusted binaries. Signing this for Windows would be helpful.

[stefan-wenig]

I'm looking for OSS projects that would like to test-drive our code signing service. For free-as-in-freedom projects it's free as in free beer.

Prerequisites for a free OSS subscription and certificate: FLOSS license, source code on GitHub/Bitbucket/Gitlab, builds on AppVeyor.

How it works:

1. get a free SignPath.io subscription from me
2. integrate your appveyor build with SignPath.io: https://about.signpath.io/documentation/build-system-integration/#appveyor
3. SignPath Foundation provides a code signing certificate

[chrisbra]

@stefan-wenig that sounds very interesting. What other open source projects are using your code signing service already?

@brammool we could test this with the vim/vim-win32-installer repository. I can have a look tomorrow.

[stefan-wenig]

So far: GitExtensions.

[chrisbra]

@stefan-wenig can you get me a SignPath.io subscription? If I read the documentation correctly, I need to disable the appveyor cache, is this right?

[stefan-wenig]

@chrisbra please contact me at [email protected], I need your email address (the one you use for GitHub login)
Yes cache must be disabled so we can make sure that the build is 100% from source. Maybe you can disable cache only for specific builds, branches etc. - would have to check AppVeyor docs

[chrisbra]

thanks. I think I have set it up according to your docs. vim/vim-win32-installer#118

[chrisbra]

@stefan-wenig BTW: it looks like the sample appveyor hook in the documentation https://about.signpath.io/documentation/build-system-integration/#appveyor has an extra linebreak between <Organization_ID> and /Integrations/...
I guess, that linebreak should not be there and the /Integrations belongs to the URL. At least, that confused me a bit.

[stefan-wenig]

I can see you already set up mutual permissions. Allow for a few days for release certificate issuance. You can use the test-signing policy right away.

Next step: Decide what you want to sign.

Simple: sign just the installer exe file. This removes SmartScreen warnings. (The initial default artifact configuration will do this.)

Advanced: Sign all executable files in your build. This is really how it should be done. Installation time signing removes the most visible problem, but security benefits immensely from deep signing.
Just create a ZIP file containing everything that needs to be signed at the end of your build (nested ZIPs are fine). Send a sample ZIP to [email protected], we have a tool that creates the artifact config (not online yet)

However, while this would sign the standalone executables in gvim*.zip, it would not sign the files that your installer extracts. There are two ways to resolve this:

1. Switch to MSI installers. SignPath has native support for MSI deep signing. There are many other advantages to MSI too, mostly from a user perspective, but it's a bit more involved than NSIS for the developer.
2. Split your builds in two steps: build the executables (and sign them), then build the installer (and sign it) in another build configuration using another SignPath artifact configuration. I don't like it, AppVeyor and SignPath don't really support it, but it's possible.

[stefan-wenig]

I guess, that linebreak should not be there and the /Integrations belongs to the URL. At least, that confused me a bit.

You're right, I'll have it fixed. Thanks!

[chrisbra]

I think I configured it to sign all *.exe artifacts. For now this is just to see if this works, so it should sign the installer. BTW: what signing-policy would you recommend? I have for now used test-signing, mainly because release-signing is pending (and it should probably only be used for official releases anyhow).

Another thing, that was not clear to me: For which windows versions is the signature valid (e.g. Windows includes the relevant root CA certificate)? Or does it work out of the box? (I just tried the gitextensions installer and I did not get a warning message, so at least my Win 10 desktop system seems to be fine).

Regarding the installer: Switching the installer is a big step, @k-takata just recently did invest a huge amount of work to overhaul the current installer. I am sure he appreciates it to not do this again at this time ;)

Once the current setup works, we'll see how to make your second alternative work, I see you also provide Powershell scripts to do this, so perhaps this is an alternative.

[stefan-wenig]

I think I configured it to sign all *.exe artifacts.

Note that the path pattern must match a single artifact. If you want to sign more than one, create a ZIP file.

I have for now used test-signing, mainly because release-signing is pending (and it should probably only be used for official releases anyhow).

Exactly.

The test certificate is self-signed. See https://github.com/SignPath/Website/blob/v2/src/documentation/5_test_certificates.md (not yet published)

The release certificate will be from Thawte, accepted everywhere. Note that SmartScreen is different, there will still be warnings in the first days: https://about.signpath.io/code-signing/windows-platform/#microsoft-smartscreen

I am sure he appreciates it to not do this again at this time ;)

Understood.

I see you also provide Powershell scripts to do this, so perhaps this is an alternative.

Only if you bring your own certificate. For OSS projects we provide free certificates under our Name (SignPath Foundation), which means we are the publisher, technically and legally, so you must follow a verifiable process. Our certificate guarantees that the binary was built from source. Currently we only support downloading artifacts from finished AppVeyor builds.

So for now, if you want deep signing for NSIS installers, you'll have to break up your build. Sorry for the inconvenience.

[chrisbra]

thanks for the information.

I merged the PR yesterday, unfortunately, signing the executable failed:

Error calling webhook https://app.signpath.io/API/v1/47c0047c-0c1d-42b2-a16c-4ea6907dc813/Integrations/AppVeyor?SigningPolicyId=b060c819-3eff-411b-8b86-60d7e0161751: Response status code does not indicate success: 400 (Bad Request).

Perhaps you can have a look.

So for now, if you want deep signing for NSIS installers, you'll have to break up your build. Sorry for the inconvenience.

Okay, so let me summarize:

1. for signing the executables inside the zip archive, we would send you the zip file, you analyze it and then we can adjust the appveyor configuration to have zip files signed.
2. for signing the executables inside the installer, we would need to break up our build scripts to sign all executables separately before creating the installer (that also needs to be signed). This could be avoided by using MSI installers.
3. release certificates will come eventually and could then be used to manually sign the builds that e.g. Bram creates whenever he tags a new release.

I guess point 2 and 3 would be nice to have for the future, but for now I would be satisfied with a single signed nsis installer and all the binaries inside the zip file.

Thanks for providing such a nice service!

[stefan-wenig]

400 (Bad Request)

Unfortunately, AppVeyor will not display error messages for fear of exposing secrets. We work around that by sending errors per e-mail to the notification address, just set it: https://app.signpath.io/Web/47c0047c-0c1d-42b2-a16c-4ea6907dc813/CIUsers/e3cc379e-2276-4047-89be-388657d688a2/ChangeNotificationEmailAddress

1. for signing the executables inside the zip archive, we would send you the zip file, you analyze it and then we can adjust the appveyor configuration to have zip files signed.

correct

2. for signing the executables inside the installer, we would need to break up our build scripts to sign all executables separately before creating the installer (that also needs to be signed). This could be avoided by using MSI installers.

correct

3, for signing the executables inside the installer, we would need to break up our build scripts to sign all executables separately before creating the installer (that also needs to be signed). This could be avoided by using MSI installers.

You'd just choose the release-signing policy ID for certain branches/tags https://www.appveyor.com/docs/branches/#build-on-tags-github-gitlab-and-bitbucket-only or using AppVeyor conditions (never tried that)

If you don't want to sign a certain build, just don't approve it in signpath.

I guess point 2 and 3 would be nice to have for the future, but for now I would be satisfied with a single signed nsis installer and all the binaries inside the zip file.

Someone really needs to write a NSIS to WIX/MSI converter ;-)

Yes, siging the installer will solve the most annoying problem, i.e. SmartScreen and UAC installer warnings. But unsinged executables make me sad.

Maybe we can someday provide an easier way.

Thanks for providing such a nice service!

You're most welcome, and thanks for testing it!

[stefan-wenig]

Someone really needs to write a NSIS to WIX/MSI converter ;-)

probably not gonna happen though http://lists.wixtoolset.org/pipermail/wix-users-wixtoolset.org/2016-February/001411.html

[chrisbra]

@stefan-wenig thanks, I don't know how to set the product name for the installer. @k-takata do you know?
I just switched the signing-policy to release.

[k-takata]

Is it a version resource of the installer?
This one? https://nsis.sourceforge.io/Reference/VIAddVersionKey

[stefan-wenig]

According to the description that would be it, I'm not into NSIS though.

[chrisbra]

@k-takata sounds like it. The last signing-request failed I believe of this:

 <?xml version="1.0" encoding="utf-8" ?>
 <artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
   <!-- Enter a description of what to sign or choose one of the ready to use samples -->
   <pe-file path="gvim*.exe" productName="Vim">
     <authenticode-sign />
   </pe-file>
 </artifact-configuration>

[k-takata]

So we need to add a patch something like this?

--- a/nsis/gvim.nsi
+++ b/nsis/gvim.nsi
@@ -87,6 +87,14 @@ RequestExecutionLevel highest
 !endif
 
 ##########################################################
+# Version resources
+
+VIAddVersionKey /LANG=${LANG_ENGLISH} "ProductName" "Vim"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "CompanyName" "Vim Developers"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "LegalTrademarks" "Vim"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "FileDescription" "Vi Improved - A Text Editor"
+
+##########################################################
 # MUI2 settings
 
 !define MUI_ABORTWARNING

[chrisbra]

looks good. Can we test this in the vim-win32-installer repo?

[k-takata]

I think we can use the patch directory in vim-win32-installer before including this.
Could you try it?

[chrisbra]

Yes, that was what I meant. Will create a PR for that later today, thanks.

[k-takata]

Sorry, the patch was wrong. ${LANG_ENGLISH} was not defined at that point.
I hope this should work:

diff --git a/nsis/gvim.nsi b/nsis/gvim.nsi
--- a/nsis/gvim.nsi
+++ b/nsis/gvim.nsi
@@ -173,6 +173,14 @@ Page custom SetCustom ValidateCustom
     !include "lang\tradchinese.nsi"
 !endif
 
+##########################################################
+# Version resources
+
+VIAddVersionKey /LANG=${LANG_ENGLISH} "ProductName" "Vim"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "CompanyName" "Vim Developers"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "LegalTrademarks" "Vim"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "FileDescription" "Vi Improved - A Text Editor"
+
 
 # Global variables
 Var vim_dialog

[k-takata]

Updated again:

--- a/nsis/gvim.nsi
+++ b/nsis/gvim.nsi
@@ -173,6 +173,17 @@ Page custom SetCustom ValidateCustom
     !include "lang\tradchinese.nsi"
 !endif
 
+##########################################################
+# Version resources
+
+VIAddVersionKey /LANG=${LANG_ENGLISH} "ProductName" "Vim"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "CompanyName" "Vim Developers"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "LegalTrademarks" "Vim"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "LegalCopyright" "Copyright (C) 1996"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "FileDescription" "Vi Improved - A Text Editor"
+VIAddVersionKey /LANG=${LANG_ENGLISH} "FileVersion" "${VER_MAJOR}.${VER_MINOR}.0.0"
+VIProductVersion "${VER_MAJOR}.${VER_MINOR}.0.0"
+
 
 # Global variables
 Var vim_dialog

[chrisbra]

Finally, signing the daily artifact using release signing happened yesterday successfully. I manually uploaded a signed 64 bit installer to the release section on the vim-win32-installer:
https://github.com/vim/vim-win32-installer/releases/tag/v8.1.1336

@stefan-wenig would it be possible to create stable URLs for downloading the artifacts? So instead of
https://app.signpath.io/Web/47c0047c-0c1d-42b2-a16c-4ea6907dc813/SigningRequests/1d6db0ad-c662-46d6-9cd1-17eeaaff0b6c/DownloadSignedArtifact

which does not contain the SigningRequest ID as part of the URL but e.g. the binary and Version Number so we could add the link easily to the github release page?

[stefan-wenig]

Congratulations!
We've been thinking about new APIs (e.g.
build job ID) and/or notification Webhooks that you can react to. Product manager is on a sailing trip though, so non-emergency changes will be a month at least.

[chrisbra]

@stefan-wenig thanks there is no hurry. For the time being, I'll upload new signed releases every once in a while. And to get the zip files signed as well, that is still on my personal todo list.

@brammool how about applying this additional patch for the nsis installer so set the version number and name? https://github.com/vim/vim-win32-installer/blob/master/patch/01_nsis_progname.patch

[brammool]

@stefan-wenig thanks there is no hurry. For the time being, I'll upload new signed releases every once in a while. And to get the zip files signed as well, that is still on my personal todo list. @brammool how about applying this additional patch for the nsis installer so set the version number and name? https://github.com/vim/vim-win32-installer/blob/master/patch/01_nsis_progname.patch

That looks harmless, I'll include it.

…

-- If you had to identify, in one word, the reason why the human race has not achieved, and never will achieve, its full potential, that word would be "meetings." /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

[stefan-wenig]

@chrisbra I manually created a signing request for the x86 version of v8.1.1359
Just tell me when you want to upload a release version, I'll do it again. Multi-job support will be deployed with the next version.

[chrisbra]

@stefan-wenig thanks, I have approved and uploaded the artifact to https://github.com/vim/vim-win32-installer/releases/tag/v8.1.1359

[wbsdty331]

OK It seems works good, But...

• This description is too long, How about change to VI Improve Installer ?

[k-takata]

@chrisbra

Where is that shown?

I can see it at the UAC dialog box.

[chrisbra]

ah that seems to come from the certificate. Perhaps @stefan-wenig knows how to adjust that.

[stefan-wenig]

It's hard coded. We weren't aware that UAC shows the entire descrtiption. Unfortunately, no two code signing mechanims act the same. We'll shorten it significantly asap.

[chrisbra]

@brammool How about including this patch to the nsis installer:
https://github.com/vim/vim-win32-installer/blob/master/patch/01_patchlevel_nsis_installer.patch

It simply adds the Patchlevel to the Productversion of the installer.

[brammool]

Christian wrote:

@brammool How about including this patch to the nsis installer: https://github.com/vim/vim-win32-installer/blob/master/patch/01_patchlevel_nsis_installer.patch It simply adds the Patchlevel to the Productversion of the installer.

Yes, that looks fine.

…

-- Have you heard about the new Beowulf cluster? It's so fast, it executes an infinite loop in 6 seconds. /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

[stefan-wenig]

News:

• SignPath now supports multiple jobs per AppVeyor build (fetches both x86 and x64 automatically)
• The UAC string now only shows gvim_8.1.1432_x64_signed.exe by github.com/vim/vim-win32-installer (the vim-win32-installer part is not essential, but that was the quick fix)

I'll report back when we provide a mechanism for automatic release uploads.

[chrisbra]

I think this can be closed