Idea

Jon Abbott suggested · 2 Likes

Post digitally-signed cryptographic hashes for verifying FlexSim installer integrity/authenticity

I would like to suggest posting cryptographic hashes alongside installer download links to ensure installer integrity and authenticity. I would recommend SHA-2 or newer, as earlier hash functions have collisions or other known issues. It would also be useful to sign the cryptographic hashes with digital signatures to ensure that the hashes have not been tampered with. Thanks for considering my suggestion.

installer, security, file authenticity, file integrity

2 Comments

Phil BoBo commented (edited) · 3 Likes

The FlexSim installer is already digitally signed and ships with the digital certificate that Windows verifies. You can see it when you run the installer and the UAC prompt appears. The UAC prompt shows "Verified Publisher: FlexSim Software Products, Inc." if the file has not been tampered with:

You can press the Show details button to look more closely at the digital certificate that it is signed with. Our installers are signed with a Symantec Class 3 Extended Validation Code Signing certificate.

If the file has been tampered with, then Windows will show "Publisher: Unknown" instead of our verified publisher name:

Also, if you are using Windows 8 or later, the Microsoft SmartScreen will appear and warn you if the installer has been tampered with, even if it has been signed by an untrustworthy actor (such as someone signing it locally with a faked publisher name).


Jon Abbott commented ·

Great, that is good to know. Thanks. I didn't realize it would show "Unknown" as the publisher if the file was tampered with.

0 Likes 0 ·
Jon Abbott commented · 0 Likes

Hi @phil.bobo, I just downloaded the 64-bit .msi version of FlexSim 19.0.2 and it is saying the publisher is unknown. Please see the image below. I downloaded the file twice to confirm that it wasn't a result of file corruption while downloading. Are the latest .msi versions of FlexSim still being digitally signed?


Phil BoBo ♦♦ commented ·

Thanks for pointing this out. This was a bug introduced in our build process between 19.0.0 and 19.0.1. The script that signs the msi files had a problem with the directory path so it wasn't signing them.

I've fixed the issue with the build process.

I will sign the 19.0.2 msi files and re-upload them. I'll comment back here once they are ready to download.

0 Likes 0 ·
Jon Abbott (replying to Phil BoBo ♦♦) commented ·

Thank you for the update, Phil. For now, I downloaded and used the .exe installer which doesn't appear to be affected by this issue.

0 Likes 0 ·
Phil BoBo ♦♦ (replying to Jon Abbott) commented ·

Yeah, the exe and the msi files embedded in the exe should have been signed just fine.

I've now signed the 19.0.2 msi files on the website. If you download them again, they should be signed properly.

Thanks again for bringing this to our attention.

0 Likes 0 ·
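
The failure discussed in this thread (a signing step that silently skipped the .msi files because of a directory path problem) is the kind of thing a release gate catches before upload. The following is an added example, not FlexSim's build script and not code from any participant in the thread: it checks every installer in an output folder for a valid Authenticode signature from the expected publisher and records a SHA-256 hash for each. The function name `Test-ReleaseSignatures` and the `./dist` path are hypothetical; the publisher string is the one quoted in the thread.

```powershell
# Added example (not FlexSim's build script). Run on Windows after signing, before upload.
# Assumptions: the function name and the ./dist path are hypothetical.
function Test-ReleaseSignatures {
    param(
        [Parameter(Mandatory)] [string] $ArtifactDir,
        # Publisher name as quoted from the UAC prompt text in the thread.
        [string] $ExpectedPublisher = 'FlexSim Software Products, Inc.'
    )

    $artifacts = Get-ChildItem -LiteralPath $ArtifactDir -Recurse -File |
        Where-Object { $_.Extension -in '.msi', '.exe' }

    # An empty match is itself a failure: a wrong directory path must not pass silently.
    if (-not $artifacts) {
        throw "No .msi or .exe files found under '$ArtifactDir'"
    }

    $results = foreach ($file in $artifacts) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File      = $file.Name
            Status    = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Publisher = $subject
            SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            # Pass only when Windows validates the signature AND the signer is the expected one.
            Pass      = ($sig.Status -eq 'Valid') -and $subject.Contains($ExpectedPublisher)
        }
    }

    $results | Format-Table File, Status, Pass, SHA256 -AutoSize | Out-Host

    $failed = @($results | Where-Object { -not $_.Pass })
    if ($failed.Count -gt 0) {
        throw "Unsigned or wrongly signed artifacts: $($failed.File -join ', ')"
    }
    return $results
}

# Usage: fail the build step if any installer under ./dist is not properly signed.
Test-ReleaseSignatures -ArtifactDir './dist'
```

End users can run `Get-AuthenticodeSignature` on a downloaded installer themselves to see the same status that drives the "Verified Publisher" versus "Publisher: Unknown" text in the UAC prompt.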