I would like to suggest posting cryptographic hashes alongside installer download links to ensure installer integrity and authenticity. I would recommend SHA-2 or newer, as earlier hash functions have collisions or other known issues. It would also be useful to sign the cryptographic hashes with digital signatures to ensure that the hashes have not been tampered with. Thanks for considering my suggestion.
The FlexSim installer is already digitally signed and ships with the digital certificate that Windows verifies. You can see it when you run the installer and the UAC prompt appears. The UAC prompt shows "Verified Publisher: FlexSim Software Products, Inc." if the file has not been tampered with:
You can press the Show details button to look more closely at the digital certificate that it is signed with. Our installers are signed with a Symantec Class 3 Extended Validation Code Signing certificate.
If the file has been tampered with, then Windows will show "Publisher: Unknown" instead of our verified publisher name:
Also, if you are using Windows 8 or later, the Microsoft SmartScreen will appear and warn you if the installer has been tampered with, even if it has been signed by an untrustworthy actor (such as someone signing it locally with a faked publisher name).
Great, that is good to know. Thanks. I didn't realize it would show "Unknown" as the publisher if the file was tampered with.
Hi @phil.bobo, I just downloaded the 64-bit .msi version of FlexSim 19.0.2 and it is saying the publisher is unknown. Please see the image below. I downloaded the file twice to confirm that it wasn't a result of file corruption while downloading. Are the latest .msi versions of FlexSim still being digitally signed?
Thanks for pointing this out. This was a bug introduced in our build process between 19.0.0 and 19.0.1. The script that signs the msi files had a problem with the directory path so it wasn't signing them.
I've fixed the issue with the build process.
I will sign the 19.0.2 msi files and re-upload them. I'll comment back here once they are ready to download.
Thank you for the update, Phil. For now, I downloaded and used the .exe installer which doesn't appear to be affected by this issue.
Yeah, the exe and the msi files embedded in the exe should have been signed just fine.
I've now signed the 19.0.2 msi files on the website. If you download them again, they should be signed properly.
Thanks again for bringing this to our attention.
FlexSim can help you understand and improve any system or process. Transform your existing data into accurate predictions.
FlexSim is a fully 3D simulation software environment. FlexSim can be used to simulate any process in any industry.
FlexSim®, FlexSim Healthcare™, Problem Solved.®, the FlexSim logo, the FlexSim X-mark, and the FlexSim Healthcare logo with stylized Caduceus mark are trademarks of FlexSim Software Products, Inc. All rights reserved.
