Unsigned Installer

Hi there,

Why is the 1Password Windows installer unsigned? For a security product company, I would expect to see the installer signed with a valid cert that I can follow the chain up on.

Thanks,
Jim

Comments

  • edited May 2013

    Our installer is not unsigned. It is signed by AgileBits, Inc.

    https://www.dropbox.com/sh/lrvyp5gewevt4dm/SrFc7nNBi4

  • The Windows UAC prompt was the "Yellow" bannered one that indicates that it is not signed. I got it from the dialog that prompted that a new version was now available. Is that not what you expect?

  • I have no idea why some users are seeing this, but we do sign all our binaries.

  • Does your signing cert chain up to a valid, trusted CA?

  • khad Social Choreographer

    Team Member

    Is this not what you are seeing? Where exactly did you download the installer from?

  • jpgoldberg Agile Customer Care

    Team Member

    Hi @Honger,

    I still don't have an answer for you. I do want to thank you for paying attention to this. The relevant digital signature is an important part of knowing that you really are getting a genuine copy of 1Password from us.

    You aren't the only person seeing this. In fact, that just happened to me. I'm using Windows 8, running under VMWare Fusion, and the download was from the updater within 1Password itself.

    Did you use the "Check for updates" within 1Password or did you fetch a copy from our website. Also what version of Windows are you running?

    I'll try to experiment more, but there is something up with VMWare Fusion that makes bad things happen to my Mac after I've fired it up, so I'm not sure how much testing I'll be able to do. Anyway, this is what I've been seeing:

    Anyway, if you did this from within our updater please try fetching directly from our downloads page and see if that makes a difference.

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • I got the above yellow bannered dialog when I was prompted to download the latest update. Normally, I don't do this (typically, I manually obtain updates from the website), but for whatever reason this time I decided just to download the update from the prompt.

    I just now started up 1Password and manually checked for updates. The UAC dialog was the expected blue-green bannered dialog of a signed installer. I am using Win7 SP1 (x64). I went out to the temp directory and noticed today's version has a slightly different version number associated with it. Since yesterday's installer was also there, I ran it straight from the temp directory and got the blue-green banner dialog.

    I can tell you that it SHOULD NOT matter what path I'm fetching the installer from since Windows is calling WinVerifyTrust on the installer package to check the signature, but there's clearly something going on here. Possible they introduced a bug in UAC during Win7 in certain download scenarios.

  • jpgoldberg Agile Customer Care

    Team Member

    @Honger wrote:

    I can tell you that it SHOULD NOT matter what path I'm fetching the installer from

    Yes. You are absolutely correct. The reason that I asked was in the hope of narrowing down the problem. I wasn't suggesting, "oh, fetch it from X".

    So far, only a small number of people have seen this problem. So I'm trying to figure out what makes us different from the others. If we've got a bug in our build and distribute process, we need to figure out what it is.

    Windows is calling WinVerifyTrust on the installer package to check the signature, but there's clearly something going on here. Possible they introduced a bug in UAC during Win7 in certain download scenarios.

    I tested by downloading the 1Password installer in exactly the same way that I downloaded the Firefox installer, but I only saw this issue with 1Password. In all likelihood, there is just some bug and the versions that got pushed to some nodes in the CDN we use were unsigned. But just because "in all likelihood" it's an innocent problem, we have to strongly advise people to not run unsigned installers for 1Password.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • That's the thing, though. The installer I downloaded last night produced a different result when I double-clicked it from the %temp% directory versus running the installer straight from the download process. So the installer looks like it was signed, but somehow the signature check failed.

  • In all likelihood, there is just some bug and the versions that got pushed to some nodes in the CDN we use were unsigned.

    I don't think so. We do sign all our binaries. None of the installers that we pushed were unsigned. Why the UAC comes up yellow (unsigned) is a mystery to me.

    @honger are you saying the UAC came up yellow (unsigned) the other day, and now it comes up blue (signed) for the exact same bits?

  • Yes, that's what I'm saying. Except I launched those bits from the TEMP directory not from the download process.

  • jpgoldberg Agile Customer Care

    Team Member

    Stefan, if there is a bug in our process it would be after signing and pushing to the CDN. But there might be a problem on the CDN.

    However, the fact that this is only showing up for a small number of people and then it seems to depend on whether the installer is manually launched from the temporary download directory does suggest that this involves some subtle Windows thing. That at least is reassuring in that it reduces the (already unlikely) possibility that bogus copies of 1Password were being distributed.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • I have more data. On a different PC, I got the prompt and downloaded the update. I got the Yellow banner and did NOT install it. I then went to the %TEMP% directory and double-clicked the download package. I still got the Yellow banner UAC dialog.

    I then went to your site and downloaded the package from there. The difference was that I got the "Mark of the Web" dialog first and told the OS to run the package. I got the Blue-Green UAC prompt at that point. Same version number on the package.
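    A defender triaging the behaviour described in this thread (the WinVerifyTrust check mentioned earlier, the "chain up to a trusted CA" question, and the Mark of the Web difference in the post above) can gather all of it from PowerShell. This is an added example, not code from the thread or from AgileBits; the installer path is a placeholder.

```powershell
# Added example: inspect a downloaded installer before clicking through UAC.
param(
    [string]$Installer = "$env:TEMP\installer.exe"   # placeholder path, not from the thread
)

# 1. Authenticode status. Get-AuthenticodeSignature calls WinVerifyTrust under
#    the hood, which is the same check UAC relies on for the banner colour.
$sig = Get-AuthenticodeSignature -FilePath $Installer
"Status      : $($sig.Status)"            # Valid / NotSigned / HashMismatch / UnknownError
"StatusMsg   : $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer      : $($sig.SignerCertificate.Subject)"
    "Thumbprint  : $($sig.SignerCertificate.Thumbprint)"
    "Valid until : $($sig.SignerCertificate.NotAfter)"
}

# 2. Walk the signer's chain up to a root this machine actually trusts and
#    report why it fails if it does (expired, untrusted root, revocation, ...).
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($sig.SignerCertificate)
    "Chain OK    : $chainOk"
    $chain.ChainElements | ForEach-Object { "  -> $($_.Certificate.Subject)" }
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { "  ! $($_.Status): $($_.StatusInformation)" }
    }
}

# 3. Mark of the Web: the Zone.Identifier alternate data stream records where
#    the file came from; its presence or absence changes which prompts appear,
#    which is the difference the post above observed between the two downloads.
$zone = Get-Content -Path $Installer -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Zone.Identifier:"; $zone | ForEach-Object { "  $_" } }
else       { "Zone.Identifier: (none - file is not marked as downloaded from the Internet)" }

# 4. Hash, so two copies fetched different ways can be confirmed as the same bits.
"SHA256      : $((Get-FileHash -Path $Installer -Algorithm SHA256).Hash)"
```

    Run it once against the updater's copy in %TEMP% and once against the copy from the website; if the hashes match but the Authenticode status differs, the problem is in the verification environment rather than in the file.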

  • edited June 2013

    @honger thanks for the research. The automatic updater and the download on our site are the same bits, by the way.

  • jpgoldberg Agile Customer Care

    Team Member

    I haven't had access to a Windows system for the past two months, so I haven't been paying attention to these sorts of issues. Did we ever figure out what was going on?

This discussion has been closed.