Ubuntu

wubi and umenu executables are not signed with a code signing certificate

Bug #204834 reported by leon breedt
2
Affects Status Importance Assigned to Milestone
Wubi
Fix Released
Low
Evan
Wubi 9.04
Ubuntu
Invalid
Undecided
Unassigned

Bug Description

When executing the wubi or umenu executables on Windows Vista with UAC enabled, the untrusted UAC prompt is displayed.

This occurs because these executables are not signed by a code signing certificate, or the certificate is not issued by an authority in the "Trusted Root Certification Authorities" local machine (NOT user) certificate store.

It may be worth considering using a code signing certificate from VeriSign or Thawte to perform timestamped Authenticode signing of these executables, this appears more professional to consumers using Vista.

I've attached a screenshot of what the two variants of the dialogs look like. The dialog on the right was obtained by signing a copy of wubi.exe with a self-signed certificate that I generated for testing purposes.

Revision history for this message
leon breedt (bitserf+bugzilla) wrote :
Agostino Russo (ago)
Changed in wubi:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
leon breedt (bitserf+bugzilla) wrote :

The signing was performed by running signtool.exe (command-line pre-supposes an installed version of the .NET Framework SDK):

"$(FrameworkSDKDir)bin\signtool.exe" sign /f X:\TestCodeSigningCertificate.pfx /v wubi.exe

Agostino Russo (ago)
Changed in wubi:
assignee: nobody → ago
milestone: none → 9.04
Revision history for this message
Colin Watson (cjwatson) wrote :

I've filed a ticket with Canonical's sysadmins requesting this.

Revision history for this message
Agostino Russo (ago) wrote :

<xivulon> hi all, is a code signing certificate available for ubuntu? bug #204834
<ubottu> Launchpad bug 204834 in wubi "wubi and umenu executables are not signed with a code signing certificate" [Low,Confirmed] https://launchpad.net/bugs/204834
* apw (<email address hidden>) has joined #ubuntu-release
<cjwatson> xivulon: not to my knowledge ...
<cjwatson> elmo: ^- is this the sort of thing that IS can conceivably handle, since you already do SSL certificate stuff?
<elmo> cjwatson: I guess, yeah
<cjwatson> should I file an RT for it?
<elmo> please
<cjwatson> ok, filed
<cjwatson> thanks
<xivulon> thanks
<xivulon> by the way I do not think it is something I can handle on my side, I guess it will be evand that will have to run the signing program before uploading the build

Changed in wubi:
assignee: ago → evand
Revision history for this message
Agostino Russo (ago) wrote :

Evan now has a signed version of wubi ready, although it is uncertain whether it will be available on the CD

Changed in wubi:
status: Confirmed → Fix Released
Agostino Russo (ago)
Changed in wubi:
status: Fix Released → Fix Committed
Revision history for this message
Agostino Russo (ago) wrote :

The stable link still points to the unsigned version. By the way tested and seems fine to me, although a generic app icon is used in the dialog.

Revision history for this message
Evan (ev) wrote :

The stable symlink for 9.04 is static. We're not going to re-roll CDs as it's not an LTS, so updating it does not make sense.

As our current workflow requires someone from IS to sign the executable for us (for security reasons) I am keen to avoid signing it until we are at the 9.10 Release Candidate.

Evan (ev)
Changed in wubi:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.