macOS packages and Windows MSIs are not signed

61caada
Opened by Florian Gilcher at 2024-09-17 18:30:36

This possibly applies to other platforms as well.

<img width="532" alt="screen shot 2015-08-12 at 14 35 56" src="https://cloud.githubusercontent.com/assets/47542/9224034/b2a452de-40ff-11e5-88c0-fd3b9f38d930.png">

Currently, the Rust installer comes up with this nice warning, making the user navigate to a settings pane and acknowledge to really start the installer. Administrators can also decide to completely deactivate this.

I think at least the official installers of Rust should be signed using an Apple Developer Certificate.

  1. > This possibly applies to other platforms as well.

    All our releases and their checksums, including OS X ones, are signed with PGP signature already.

    I’m not disagreeing they could also be signed using whatever method Apple uses for their OSes, but I'm not convinced $100/$300 is a fair price for getting rid of this dialog. OTOH we probably could piggyback on the same account used to generate signatures for Firefox.

    Simonas Kazlauskas at 2015-08-12 13:28:30

  2. @nagisa If that is your issue, point me to a form where I can chip in 100$ yearly. Either we want to supply installers for their platform and then do it proper or we should just ship tarballs.

    Florian Gilcher at 2015-08-12 13:32:38

  3. I think the same is true for the Windows installer.

    <img width="303" alt="windows unsigned" src="https://cloud.githubusercontent.com/assets/47542/9330292/a8c4a3a0-45b8-11e5-852b-2ccaed2df98c.PNG">

    (Code signing certs for Windows cost > $300 upwards, FWIW)

    Florian Gilcher at 2015-08-18 12:52:49

  4. cc @edunham

    Seems totally fixable in the infinite expanse of time.

    Brian Anderson at 2015-08-27 14:55:06

  5. I would be willing to invest time on building the signing tooling, but obviously can't help with certificate handling.

    Florian Gilcher at 2015-08-27 15:55:21

  6. Note that on Windows 8 and later (or, at least, Windows 8.1), Windows Safescreen makes it look like it is impossible to run the installer, and so the installation experience is terrible all around. Especially with the new MSVC port reaching Stable, it would be great to have a Good OOBE on Windows, at least for the Stable releases.

    Brian Smith at 2015-10-24 02:41:20

  7. I have the same problem on Chrome... <img width="945" alt="screen shot 2015-10-25 at 9 11 48 pm" src="https://cloud.githubusercontent.com/assets/538615/10721227/7839e936-7b5d-11e5-9a10-19a86acab26b.png">

    Ray Toal at 2015-10-26 04:15:12

  8. @rtoal Just in case: you can, in the meantime, go to "Systems Settings" -> "Security and Privacy" and click the appropriate button to still start the installation process.

    Florian Gilcher at 2015-10-26 06:10:42

  9. @brson this ticket needs A-windows as well, or should Windows be split into a separate issue?

    Florian Gilcher at 2015-10-26 06:11:53

  10. @skade Thanks but I just used homebrew which also has 1.3.0. :)

    Ray Toal at 2015-10-26 06:26:47

  11. I'd like to bump this again, also, Servo has the same issue and cannot be easily run on OS X, as it is unsigned.

    Florian Gilcher at 2016-07-01 07:21:49

  12. > OTOH we probably could piggy back on the same account used to generate signatures for Firefox.

    I doubt this would be accepted by the Firefox people. You want your private keys locked down, having two projects with independent infrastructure share a key sounds like a bad idea. I think both Rust and Servo can get their own. Not sure if it should be the same one.

    Manish Goregaokar at 2016-07-01 07:32:48

  13. For reference, here's the issue for Windows. https://github.com/rust-lang/rust/issues/25457

    Florian Gilcher at 2016-07-01 09:35:25

  14. Agree this is something we should solve soon.

    Brian Anderson at 2016-07-01 18:08:57

  15. @brson I don't think this has been solved for either macOS or Windows. Could you give an update on this?

    Mark Rousskov at 2017-05-12 01:05:41

  16. Triage: not aware of any changes here.

    Steve Klabnik at 2019-03-16 14:49:25

  17. > All our releases and their checksums, including OS X ones, are signed with PGP signature already.

    Not as if anyone on Windows is going to install gpg4win just to check the signatures. This should be a higher priority IMO.

    Jasper Weiss at 2019-05-03 11:25:29

  18. I'd like to bump this again, this - along with rustup-init.exe not being signed - is a substantial speed bump when using Rust on Windows. Windows 10 even hides the "Run anyways" button and makes it hard to find and shows a "Windows has protected your computer" message.

    Can we also please remove the P-low label here, it is becoming more and more of an issue, the less we have a "hackers audience".

    Florian Gilcher at 2019-11-23 10:36:23

  19. See https://github.com/rust-lang/rustup/issues/1568 for updates, concerning rustup.

    Florian Gilcher at 2019-11-23 11:15:49

  20. Hello, Avast guy speaking here :smiley:

    It's shown up that we as an antivirus company have also kinda problem with not-detecting Rust compilers.

    The problem is that we need to have files that are signed by known-certificate and the signature is included in the file itself. Using the method required by macOS and Windows would also be good for us. Without that, we have a problem with non-detecting Rust compilers again and again when a new version is published - it'd have to be uploaded to us "manually" after every release. That's a valid solution, however, unpreferred.
    To cite one of our malware analysts: The only signature that Avast (and Windows) is able to understand is pkcs7 signature.

    Thanks for the great work and for solving this issue!

    Jenda Kolena at 2020-04-17 13:21:20
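
What comment 20 means by a signature "included in the file itself", as an added example that is not part of the thread or of Rust's release tooling: a Windows PE executable carries its Authenticode PKCS#7 blob in the certificate table referenced from the optional header, whereas a detached PGP signature lives in a separate file. The sketch only locates that blob and does not validate the signature or certificate chain; `constructed_pe` and its header bytes are constructed sample input.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData (Authenticode)
SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY


def embedded_signature(pe: bytes):
    """Return (file_offset, length) of an embedded PKCS#7 blob, or None."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional header magic")
    dirs = opt + dir_base
    (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR_INDEX:
        return None
    # For this directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    if offset == 0 or size < 8:
        return None  # no certificate table: the file is unsigned
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not 8 <= length <= size:
        return None
    return offset + 8, length - 8  # skip the 8-byte WIN_CERTIFICATE header


def constructed_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ headers for the demo (not a runnable binary)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<I", buf, opt + 108, 16)  # NumberOfRvaAndSizes
    if signed:
        blob = b"\x30\x82" + b"\x00" * 14  # placeholder bytes, not a real PKCS#7
        struct.pack_into("<II", buf, opt + 112 + 8 * 4, len(buf), 8 + len(blob))
        buf += struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return bytes(buf)
```
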

  21. We discussed this inside the infra team meeting, and we're going to start the technical work needed to ensure Rust packages are signed for Windows and macOS! Me and @Mark-Simulacrum are going to have a chat to think about an implementation plan soon.

    Note that while we'll start the development work, actually turning it on in production will require the foundation to be up and running (to actually buy the certificates).

    Pietro Albini at 2020-11-04 15:37:14

  22. Is the progress on this issue being tracked anywhere?

    Jared Moulton at 2021-03-11 22:14:14

  23. @jrmoulton this issue is where progress will be tracked - if you haven't seen anything, it's because there (sadly) hasn't been any progress.

    Aidan Hobson Sayers at 2021-06-08 09:53:37

  24. Any updates on this issue? This is really necessary from a security POV

    Asesh at 2024-04-12 16:30:36

  25. Just started with Rust and ran into this—and this is somewhat a contradiction to the overall safety aspect of Rust itself. This thread is 9 years old. Others like NodeJS got their signing in place for macOS and this is really helpful.

    Until then please provide at least shasum of the tarballs rather than a GPG signing which most people have to install software for to check the integrity.

    Raphael at 2024-09-11 14:19:33

  26. Hi, just wanted to drop that here, as the price of the code signing certificate was mentioned. At the SignPath Foundation (disclaimer: I work for SignPath.io), we provide free code signing for OSS projects. The certificate is issued to our foundation but can only be used to sign builds from the open source repository (we verify that technically). It would just require you to add a signing build step in your GitHub Actions workflows.

    Paul Savoie at 2024-09-11 14:42:39

  27. > Hi, just wanted to drop that here, as the price of the code signing certificate was mentioned. At the SignPath Foundation (disclaimer: I work for SignPath.io), we provide free code signing for OSS projects. The certificate is issued to our foundation but can only be used to sign builds from the open source repository (we verify that technically). It would just require you to add a signing build step in your GitHub Actions workflows.

    Maybe Rust files can now be digitally signed? It's 2024 and code signature is really necessary for security reasons!!

    Asesh at 2024-09-17 17:11:38

  28. Please refrain from bumping this issue with "I want this too" or "why hasn't this happened yet" or "any updates?" style comments.

    This is the issue where this work is tracked. Any updates will be posted here. Whether or not this happens depends on the volunteers in the Rust project, especially the infra team, having time to prioritize and work on this.

    Comments asking for things to speed up are not helpful and do not do anything to move the needle.

    Manish Goregaokar at 2024-09-17 18:30:36