Support Board


Date/Time: Sun, 04 Dec 2022 22:50:26 +0000



[User Discussion] - The installation-package is not digitally signed.

View Count: 141

[2022-09-17 17:46:59]
User408639 - Posts: 7
Hello.
Neither "https://download2.sierrachart.com/downloads/SierraChartFileDownloader.exe" nor "https://www.sierrachart.com/downloads/ZipFiles/SierraChart2439.zip" is digitally signed.
As the download "https://download2.sierrachart.com/downloads/SierraChartFileDownloader.exe" does yield an error, I do not even know who created the download.
Can You please sign the downloader as well as any of its files?

    Bye,
      Michael.
P.S.: On the other hand, "Notepad++" included in Your download is signed:
If I download "https://www.sierrachart.com/downloads/ZipFiles/SierraChart2439.zip", unpack it, and check the files in it, I find that "SierraChart2439\NPP\notepad++.exe" is digitally signed:
1. Right click on it,
2. click on properties,
3. select the "digital signatures"-tab,
4. double click the "Notepad++ sha1 Wednesday, 4. December 2019 02:43:16 Uhr"-signature, and it is verified.
[2022-09-30 10:27:11]
User408639 - Posts: 7
P.S.: Using it in a VM, I saw that You did sign Your Exes, just not Your downloader.
Can You please sign it as well?
Setting the environment variable "clr_SQL_DLLen_Zertifikatsfingerabdruck" to Your certificate's thumbprint "52352d23a607539180f16591bb34c1230c1f7c9f", You can just use this in Your Visual Studio post-build step:
powershell -command "Unterschreibe-Assembly -Datenkarteienname \"$(Targetpath)\" -Verbose|ft -autosize"
________________________________________________________________________________________
filter Unterschreibe-Assembly `
{
<#
.Synopsis
Signs an assembly with $sha1_Schluessel=$env:clr_SQL_DLLen_Zertifikatsfingerabdruck.
.Description
Signs the assembly $Datenkarteienname with the key belonging to the thumbprint $sha1_Schluessel=$env:clr_SQL_DLLen_Zertifikatsfingerabdruck, using the timestamp server $Zeitendiener.
.Parameter Zeitendiener
The timestamp server of the certificate.
.Parameter Datenkarteienname
The path of the assembly to be signed.
.Parameter sha1_Schluessel
The thumbprint of the signing certificate.
.Example
powershell -command "Unterschreibe-Assembly -Datenkarteienname \"$(Targetpath)\" -Verbose|ft -autosize"
#>
  [CmdletBinding(SupportsShouldProcess=$true)]
  param(
    [Parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)][string]$Datenkarteienname,
    # "http://timestamp.verisign.com/scripts/timstamp.dll" no longer yields usable timestamps. Michael Soliman, 2019-08-04T18:29:55.5046751+02:00.
    [string]$Zeitendiener="http://timestamp.digicert.com",
    [string]$sha1_Schluessel=$env:clr_SQL_DLLen_Zertifikatsfingerabdruck,
    [string]$Signaturenalgorithmus="sha512",
    [string[]]$Signaturenverzeichnisse=("cert:\currentuser\my","cert:\LocalMachine\my"),
    [switch]$Kurz
  )
  $Befehlchensname="Unterschreibe-Assembly"
  $PSB=$PSBoundParameters  # This assignment makes the $PSBoundParameters values available for debugging.
  if($PSB["Verbose"]){$v=$true}else{$v=$false}
  if($PSB["Kurz"   ]){$K=$true}else{$K=$false}
  Write-Verbose ($Jetztmeldung="$Befehlchensname.: `$Jetzt=$(($Jetzt=$([Datetime]::Now.ToString("o")))),`$Datenkarteienname=`"$Datenkarteienname`".") -Verbose:($v)

  # Look up the signing certificate by thumbprint in the "My" stores (current user first, then local machine).
  $Zertifikat=Get-ChildItem -Recurse $Signaturenverzeichnisse |
    Where-Object {($_.Thumbprint -eq "$sha1_Schluessel") -and ($_.PSParentPath -ilike "*\My")} |
    Select-Object -First 1
  if(-not $Zertifikat){
    # Without a matching certificate there is nothing to sign with; report it and skip this file.
    Write-Error "$Befehlchensname.: no certificate with thumbprint `"$sha1_Schluessel`" found."
    return
  }
  if($v){Write-Host "`$Jetztmeldung=$Jetztmeldung,`$Zeitendiener=`"$Zeitendiener`"." -ForegroundColor DarkRed -BackgroundColor DarkYellow}

  # Sign the file, embed the full certificate chain, and timestamp the signature.
  $Signaturen=Set-AuthenticodeSignature -FilePath $Datenkarteienname -Certificate $Zertifikat -TimestampServer $Zeitendiener -HashAlgorithm $Signaturenalgorithmus -IncludeChain All -Verbose:($v) -ErrorAction Continue

  # With -Kurz, return only thumbprint, status and path; otherwise return the full signature object.
  if(-not $K){$Signaturen}else{$Signaturen|Select-Object @{name="Thumbprint";expression={$_.SignerCertificate.Thumbprint}},Status,Path}
}
[2022-10-28 07:44:02]
User408639 - Posts: 7
Hello.
Excuse my late answer, please.

I just downloaded "https://download2.sierrachart.com/downloads/SierraChartFileDownloader.exe" again, and it is still not digitally signed (right-clicking the exe and selecting "properties", there is no "digital signatures"-tab).
So, from my point of view it is only marginally trusted, as we have to trust the upload to the https-site.
Anyone hacking it can "amend" it by any malware he/she/it likes.

The downloaded files are somewhat signed, because the three most important ones are not signed:
1. "C:\SierraChart\SierraChart.exe"
2. "C:\SierraChart\SierraChartFileDownloader.exe"
3. "C:\SierraChart\Data\UserContributedStudies_64.dll"

So, this is a major security-problem (for a software with "banking"/"trading"-permissions, if You ask me, everything needs a signature).

    Bye,
      Michael.
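
The right-click check from the first post and the list of unsigned files in the last one can be scripted. This is an added example, not code from the thread or from Sierra Chart; the function name `Get-SignatureAudit` and its parameters are hypothetical, and the folder and thumbprint in the usage lines are the ones quoted in the thread.

```powershell
# Added example: audit Authenticode signatures of executables under a folder.
# Get-SignatureAudit and its parameter names are hypothetical, not part of any product.
function Get-SignatureAudit {
    [CmdletBinding()]
    param(
        # Root folder to scan, e.g. an installation directory.
        [Parameter(Mandatory = $true)][string]$Path,
        # Optional: thumbprint the signer certificate is expected to have.
        [string]$ExpectedThumbprint,
        # File extensions treated as signable code.
        [string[]]$Extensions = @('.exe', '.dll')
    )

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }

            [pscustomobject]@{
                Path        = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Status      = $sig.Status
                Signer      = if ($cert) { $cert.Subject } else { $null }
                Thumbprint  = $thumb
                # A timestamp keeps the signature verifiable after the certificate expires.
                Timestamped = [bool]$sig.TimeStamperCertificate
                # $null when no thumbprint was supplied; -eq on strings ignores case.
                Pinned      = if ($ExpectedThumbprint) { $thumb -eq $ExpectedThumbprint } else { $null }
            }
        }
}

# Usage: list every file that is unsigned, fails verification, or is signed
# by a certificate other than the expected one.
$report = Get-SignatureAudit -Path 'C:\SierraChart' `
    -ExpectedThumbprint '52352d23a607539180f16591bb34c1230c1f7c9f'
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.Pinned -eq $false } |
    Format-Table Path, Status, Signer, Timestamped -AutoSize
```

A `Valid` status only says the file is intact and chains to a trusted root; the `Pinned` column is what ties it to one specific publisher certificate.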
