#767 The installer posh-windows-386.exe is flagged as a threat. Request to establish authenticode signature.

open
nobody
wip (1) feat (2)
2022-06-13
2021-05-31
Anonymous
No

Originally created by: romanrozinov

Prerequisites

  • I have read and understand the CONTRIBUTING guide
  • I looked for duplicate issues before submitting this one

Description

As part of the rollout attempt of oh-my-posh to the development team, it is detected as a threat by SentinelOne software. Vendor's response is that increasing reputation score would help by signing the executable with Microsoft's Authenticode technology, see SignTool.

Hence the request for enhancement to establish the signature for the installation executable, as opposed to relying on static hashes every release.

Environment

  • Oh my Posh version: v3.159.0
  • Theme: N/A
  • Operating System: Windows 10
  • Shell: PowerShell
  • Terminal: Windows Terminal

Optional

  • posh-git version: v1.0.0-beta4
  • git version: version 2.31.1.windows.1

Steps to Reproduce

  1. Install-Module oh-my-posh -Force

Expected behavior: [What you expected to happen]

Installation should be successful.

Actual behavior: [What actually happened]

Installation is aborted due to antivirus flagging the executable.
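
The trade-off raised in this issue (an Authenticode signature versus static per-release hashes) can be checked on the consuming side before an installer is allow-listed. The following is an added example, not part of the original issue or the oh-my-posh project; the function name `Test-InstallerTrust`, the thumbprint and the hash values are hypothetical placeholders.

```powershell
# Added example: decide whether a downloaded installer may be allow-listed.
# Trust order: (1) valid Authenticode signature from an expected signer,
# (2) otherwise a SHA-256 pinned for that release. Placeholder values only.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedThumbprints = @(),  # expected signer certificate thumbprints
        [string[]] $PinnedSha256 = @()         # hashes published for the release
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $result = [ordered]@{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
        Timestamped     = [bool]$sig.TimeStamperCertificate
        Trusted         = $false
        Reason          = ''
    }
    if ($sig.Status -eq 'Valid') {
        # A valid chain is not enough: pin the signer as well.
        if ($AllowedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
            $result.Trusted = $true
            $result.Reason  = 'Valid signature from expected signer'
        } else {
            $result.Reason  = 'Valid signature, but signer is not on the allow-list'
        }
    } elseif ($sig.Status -eq 'HashMismatch') {
        # File changed after signing: never fall back to hash pinning here.
        $result.Reason = 'Signature present but file content was modified'
    } elseif ($PinnedSha256 -contains $hash) {
        $result.Trusted = $true
        $result.Reason  = 'Unsigned; matches pinned release hash'
    } else {
        $result.Reason = "Not trusted: $($sig.StatusMessage)"
    }
    [pscustomobject]$result
}

# Usage (placeholder hash):
# Test-InstallerTrust -Path .\posh-windows-386.exe -PinnedSha256 '<SHA256-FROM-RELEASE>'
```

`Get-AuthenticodeSignature` also reports on PowerShell script files, so the same check applies to a `.psm1` module once it is signed.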

Discussion

  • Anonymous

    Anonymous - 2021-05-31

    Originally posted by: romanrozinov

    I am aware of [#708] but this issue is related to the psm1 install script itself, which I believe should also be signed, if not already, to allow greater adoption in enterprise environments.

     
  • Anonymous

    Anonymous - 2021-05-31

    Originally posted by: JanDeDobbeleer

    We've talked about code signing before but the certificates are way too expensive for a project such as this. So, unless you can add an exclusion in Sentinel (that should be possible though on company level), or we find a sponsor for said certificate, there's not much we can do for the time being.

     
  • Anonymous

    Anonymous - 2021-05-31

    Originally posted by: JanDeDobbeleer

    @romanrozinov missed your second comment. I'm curious, what happens when you use scoop/winget to install the oh-my-posh executable? Because the module is simply a wrapper for that anyways.

     
  • Anonymous

    Anonymous - 2021-06-12

    Originally posted by: mcroach

    Possible solution to this eventually may be https://sigstore.dev/ managed by the Linux Foundation. In its current form it appears to support signing of Linux/Windows executables. Not sure if in its current form it could also be used to sign PowerShell modules or if that might be a future option.

     
  • Anonymous

    Anonymous - 2021-06-12

    Originally posted by: JanDeDobbeleer

    @mcroach yup, it was hinted before. Waiting on it to come to life. In theory, having the executable signed should be sufficient.

     
  • Anonymous

    Anonymous - 2021-07-06

    Originally posted by: sjetha

    This Twitter thread has some suggestions: https://twitter.com/mehedih_/status/1411969294724968449?s=21

     
