OnPrem Signing Certificate


I'm trying to start a thread for us to discuss the latest bombshell that we have 6 days to provide our own code signing certificates; my previous attempt is "Awaiting Moderation", which may just be because I included a URL in the post?

While it feels very much like a final attempt to kill off the on-prem user base, there's no real benefit discussing that other than venting, so I'm looking to see if anyone's research so far has turned up an affordable way of acquiring code signing certificates.

The likes of DigiCert, SSL, etc. seem to come out at several hundred $/year in the first year, possibly dropping from there once you own a suitable storage method for the certificate.

Azure Trusted Signing looked promising for a while at a few $ a month - but is currently only available to USA and Canada based businesses, so rules out the rest of us.

Does anyone have any other sources?

Thanks
Andrew

0

Oh, boy! Found out that running in their cloud will not sign the installer either. WTF!

0
amccabe Team Member
Quote from Brad Hunt

So a dumb question here, what happens if we do NOT upgrade to this new version with the new cert requirements? Our current version (with customizations) will work but it will just show as unsigned and insecure?

Pretty much, though it's not that it's unsigned but rather that it's signed with a certificate that's been revoked.

0
omnichad
Quote from amccabe

Pretty much, though it's not that it's unsigned but rather that it's signed with a certificate that's been revoked.

Correct. Updating and being unsigned is likely to be an improvement over being signed with a revoked cert. Although definitely not good.
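An added example (my own script, not ConnectWise's code or anything posted in this thread) of the distinction the two replies above draw: it reports whether a client binary is unsigned, signed by a certificate that has since been revoked, or validly signed, by building the signer's chain with online revocation checking. `$Path` is a placeholder for the installer or agent executable you want to inspect.

```powershell
# Added example, not ConnectWise's code: classify a client binary's Authenticode state as
# Unsigned, SignedRevoked, Valid, or SignedUntrusted. $Path is a placeholder for the file.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path

if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
    [pscustomobject]@{ Path = $Path; State = 'Unsigned'; Signer = $null; Detail = $sig.StatusMessage }
    return
}

# Build the signer's chain with online revocation checking (CRL/OCSP). A revoked signer is
# flagged here even though the file's signature itself is still cryptographically intact,
# which is exactly the "signed with a revoked cert" case discussed above.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$null = $chain.Build($sig.SignerCertificate)

$revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
$revoked = @($chain.ChainStatus | Where-Object { $_.Status.HasFlag($revokedFlag) }).Count -gt 0

if ($revoked) {
    $state = 'SignedRevoked'
}
elseif ($sig.Status -eq 'Valid' -and @($chain.ChainStatus).Count -eq 0) {
    $state = 'Valid'
}
else {
    # Expired signer, untrusted root, hash mismatch, or revocation servers unreachable.
    $state = 'SignedUntrusted'
}

$result = [pscustomobject]@{
    Path   = $Path
    State  = $state
    Signer = $sig.SignerCertificate.Subject
    Detail = (@($chain.ChainStatus) | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
}
$chain.Dispose()
$result
```

Run it against every deployed agent and installer you keep a copy of; anything reported as SignedRevoked is the case the thread is warning about, and Detail carries the chain engine's own reason text.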

0
amccabe Team Member
Quote from MTHT

You still clearly don't understand the concern. YOU built the signing module, which is installed locally, and have not released the code, so how can I verify what or how is being signed or stored within that signed package? Where the certificate is stored is irrelevant when you still control the method for signing. What is to prevent a bad actor, either a ConnectWise staff or 3rd party, from pushing an update to the signing module and having it sign a malicious package?

Sure, you can say what is to prevent someone changing the host client to deploy ransomware when downloaded, but again, if it's signed by ConnectWise then that issue falls on YOU to ensure that does not happen by securing your product. If I am signing then that issue falls on ME, and my reputation and code signing certificate are at risk. And again I have no ability to audit YOUR code or the process.

If you want people to put their business at risk then you need to provide the code so that it can be independently verified. Otherwise you're just asking for blind trust, which has been lost after the last few issues.

Ah, OK; that makes sense.

I guess the conflict here is that it's all the same code, so it makes sense for us to sign that to verify that it's our code and not malicious, but if we use the same certificate to sign the clients for every installation of ScreenConnect, then it's hard to block malicious installations without affecting legitimate ones (which I believe is a big part of why our certificate is being revoked this time around).

There's potentially a way to work around that conflict, but given the time constraints here, our focus was on minimizing the chance that this happens a third time.

3
eNet

Having my on-demand support customers download, unzip, and run the ScreenConnect Client exe file is not a one-click support feature. Having to spend $300+ for a year of code signing certificate, for me to sign ConnectWise's code, is not a reasonable expectation. I'm the customer. I'm paying ConnectWise for a complete remote support program, and that is not what is being provided with this latest update.

1
Brad Hunt
Quote from omnichad

Correct. Updating and being unsigned is likely to be an improvement over being signed with a revoked cert. Although definitely not good.

Well, both options are not good, but one still has all of the customizations in it and does not have the English-only connection splash page. Glad to know it will still work; that gives me further out than MONDAY to find another solution and implement it.

2
scremote
Quote from omnichad

Even with the information given so far, I literally don't know what to do. I want to spend as little as possible knowing I may be looking for alternatives, so no 3 year certificate.

I'm a sole proprietor with no employees. I cannot tell from anywhere whether I can even get a compatible certificate. Would I be able to use my business name or do I have to use my first and last name as the legal entity?

This is ignoring the complexity of setting up Azure, which I don't think has any requirements. No clue why their add-on can't just support a physical hardware key (ignoring the time it takes to get here).

It sounds like it has to be DigiCert regardless of reseller and can be either OV or EV, but I'm not sure of even that.

I hear ya.

Pretty much in the same boat.

There are many "questionables" about this situation.

A hardware key would be nice, supplied by ConnectWise.

0
scremote
Wow. What a mess.
(for everyone)

I am not in need of code signing, and web certs can be a pain on their own at times when dealing across systems to implement. Not sure what to expect of this.

Azure's certificate store requires a signup subscription and has annual, monthly and variable fees (something about connections). Costs appear low overall, but it depends on the details, particularly for "connections". (Apologies if their actual term is different; it was only a quick look.)

Of the code signing options offered...

The code signing cert for DigiCert starts at $50 USD/month or $600 USD/year (ouch).

SSL offers a lower cost ($129 USD/year) option but has "signing" limits and seems to mention an additional $15 USD/month or more depending on "signings". That sounds a lot like another variable cost; signed per client, for instance (access + support sessions)? The lowest option would work out to be $309 USD annually, but more depending on "signings". 3-5 days processing as well after they have all your info (probably business days).

And also there is the issue (and cost) of certificate renewals and implementation at whatever renewal term you are on.

Far too much to work out in this time period. Even if most variables and details are clear to some, and costs willingly absorbed, it is likely doable only by a few and burns any budget for cost recovery.

I actually do believe ScreenConnect is trying their best to handle this well, but it is a bad situation that they probably should have been onto LONG ago.

0
scremote
And, as per other comments, what does customization have to do with all of this?

(I do believe ScreenConnect mentioned this was a quick fix and will be looking at restoring some customization in the future.)

But if I have a customized client installer that is signed, what's the diff if it is customized with a JPG or two? Is that not, in a very small sense, more secure, as it is a unique installer AND signed?

1
Wardrop

The main question I have is, what is the recommended action if a code signing certificate cannot be acquired or implemented by July 7th? Should we update ScreenConnect, or stay on the previous latest version? Can anyone at ScreenConnect confirm that if we upgrade without a cert that everything will still work, except for potentially running into warnings and Windows SmartScreen issues, etc?

I just need to know if we'll be able to install the agent still, AND whether all existing agents will continue to work. If somebody could provide clarity on that then at least we can plan our course of action and prioritise what we need to do.

I don't think ConnectWise could have handled the communication of this any worse, to be honest.