OnPrem Signing Certificate


I'm trying to start a thread for us to discuss the latest bombshell that we have 6 days to provide our own code signing certificates; my previous attempt is "Awaiting Moderation", which may just be because I included a URL in the post?

While it feels very much like a final attempt to kill off the on-prem user base, there's no real benefit discussing that other than venting, so I'm looking to see if anyone's research so far has turned up an affordable way of acquiring code signing certificates.

The likes of DigiCert, SSL etc. seem to come out at several hundred $/year in the first year, possibly dropping from there once you own a suitable storage method for the certificate.

Azure Trusted Signing looked promising for a while at a few $ a month, but it is currently only available to USA- and Canada-based businesses, which rules out the rest of us.

Does anyone have any other sources?

Thanks
Andrew

I received this from support:

Thanks for reaching out with your question on upcoming ScreenConnect changes. I'll be happy to assist.

I understand there may be some confusion regarding the recent communication about changes to the code signing certificate process for On-Prem ScreenConnect instances.

To help clarify these changes and provide relevant details, we encourage you to attend the upcoming Town Hall event, scheduled for July 2nd at 12:00 PM Eastern Time. During this session, our keynote speakers will outline the updates and answer questions related to the new process. Official documentation will be released following this Town Hall meeting.

If you still have questions after the event, we’ll be happy to work with you directly to address any remaining concerns once the full details have been shared.

Please register here to attend the Town Hall:

Note: This session will not be recorded, as the information presented may be subject to change.

Defer, delay and dawdle

luc igert

And the CA says: you have to pass Business Validation in order to get Cloud Code Signing. That may take 2-6 working days. So... great planning and communication, ConnectWise, once more! And surely being able to change the background of the ScreenConnect website was a HUGE security threat... This is what happens when the salesman gets in charge and the technical team goes into the background: products become worse and worse, customers get forced to go to the cloud, and eventually customers leave... Someone had better think twice about whether this long-term strategy is a good idea for ConnectWise. We are long-standing customers, but I don't know how much more of this sour soup we can eat.

Andrew Aldridge

Yes, not being able to customise our own server's background image on the landing page really seems odd. How the heck is that linked in any way to client customisation security risks? It's not linked to code signing in any way at all.

stephan

Please provide the possibility of signing a static installer which already includes customizations like the relay server URL but doesn't add session-specific tokens or cryptographic material. This would give us the chance to sign the client with a certificate residing in a physical HSM module.

I wouldn't mind if all of our customers downloaded the same client and had to enter the session code after the client is executed. This would eliminate the necessity of having the signature process run for each session.

romain jamin

Hi everyone,

I'd like to raise another important point related to this change: the removal of the option to customize the name of the generated executable.

Until now, we used this feature to define specific antivirus/EDR exclusions for our clients. It was a simple and effective way to avoid false positives while maintaining control over deployments.

Now that this customization is no longer possible, it creates a real operational issue for MSPs like us—especially in environments with strict security policies.

Has anyone found a workaround or an alternative approach to deal with this new limitation?

Thanks in advance for your feedback.

stephan

> Now that this customization is no longer possible, it creates a real
> operational issue for MSPs like us—especially in environments with
> strict security policies.

Maybe you can validate against your own code signing signature. That would be the better approach and more secure than just relying on naming conventions.
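One way to act on that suggestion on the Windows side, added here as an illustration and not code from stephan or from ConnectWise: check the Authenticode signature of each downloaded client rather than its file name. The folder path and the `<EXPECTED-THUMBPRINT>` placeholder are assumptions; fill in the SHA-1 thumbprint of your own code signing certificate.

```powershell
# Added example (not from the thread): verify a client executable is signed by
# OUR certificate instead of trusting its file name.
# <EXPECTED-THUMBPRINT> is a placeholder for the SHA-1 thumbprint of your own
# code signing certificate (visible in certlm.msc or via Get-ChildItem Cert:\).

function Test-ExpectedSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status must be Valid: the hash matches the signed content AND the chain
    # builds to a trusted root. HashMismatch means the file changed after it was
    # signed; NotSigned or UnknownError mean there is nothing to trust at all.
    $statusOk = ($sig.Status -eq 'Valid')

    # Compare the signer thumbprint, not the Subject string: another CA-issued
    # certificate can carry a look-alike subject, but not the same thumbprint.
    $actualThumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $signerOk = [bool]$actualThumb -and ($actualThumb -ieq $ExpectedThumbprint.Replace(' ', ''))

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = $actualThumb
        Trusted    = ($statusOk -and $signerOk)
    }
}

# Usage (assumed folder): scan a download directory and list anything that is
# not signed by our certificate, so it can be investigated before deployment.
Get-ChildItem -Path 'C:\ScreenConnectClients' -Filter '*.exe' |
    ForEach-Object { Test-ExpectedSigner -Path $_.FullName -ExpectedThumbprint '<EXPECTED-THUMBPRINT>' } |
    Where-Object { -not $_.Trusted } |
    Format-Table Path, Status, Subject, Thumbprint
```

The same "trust the signer, not the name" idea is what AppLocker and WDAC publisher rules express natively, so where an EDR product supports signer-based exclusions that is the cleaner long-term replacement for the old executable-name exclusions; the script above is for auditing what you already have.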

Andrew Aldridge

Is anyone able to confirm my belief that this code signing has no effect on the Mac or Linux clients, only Windows?

MTHT

For those considering staying with ScreenConnect, you might want to speak with your security auditors, as ours has strongly recommended we move to another platform.

They stated: "If ScreenConnect can sign using your certificate, what prevents them, or an attacker that is able to compromise their software, from signing anything they want using your certificate?"

We have already spoken to other providers and to clients who host their own instances; we will not be renewing with ScreenConnect and are establishing a plan to begin migrating our instance and client instances to a new platform within the next 30 days.

We knew this day would come after the purchase of ScreenConnect, but didn't expect it to come in this fashion or with this short a timeline.

Good luck to all those who remain!

stephan

> Quote from MTHT
>
> For those considering staying with ScreenConnect, you might want to speak with your security auditors, as ours has strongly recommended we move to another platform.
>
> They stated: "If ScreenConnect can sign using your certificate, what prevents them, or an attacker that is able to compromise their software, from signing anything they want using your certificate?"
>
> We have already spoken to other providers and to clients who host their own instances; we will not be renewing with ScreenConnect and are establishing a plan to begin migrating our instance and client instances to a new platform within the next 30 days.
>
> We knew this day would come after the purchase of ScreenConnect, but didn't expect it to come in this fashion or with this short a timeline.
>
> Good luck to all those who remain!

That's actually a good point. Moving EV code signing certificates to HSM modules was done in order to reduce the risk of misuse. An online-available support platform being able to sign arbitrary files (on the fly) is an awkward security situation.

Again I think session specific settings should not be included in the signed client but supplied by the user after executing the client application (as many other vendors of remote support software are doing as well).

Nathan Oldfield

Ummm... what email did you get? I have not seen anything about this, running SC on-prem. What was the subject? I'll go hunting for it.

Thanks
