New test agents (for WMIC issue) and code signing

[PathfinderNetworks]

I'd like to try the new test agents on one of my MeshCentral servers. I have my own code signing certificate and use the built-in agent code signing functionality of MeshCentral to sign my agents with that certificate. But it's been quite a while since I set that up and have looked at it (summer of 2022). Can anyone give me a refresher on the automatic signing of the agents and how I can implement that with the test agents? I know I was in contact with Ylian back then to get this done but can't recall if I followed one of his blog posts, YouTube videos, or if it was a Github discussion to get it working.

[PathfinderNetworks]

I was able to figure this out this weekend. If anyone is wanting to try this it's pretty simple (assuming you already have your own code signing certificate and have MeshCentral configured to automatically sign your agents with this certificate).
All you need to do is replace the default agent files under \MeshCentral\node_modules\meshcentral\agents with the 'test' agents from \MeshCentral\node_modules\meshcentral\agents\test_agents

Obviously you'll want to back up the original agents first (I just backed up the entire 'agents' folder). Once you have the 'test' agents in place you just restart MeshCentral. It will then pull those agents from the \MeshCentral\node_modules\meshcentral\agents folder, sign them, and then place the signed agents in the \MeshCentral\meshcentral-data\signedagents folder.

I would suggest setting your MeshCentral server to not automatically update the agents installed on your devices by adding/setting the "noAgentUpdate" setting to 1 . This line is entered under 'settings' and is formatted as "noAgentUpdate": 1, I added this line directly above the 'SelfUpdate' section just so I could find it easier (if you are using a config.json that has all the available commands already present then this line would be around the 'compression' settings).

Once you are confident these test agents are working properly then you could set that 'noAgentUpdate" to 0 and then restart MeshCentral. It would then automatically update all the installed agents on all of your devices to these new versions. So keep that in mind and what ramifications that may have in your situation.

[NewUserfromDE]

Thanks for sharing your solution. :-)

Because of the cost for code signing certificate this is some kind of special topic, most admins don't know yet about. So your post is special, too. Maybe consider posting where you bought your code signing certificate, because besides cost also a lack of knowledge or best practices is preventing admins to do agent signing.

[PathfinderNetworks]

I have a Sectigo 3 year code signing cert (not an EV version, just standard). I bought it from ssl2buy.com almost 3 years ago. Back then it was very inexpensive- just $180 total for all three years ($60 per year). I will need to renew it this summer. But, unfortunately, the cost has DRAMATICALLY increased for code signing certs since then. The same 3 year cert is now almost 4x the cost- around $660 or so depending on reseller! Crazy.

[NewUserfromDE]

Many thanks!

[si458]

This is the problem I've also got in October this year 😞
Even worse I don't have a hardware key either and most places are charging $120 to have one posted with the code signing cert installed on it to me in the UK

[PathfinderNetworks]

The site I just posted (Certum) says they provide a hardware key with the open source certificate. Maybe someone can try it before you and I both need to go down this road? I have to do it by the end of June or so...

[PathfinderNetworks]

I do see at least one provider has a code signing certificate for open source use. https://shop.certum.eu/open-source-code-signing.html
I'll have to investigate much deeper in the coming months to see if it can be used with MeshCentral (I don't see why not). This is priced at $89.00USD per year. BTW, when you go to that site you can scroll all the way to the bottom of the page and there will be a 'Change language (currency) link in the footer to select what is appropriate for your location.

[PathfinderNetworks]

They do say this about the open source cert and the verification process: "website address of the ongoing Open Source project:
The project must be publicly available and indicate clearly the subscriber’s relationship with the project. If Certum is unable to identify the project based on publicly available information, the certificate will not be issued." So I wonder what they would want to see when looking at the GitHub for MeshCentral? Just being an active member of the project or what? I'm almost thinking they might only authorize it for Ylian as he is the project owner?

[si458]

i think @Ylianst had an open source one from them originally!
but he explained in the past he had it revoked once because the CA was unhappy with the fact the software become malicious
this was all due to bad actors and not ourselves!
and if i also remember he did say they gave him back a new one after proving all sorts of things

i will email them and try explain what we would like to do and see if tey are happy with it!

the other problem we have as someone else identified, if you have certain things enabled in registry,
we add extra values onto the exe at the end AFTER its been code-signed and windows machine see them as NOT SIGNED because of this
so we would have to relook into HOW we go about doing the embedding of settings etc again
as we cant just include the certificate and provate key in the repo, are you mad haha!

[PathfinderNetworks]

Thankfully I haven't had any issues with my code signing cert, mostly (I think) because I have the agents locked to my server and I'm the only one using the agents. That said, what you described in regards to the extra values is probably what causes Windows Smart Screen to still complain about it even though it is signed. That hasn't been an issue for me though as it will still install. Haven't had any antivirus apps (knock on wood) flag it since I've had it signed. That's really the main reason for signing it- to prevent AV apps from seeing it as malware.
I would love to hear what Certum has to say about who can get the Open Source cert if you are able to get a response from them.

[si458]

i still have issues with AVs flagging it even tho i code sign it, but i havent fully customised mine properly,
its called "company name" - "Mesh Agent" still
so this probably doesnt help!
i might speak to Certum and see if i can apply for the open source certificate,
as their help guide say the docs i need to prove/show i own/i relate to the project i want to code-sign
so that MIGHT be an issue, but next weeks problem to look into me thinks!
https://support.certum.eu/en/code-signing-required-documents/

The project must be publicly available and indicate clearly the subscriber’s relationship with the project.
If Certum is unable to identify the project based on publicly available information, the certificate will not be issued.

[NewUserfromDE]

Although it was the fault of bad actors the nature of MeshCentral with ability to self-host and being open source makes it easier to do so compared to the proprietary closed source competitors with cloud account and cloud login.

So I can understand the Certum fear and I don't know if it wise to make it possible again. Because I think if the answer from Certum is positive the new certificate would not be signed on one's name or one's company name but on the open source project. Great for scammers (if they get the signed exe, which I think will happen).

The original question was more where to find a new cheap code signing service. If there does not exist one I would more prefer what I tried to explain on one community meeting: sharing the costs by forming local associations where one has to register and pay to become a member. It would be cheaper than being alone and it would be more reputable since the agent certificate would name the local association. This would also be a great way to get donations for the project, if each local member association would donate a small fee (since one saved money) to the project.

Anyway, I'm curious if you get an answer and what it will be.

As PathfinderNetworks already said, the main reason are "only" AV scanners and all the professional or semi-professional MeshCentral admins don't want to scare their uses / clients.

[PathfinderNetworks]

The best pricing I'm finding for 'regular' code signing certs is about $129 per year when buying 3 years and $115 for the hardware token ($502USD total) from www.cheapsslsecurity.com That's slightly better but still a LOT more than they used to be!

[si458]

my only throught is to code-sign the agents our side, upload them to the repo signed, then you admins would get them signed, then when you download your customised version, it could still be code-signed by us, and then work
BUT
if we did that the people who have the secure windows environments with the code-signing checkers, it wouldnt work, because when they download it, the exe would not be code-signed because they check for extra data AFTER the code-sign which is how we customise the exe at the moment

this is where we would need to re-design/rethink the agent in how we store customised data/info

i was thinking like somebody else suggested the resources of an exe can store txt info which might be useful/helpful!
just alot of messing around/playing with is going to be required for this to work

[NewUserfromDE]

FYI: Research on Stackoverflow regarding Certum lead to a 2025 price list created by one user for code signing certificates, since he had the same problem to find a cheap certificate:

• https://gabrielmoraru.com/obtaining-cheap-ev-ov-certificates-singing-your-application/
• https://stackoverflow.com/a/58559506

[NewUserfromDE]

Notes for myself and for readers:

• The link from Parrish / PathfinderNetworks seems indeed to be the cheapest price. It's for a digicert standard certificate, but only when bought via cheapsslsecurity.com, it's much more when bought from digicert directly.
• The Certum certificate for open source projects are generated for the "Open Source Daveloper" name according to the site. It seems one can't use a company name. Also it's not a solution for every MeshCentral admin but only for open source developers who can be found publicly, e.g. via an GitHub profile with real name.
• Microsoft SmartScreen warnings only don't appear when using the expensive EV certificates. Otherwise one has to to wait weeks/months and for hundreds or thousands of users of the signed exe until it is flagged from Microsoft as safe. Microsoft acts here a a gate keeper with secret rules, if one wants to save money.

[si458]

@NewUserfromDE regarding smartscreen

Many sites when I look at ev certificates now say the following

Note: In March 2024, Microsoft changed the way MS SmartScreen interacts with EV Code Signing certificates. EV Code Signing certificates remain the highest trust certificates available, but they no longer instantly remove SmartScreen warnings.
https://www.thesslstore.co.uk/comodo/ev-code-signing.aspx

Even the cheap one says it too
https://cheapsslsecurity.co.uk/fastssl/ev-code-signing-certificate.html
Note: Microsoft released a series of updates to their SmartScreen trust system that changed the way the SmartScreen recognizes to EV Code Signing certificates. These are still the best Code Signing certificates available, but they no longer instantly remove SmartScreen warnings.

[NewUserfromDE]

Thanks Simon, now also found it on Stackoverflow (April 2024).

Conclusions:

• EV can help
• submitting exe to Microsoft can help
• there exists no way for instant SmartScreen approval

Source: https://stackoverflow.com/questions/77101110/smartscreen-still-gives-warning-with-ev-code-signing-certificate

[si458]

I believe admins of meshcentral need to learn to customise the agent by using the agentCustomise and agentFileInfo

this might help with false positives

Also they could then take it a step further and get a certificate of their own to code-sign it (I know its not cheap sadly)

It's the only way at the moment

Unless somebody fancies completely rewriting the meshagent 😂