This repository has been archived by the owner on Jul 5, 2024. It is now read-only.

Only sign exe files #90

Closed
stefanolson opened this issue Jun 18, 2022 · 5 comments
Labels
enhancement New feature or request os:windows

Comments

@stefanolson

I am upgrading from squirrel as I need .net core support. So far this seems to work perfectly.

I have only one problem, which was also a problem with squirrel. I only want to sign the exes with signtool; it's simply too slow to go and sign all the DLLs every update.

I ended up making a source code change in squirrel to only look at exes. With this version there are more regular updates, so I don't want to have to change the source code for every update.

Is there a way that I can only sign EXE files, or could one be added please?

Thanks!

@caesay
Member

caesay commented Jun 19, 2022

I have been thinking about this issue too.

I had done some work a while ago to do parallel signing (signtool.exe seems to reliably sign up to 10 binaries at a time) and this sped up signing overall by ~9x. Would this solution be acceptable/fast enough for you?

I can't seem to find any concrete answers as to if/when DLLs need to be signed, so I am a little hesitant to remove DLL signing without more research and testing.

caesay added the enhancement and os:windows labels on Jun 19, 2022
@stefanolson
Author

It's better than the current situation. I've got 120 DLLs, 1 exe. So even the speed of signing the equivalent of approx. 15 DLLs would still be a bit slow. Really all I need is an option just to sign exes only; I can understand your apprehension if people assume that's the right thing to do. I'm signing it basically to ensure that when the user starts the software on the machine, it can check the signing certificate and show the user that it is a properly signed executable. So DLLs aren't a worry for me.

The other thought is that of those 121 DLLs only 3 or 4 ever change in a normal update cycle. Is there a way you could store the signed versions and reuse them if there are no changes?

Thanks!

@peppy

peppy commented Jun 19, 2022

As one data point, we generally would prefer to have DLLs signed (although it does add considerable overhead to the build process) as it's one security measure we can take to ensure tampering has not occurred in distributions. Historically we've checked signatures on DLLs at load time (manually), but I don't think it's required by any specification on Windows.

Caching post-signed DLLs would be pretty cool, I could definitely get behind that.
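The three ideas raised in this thread (caesay's bounded number of concurrent signtool.exe runs, stefanolson's reuse of already-signed DLLs when the input has not changed, and an exe-only switch) sketched as one PowerShell script. This is an added example, not the project's own code or anything from the commenters. Everything environment-specific is an assumption: signtool.exe from the Windows SDK on PATH, a signing certificate in the current user's store selected by a placeholder SHA-1 thumbprint, a placeholder RFC 3161 timestamp URL, and the `.\publish` and `.\sign-cache` folder names.

```powershell
<#
  Added example (not the project's code). Hypothetical assumptions: signtool.exe is on PATH,
  the signing cert is in the CurrentUser store and selected by thumbprint (so no password
  appears on the command line), and the TSA URL and folder names below are placeholders.
#>
param(
    [string]$ReleaseDir   = '.\publish',                                 # assumption: build output
    [string]$CacheDir     = '.\sign-cache',                              # assumption: kept between builds
    [string]$CertSha1     = '0000000000000000000000000000000000000000',  # assumption: replace
    [string]$TimestampUrl = 'http://timestamp.example.invalid',          # assumption: replace
    [switch]$ExeOnly,                                                    # the option requested in this issue
    [int]$MaxParallel     = 10                                           # concurrent signtool processes
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $CacheDir | Out-Null

$include = if ($ExeOnly) { '*.exe' } else { '*.exe', '*.dll' }
$files   = Get-ChildItem -Path $ReleaseDir -Recurse -File -Include $include

$toSign = @()
foreach ($f in $files) {
    # Files that already carry a valid Authenticode signature (e.g. vendor-signed runtime
    # DLLs) are left alone; "signtool sign" would otherwise replace that signature with ours.
    if ((Get-AuthenticodeSignature -FilePath $f.FullName).Status -eq 'Valid') { continue }

    # Cache key is the SHA-256 of the UNSIGNED bytes: the same input was already signed once,
    # so the stored signed copy can be reused as-is.
    $hash   = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    $cached = Join-Path $CacheDir ($hash + $f.Extension)
    if ((Test-Path $cached) -and
        (Get-AuthenticodeSignature -FilePath $cached).Status -eq 'Valid') {
        Copy-Item -Path $cached -Destination $f.FullName -Force
        Write-Host "cache hit  $($f.Name)"
        continue
    }
    $toSign += [pscustomobject]@{ Path = $f.FullName; Cached = $cached }
}

# Launch signtool per file, never more than $MaxParallel processes at once.
$jobs = @()
foreach ($item in $toSign) {
    while (@($jobs | Where-Object { -not $_.Proc.HasExited }).Count -ge $MaxParallel) {
        Start-Sleep -Milliseconds 100
    }
    $signArgs = @('sign', '/fd', 'SHA256', '/td', 'SHA256',
                  '/tr', $TimestampUrl, '/sha1', $CertSha1,
                  "`"$($item.Path)`"")                       # quoted: paths may contain spaces
    $proc = Start-Process -FilePath 'signtool.exe' -ArgumentList $signArgs -NoNewWindow -PassThru
    $jobs += [pscustomobject]@{ Proc = $proc; Item = $item }
}
$jobs | ForEach-Object { $_.Proc.WaitForExit() }

# Only results that signtool reported as success AND that verify locally go into the cache.
$failed = @()
foreach ($j in $jobs) {
    $sig = Get-AuthenticodeSignature -FilePath $j.Item.Path
    if ($j.Proc.ExitCode -ne 0 -or $sig.Status -ne 'Valid') {
        $failed += $j.Item.Path
        continue
    }
    Copy-Item -Path $j.Item.Path -Destination $j.Item.Cached -Force
    Write-Host "signed     $(Split-Path -Leaf $j.Item.Path)"
}
if ($failed.Count -gt 0) {
    throw "signing failed for: $($failed -join ', ')"
}
```

Run as `.\sign.ps1 -ExeOnly` for the behaviour asked for in this issue, or without the switch to sign DLLs too; with the 120-DLL layout described above, an unchanged DLL costs one hash and one copy instead of a signtool round trip. Two caveats a release engineer would want: a cache hit reuses the old signature and its timestamp, so the cache directory must be cleared when the signing certificate is rotated or revoked; and skipping files whose existing signature is already valid keeps third-party vendor signatures intact, but it also means a previously signed file from an earlier build is never re-signed even if your own certificate has changed.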

caesay closed this as completed in 5f9f594 on Aug 24, 2022
@caesay
Member

caesay commented Aug 24, 2022

Signing parallelism and exe-only signing is in 5f9f594. I will ship this as a v3 release soon, but will not be porting these changes to v2.

@stefanolson
Author

Thanks so much!
