[jitsi-dev] Re: [jitsi~svn:9228] Fixes a crash in the Microsoft Outlook Contacts and Address Book integrat


#1

Hey Lyubo

> Modified Paths:
> ---------------
> trunk/lib/native/windows/jmsoutlookaddrbook.dll
> trunk/lib/native/windows-64/jmsoutlookaddrbook.dll

If I think back to our journey with the AV vendors: although the DLL is currently not marked as malicious by any engine on VirusTotal, now that we have a Code-Signing Certificate do you think it would make sense to sign the DLLs? I guess it would give some heuristic engines at least a hint in their scoring.

Regards,
Ingo


#2

Hi, Ingo! Nice to hear from you!

2011/12/18 Bauersachs Ingo <ingo.bauersachs@fhnw.ch>:

> trunk/lib/native/windows/jmsoutlookaddrbook.dll
> trunk/lib/native/windows-64/jmsoutlookaddrbook.dll
>
> If I think back to our journey with the AV vendors: although the DLL is currently not marked as malicious by any engine on VirusTotal, now that we have a Code-Signing Certificate do you think it would make sense to sign the DLLs? I guess it would give some heuristic engines at least a hint in their scoring.

I don't know whether signing the DLLs will make a difference in that
respect. Anyway, I remember Damian mentioned it to me a while back, I
talked to Emil and he thought it was a good idea. So I guess we'll try
it as soon as possible. Thank you very much for the note!

Best regards,
Lyubomir


#3

Hi,

Starting with build 3842, the DLLs are now signed.

Regards
damencho



#4

Thanks, Damian!
Have you considered timestamping the signing process? The attached patch should do the trick, but I don't have a cert-file at hand to test it.

Regards,
Ingo

Timestamp-signed-files.patch (504 Bytes)



#5

Hi,

I'm not familiar with this. What is the reason to timestamp the dll or
exe/msi files?

Regards
damencho



#6

Quote from a Comodo-FAQ:
"Timestamping ensures that code will not expire when certificate expires. If your code is timestamped the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers."

Not too much of an issue given how often we release currently, but as soon as the end of the certificate's lifetime nears it might become one.

(I stumbled upon this today for a signed, but not timestamped jnlp (Webstart) file).

Regards,
Ingo



#7

Hey,

I've tested it and committed it. If the server is wrong or missing, the
signing finishes successfully and just prints a warning. Thanks Ingo.

Cheers
damencho
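
A build-side check for the case described in #7, where a wrong or missing timestamp server only produces a warning. The following PowerShell is an added example, not part of the thread or of the Jitsi build; the directory `.\lib\native` and the function name `Test-TimestampedSignature` are assumptions. It reports each binary's signer certificate expiry and whether a timestamp countersignature is present, and fails when a file is unsigned, invalid or not timestamped.

```powershell
# Added example: fail a build when a signed binary carries no timestamp.
# Without a timestamp, the signature stops validating once the signing
# certificate expires (the point of the Comodo FAQ quoted in #6).
function Test-TimestampedSignature {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        # File types named in the thread: dll, exe, msi.
        [string[]] $Include = @('*.dll', '*.exe', '*.msi')
    )

    Get-ChildItem -Path $Directory -Recurse -File -Include $Include | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            Status        = $sig.Status
            # Empty when the file is not signed at all.
            SignerExpires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter }
            # TimeStamperCertificate is only set when a countersignature exists.
            Timestamped   = $null -ne $sig.TimeStamperCertificate
        }
    }
}

# Assumed location of the signed binaries; adjust to the build output.
$results = @(Test-TimestampedSignature -Directory '.\lib\native')
$results | Format-Table -AutoSize

# Treat a missing timestamp as a build failure, not a warning.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Error "Unsigned, invalid or not timestamped: $($_.Path)" }
    exit 1
}
```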
