Support Board
Date/Time: Wed, 19 Mar 2025 18:32:33 +0000
[User Discussion] - The installation-package is not digitally signed.
View Count: 1055
| [2022-09-17 17:46:59] |
| User408639 - Posts: 70 |
|
Moin Moin. Neither "https://download2.sierrachart.com/downloads/SierraChartFileDownloader.exe" nor "https://www.sierrachart.com/downloads/ZipFiles/SierraChart2439.zip" are digitally signed. As the download "https://download2.sierrachart.com/downloads/SierraChartFileDownloader.exe" does yield an error, I do not even know, who created the download. Can You, please sign the downloader as well as any of its files. Tschüß, Michael. P.S.: On the other hand, "Notepad++" included in Your download is signed.: If I download "https://www.sierrachart.com/downloads/ZipFiles/SierraChart2439.zip", unpack it, and check the files in it, I find that "SierraChart2439\NPP\notepad++.exe" is digitally signed.: 1. Right click on it, 2. click on properties, 3. select the "digital signatures"-tab, 4. double click the "Notepad++ sha1 Wednesday, 4. December 2019 02:43:16 Uhr"-signature, and it is verified. |
| [2022-09-30 10:27:11] |
| User408639 - Posts: 70 |
|
P.S.: Using it in a VM I saw, that You did sign Your Exes, just not Your downloader. Can You, please, sign it as well. Setting the environment-variable "clr_SQL_DLLen_Zertifikatsfingerabdruck" to Your certificate's thumbprint "52352d23a607539180f16591bb34c1230c1f7c9f" You can just use in Your Visual-Studio-Postbuild-Step.: powershell -command "Unterschreibe-Assembly -Datenkarteienname \"$(Targetpath)\" -Verbose|ft -autosize" ________________________________________________________________________________________ filter Unterschreibe-Assembly ` { <# .Synopsis Signiert eine Assembly mit $sha1_Schluessel=$env:clr_SQL_DLLen_Zertifikatsfingerabdruck. .Description Signiert die Assembly $Datenkarteienname mit dem Schlüssel zu dem Fingerabrucke $sha1_Schluessel=$env:clr_SQL_DLLen_Zertifikatsfingerabdruck sowie dem Timestampserver $Zeitendiener. .Parameter Zeitendiener Der Timestampserver des Zertifkates. .Parameter Datenkarteienname Der Pfad der zu signierenden Assembly . .Parameter sha1_Schluessel Der Fingerabdruck des signierenden Zertifikate's . .Example powershell -command "Unterschreibe-Assembly -Datenkarteienname \"$(Targetpath)\" -Verbose|ft -autosize" #> [cmdletbinding(SupportsShouldProcess=$true) ]param( [Parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)][string]$Datenkarteienname ,[string]$Zeitendiener="http://timestamp.digicert.com",[string]$sha1_Schluessel=$env:clr_SQL_DLLen_Zertifikatsfingerabdruck,[string]$Signaturenalgorithmus="sha512" ,[string[]]$Signaturenverzeichnisse=("cert:\currentuser\my","cert:\LocalMachine\my"),[switch]$Kurz ###@@@"http://timestamp.verisign.com/scripts/timstamp.dll" ergibt keine verwendbaren Zeitenstempel mehr.: Michael Soliman.: 2019-08-04T18:29:55.5046751+02:00. );$Befehlchensname="Unterschreibe-Assembly" $PSB=$PSBoundParameters #@@@Diese Zuweisung ermöglicht das ("$PSBoundParameters")-Wertedebugging. if($PSB["Verbose"]){$v=$true}else{$v=$false} if($PSB["Kurz" ]){$K=$true}else{$K=$false} #Write-Host "Verbose=$($v),Kurz=$($Kurz)." -ForegroundColor DarkRed -BackgroundColor DarkYellow Write-Verbose ($Jetztmeldung="$Befehlchensname.: `$Jetzt=$(($Jetzt=$([Datetime]::Now.ToString("o")))),`$Datenkarteienname=`"$Datenkarteienname`".") -Verbose:($v) $Zertifikat=(dir -recurse $Signaturenverzeichnisse|where{(($_.Thumbprint-eq"$sha1_Schluessel")-and($_.PSParentPath-ilike"*\My"))})|select -first 1; #|ft -AutoSize -Wrap [0] #Write-Host "Zertifikat=$($Zertifikat)." -ForegroundColor DarkGreen -BackgroundColor DarkYellow if( $v){Write-Host "`$Jetztmeldung=$Jetztmeldung,`$Zeitendiener=`"$Zeitendiener`"." -ForegroundColor DarkRed -BackgroundColor DarkYellow} #|ft -AutoSize -Wrap #,`$Zertifikat=$Zertifikat $Signaturen=Set-AuthenticodeSignature -FilePath $Datenkarteienname -Cert $Zertifikat -TimestampServer $Zeitendiener -HashAlgorithm $Signaturenalgorithmus -IncludeChain All -Verbose:($v) -ErrorAction Continue #|-HashAlgorithm:"SHA256"ft -AutoSize -Wrap try{}catch[System.Exception]{Write-Host $error}Source if(-not$K){$Signaturen}else{$Signaturen|ä @{name="Thumbprint";expression={$_.SignerCertificate.Thumbprint}},Status,Path} #|ft -AutoSize -Wrap } |
| [2022-10-28 07:44:02] |
| User408639 - Posts: 70 |
|
Moin Moin. Excuse my late answer, please, . I just downloaded "https://download2.sierrachart.com/downloads/SierraChartFileDownloader.exe", again, and it is still not digitally signed (right-clicking the exe, and selecting" properties" there is no "digital signatures"-tab). So, from my point of view it is only marginally trusted, as we have to trust the upload to the https-site. Anyone hacking it can "amend" it by any malware he/she/it likes. The downloaded files are somewhat signed, because the three most important ones are not signed.: 1. "C:\SierraChart\SierraChart.exe" 2. "C:\SierraChart\SierraChartFileDownloader.exe" 3. "C:\SierraChart\Data\UserContributedStudies_64.dll" So, this is a major security-problem (for a software with "banking"/"trading"-permissions, if You ask me, everything needs a signature). _Tschüß, __Michael. |
To post a message in this thread, you need to log in with your Sierra Chart account: