On 05/09/2017 16:15, Илья Шипицин wrote: > > > 2017-09-05 18:02 GMT+05:00 Samuli Seppänen <sam...@openvpn.net > <mailto:sam...@openvpn.net>>: > > On 05/09/2017 14:30, Илья Шипицин wrote: > > > > > > 2017-09-05 12:15 GMT+05:00 Samuli Seppänen <sam...@openvpn.net > <mailto:sam...@openvpn.net> > > <mailto:sam...@openvpn.net <mailto:sam...@openvpn.net>>>: > > > > On 04/09/2017 16:32, Igor Bozovic wrote: > > > Hello, > > > > > > I downloaded openvpn-install-2.4.3-I602.exe from > > > https://openvpn.net/index.php/open-source/downloads.html > <https://openvpn.net/index.php/open-source/downloads.html> > > <https://openvpn.net/index.php/open-source/downloads.html > <https://openvpn.net/index.php/open-source/downloads.html>> and uploaded > > > the file to https://www.virustotal.com. > > > > > > Baidu and TrendMicro-HouseCall reported a virus: > > > > https://www.virustotal.com/#/file/f722ff1d187951c4e7454e2d845ba6d0d43d505112e073fa60b67b350fd6bc87/detection > > <https://www.virustotal.com/#/file/f722ff1d187951c4e7454e2d845ba6d0d43d505112e073fa60b67b350fd6bc87/detection> > > > <https://www.virustotal.com/#/file/f722ff1d187951c4e7454e2d845ba6d0d43d505112e073fa60b67b350fd6bc87/detection > > <https://www.virustotal.com/#/file/f722ff1d187951c4e7454e2d845ba6d0d43d505112e073fa60b67b350fd6bc87/detection>> > > > > > > I used gpg to check the file integrity: > > > > > > -------------------- > > > gpg -v --verify openvpn-install-2.4.3-I602.exe.asc > > > gpg: armor header: Version: GnuPG v1 > > > gpg: assuming signed data in `openvpn-install-2.4.3-I602.exe' > > > gpg: Signature made петак, 14. јул 2017. (this means Friday, 14th > July) > > > 15:28:49 CEST using RSA key ID 8CC2B034 > > > gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7 > > > gpg: using PGP trust model > > > gpg: Good signature from "OpenVPN - Security Mailing List > > > <secur...@openvpn.net <mailto:secur...@openvpn.net> > <mailto:secur...@openvpn.net <mailto:secur...@openvpn.net>> > > <mailto:secur...@openvpn.net <mailto:secur...@openvpn.net> > <mailto:secur...@openvpn.net <mailto:secur...@openvpn.net>>>>" > > > gpg: WARNING: This key is not certified with a trusted signature! > > > gpg: There is no indication that the signature belongs > to the > > > owner. > > > Primary key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 > 2F2B 01E7 > > > Subkey fingerprint: B596 06E2 D8C6 E10B 80BE 2B31 D72A F344 > 8CC2 B034 > > > gpg: binary signature, digest algorithm SHA1 > > > -------------------- > > > > > > I assume it's a false positive, but I would appreciate if you > could > > > confirm this. I guess that the exe file could be infected at > compile time. > > > > > > recently we (I work in private company in Russia) were contacted by > > GlobalSign CA, they want to sell us digital certificates. > > > > they state that if we will buy EV codesign cert, so SmartScreen filter > > will automatically "whitelist" our software. > > > > @mattock, am I right, openvpn binaries are signed with codesign EV > already ? > > > > No. Only the tap-windows6 driver has been signed with an EV certificate. > Everything else has been signed with a "normal" AuthentiCode > certificate. > > In our case EV signing is done with a special dongle. The dongle > integrates with Windows Certificate Store, but I've been told that it > has a built-in failure counter. Afaik if the fail count exceed the > dongle will be bricked, or at least disabled,. As such, the dongle is > not particularly well suited for automation like that used in > openvpn-build. > > > well, I hope that we will issue codesign EV for ourselves, I will test > it with whitelisting and tell you >
Great, thanks! Samuli ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users