Security and trust enhancements for Windows users of October #54
marcus-crane
announced in Announcements
In short: October is now code signed on Windows!
This means that new versions of October will no longer be flagged by Windows as software from an unknown publisher.
All new versions will carry a digital signature. If an October installer doesn't have a digital signature (i.e. it came from somewhere other than this GitHub repository), it should NOT be used.
Hi there,
First off, thanks to everyone who has taken October for a spin so far.
October has no telemetry or analytics, so I have no idea who (if anyone) uses it, but I can infer there is some level of usage from the issues filed, and each issue reported helps to make a better product overall.
While I personally use October on macOS, Windows builds have been available since the beginning. I haven't tested them as well as I could have, although October has a very small surface area, so there's not much that differs between the two versions.
Recently I noticed that October downloads on Windows throw up a Microsoft SmartScreen warning, so I did a bit of digging and learned quite a bit.
In short, SmartScreen checks downloaded files against Microsoft's reputation data and warns the user when it can't establish that a file is trustworthy, although it isn't obvious at first how that determination is made.
In addition, users running at the default User Account Control level will receive yet another warning, which can be quite scary for new users.
How October has looked on Windows before today
When running the October installer, users are presented with a User Account Control prompt asking whether they want to allow software from an unknown publisher to make changes to their device.
After that step, Microsoft SmartScreen may also appear and warn that this unrecognized app might be unsafe, if the software hasn't been run often enough to establish a reputation.
Users can still continue, but it doesn't exactly inspire confidence in less technical users who don't know how these systems work.
To be clear, what is going on here is that October has not been signed by a trusted entity. When I say trust, I mean it in a technical sense: a lack of trust does not imply that someone is untrustworthy, simply that they are unknown.
Software is trusted by signing it with a code-signing certificate. The publisher's private key produces a signature over the binary, and the certificate, issued by a certificate authority after checking the publisher's identity, is embedded alongside it. The certificate effectively says "this piece of software was produced by X", where X could be a business or an individual developer.
Without a signature, Windows has no way to tell who produced a piece of software or whether it has been altered since it left the publisher. This is perfectly fine for homegrown software, of course, but as you start to distribute software, as I am now, it makes sense to go through the signing process so users can have improved confidence when installing October.
If you don't sign, SmartScreen does still learn over time that a particular file is safe, and it stops presenting the above warning once enough users have run that file.
The trouble is that this accumulated reputation is tied to the specific file (in effect, to that exact build), so as soon as I release a new version, the cycle has to start again and the trust is rebuilt from scratch.
By signing with a certificate, that reputation can instead be attributed to my developer identity, and it carries over from version to version.
Likewise, if I were to start distributing malicious software, the reputation of my developer identity would become impaired and all previous and future versions would start throwing up warnings again. In that sense, signing improves trust in both directions.
How October will look on Windows going forward
So, that brings us to today. As mentioned, I've been a bit hesitant to release a new version of October, as doing so would invalidate all of the accrued trust for the currently released version and start the process again.
After spending a bit of money and going through a validation process that required me to provide a government ID and other things, I've acquired a developer certificate, and this is now used to sign October!
All new versions will carry this signature, starting with v1.1.0, which will be released shortly after this post goes live. The signature is visible under Properties -> Digital Signatures on the installer and can be used to confirm that you've downloaded it from a legitimate source.
Do note that Microsoft SmartScreen will still appear for a bit, although this time it will carry publisher details instead of saying "Unknown Publisher".
Once reputation for the latest version of October has built up (through users downloading and installing it), that reputation should be associated with my developer identity, and further versions of October won't throw up a SmartScreen warning anymore.
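The post's advice amounts to two checks: refuse an installer that carries no digital signature, and confirm via Properties -> Digital Signatures that the signature belongs to the expected publisher. The following PowerShell script is an added example of doing both from the command line; it is not part of October or this post. The installer file name and the expected publisher string are assumptions (take the real subject from Properties -> Digital Signatures of a known-good build), and the timestamp and Mark-of-the-Web checks at the end are general practice rather than anything the post states.

```powershell
# Added example, not from the October project: verify a downloaded October
# installer's Authenticode signature and its signer before running it.
# Assumptions: the file name below and the ExpectedPublisher placeholder.
param(
    [string]$InstallerPath = ".\October-Setup.exe",                       # assumed name
    [string]$ExpectedPublisher = "CN=<publisher subject from a known-good build>"  # assumed
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status is NotSigned for an unsigned file, HashMismatch if the file changed
# after signing, NotTrusted when the chain does not end in a trusted root,
# and Valid only when signature, hash and certificate chain all check out.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    Write-Warning "Do not run $InstallerPath."
    exit 1
}

# A valid signature from the wrong publisher is still the wrong installer.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedPublisher*") {
    Write-Warning "Signed, but by an unexpected publisher: $subject"
    exit 1
}

# A timestamp countersignature keeps the signature verifiable after the
# signing certificate itself expires; its absence is worth noting, not fatal.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "Signature is not timestamped."
}

"OK: $InstallerPath is signed by $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"

# SmartScreen only evaluates files that still carry the Mark of the Web.
# ZoneId=3 in this alternate data stream means the file came from the Internet zone.
Get-Content -Path $InstallerPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
```

Run it against a freshly downloaded installer before double-clicking. The same verification is available from the Windows SDK with `signtool verify /pa /v <file>`, which prints the full certificate chain; the script above is the equivalent you can script into a pre-install check.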
As always, if you have any questions, feel free to open a GitHub issue or send me an email via [email protected].
In other news, I now have a Windows desktop, so I can take October for Windows through its paces quite a lot more than I could when running on a virtual machine.