Here's what happened with Release #65... (we're NOW at #66!)

[Steve]

Gang,

Those of you who managed to push past Windows/Microsoft's worries about the signing of unknown code with an unknown certificate will have then hit a "Error: 8" report.

Error 8 is: "Downloaded update failed Authenticode verification"

I have been SUPER CAREFUL to prevent the possibility that anyone might subvert GRC's server and place a malicious SQRL app there. So the EXISTING instance of SQRL that performs the self-upgrade first downloads the candidate newer release as a non-executable filename then verifies not ONLY that the file is properly signed, but that it is signed by DigiCert. The certificate issuer it looks for is: "DigiCert SHA2 Assured ID Code Signing CA". And ONLY IF the certificate's issuer exactly matches that, will the old SQRL decide that it can trust the new SQRL, and it will step aside.

The problem is, not only do I have a new certificate, but I have a fancy new hardware-token signed EV certificate. And, guess what? It comes with a fancy DIFFERENT certificate issuer! <sigh> The new one is signed by: "DigiCert EV Code Signing CA (SHA2)". As we can see... this will FREAK OUT the existing Release #64 of SQRL (or anything earlier) since it won't know anything about that... and it will issue an "Error: 8" and FOREVER refuse to update to that newer release.

This is an "auto-updater" block. So (and I'm REALLY SORRY about this!) but EVERYONE is going to need to arrange to manually download and run the latest release #65 of the SQRL.exe which is NOW on the server here: https://www.grc.com/dev/sqrl.exe (4/21/2019 3:35 PM). The earlier releases did not know about the newer code signing certificate.

When you run THAT executable on a machine having release #64 or #65, it will see that it's a later release and it will update that machine... and all will be good from then on.

 

[Roger]

Just followed your instructions and all is working fine.
Thanks Steve!

 

[silversword]

Microsoft (defender) still thinks it's a virus. Previously Fuerboos.C!cl (as part of auto-update), now with the latest 4/21/2019 3:35pm it thinks it's the Win32/Spursint.F!cl

I Allowed manually, had to re-download it then it installed.

Uploaded and marked safe with Virustotal: https://www.virustotal.com/#/file/b...71f6b0c18913aa9f369fbd810d5b2528a87/community

 

[rickdeckardbr26354]

Same here - windows 10 Defender treating the update as Trojan:Win32/Spursint.F!cl virus

 

[Steve]

Just followed your instructions and all is working fine.
Thanks Steve!

Thanks for confirming, Roger!

 

[Steve]

Uploaded and marked safe with Virustotal: https://www.virustotal.com/#/file/b...71f6b0c18913aa9f369fbd810d5b2528a87/community

Nice! Thanks for that. I see that VT now has it as 0/63. So we're making progress. Once Windows Defender catches up we should be good. I'm going to try a Windows Defender scan and see what it does.

 

[mikeelgan]

Nice! Thanks for that. I see that VT now has it as 0/63. So we're making progress. Once Windows Defender catches up we should be good. I'm going to try a Windows Defender scan and see what it does.

Virustotal still indicating a problem. FYI!!!!! See attached.
https://sqrl.grc.com/attachments/upload?type=post&context[thread_id]=562&hash=3556a08f7ce0e507a6e7e345ed3afea4

 

[Steve]

Things appear to be fluctuating. Now Cylance is happy but now Kaspersky and ZoneAlarm are unhappy. They'll get it figured out.

 

[RobAllen]

Please ignore this if you've already answered this question and I've simply missed it, but what will prevent this from happening again in the future? There's almost no chance that you can expect a static Cert Issuer string in perpetuity. Once rolled out, you can no longer expect users to manually update.

Also, this indicates that every update error screen needs a link to either the SQRL download page or the SQRL executable itself. Perhaps every error screen, anywhere, needs a link to a relevant SQRL page . Regardless of this particular issue, a large number of users will experience errors and will need some simple, understandable way to recover from them.

 

[silversword]

Here's some of the things that Defender said "whoa, looks fishy". Might be an idea to document all the things SQRL does at some final resting point.

 

[PHolder]

what will prevent this from happening again in the future

An analogy: cops have been known to frequently target certain people and cars for extra inspection. This is generally unfair, but it's unclear how the targets can do anything about who they are... and it seems unfair to expect them to live a different life just because they may encounter more resistance than others.

In the same vein it seems there is little Steve can do to prevent malware cops from assuming his code needs extra inspection. All he can do is make his code work well... and let the chips fall where they may.

 

[TecMunky]

I just discovered that Symantec Endpoint Protection is quarantining the installer (version 66).
I was able to manually create an exclusion - and now it installs.

 

[rob42]

Gang,

Those of you who managed to push past Windows/Microsoft's worries about the signing of unknown code with an unknown certificate will have then hit a "Error: 8" report.

Error 8 is: "Downloaded update failed Authenticode verification"

I have been SUPER CAREFUL to prevent the possibility that anyone might subvert GRC's server and place a malicious SQRL app there. So the EXISTING instance of SQRL that performs the self-upgrade first downloads the candidate newer release as a non-executable filename then verifies not ONLY that the file is properly signed, but that it is signed by DigiCert. The certificate issuer it looks for is: "DigiCert SHA2 Assured ID Code Signing CA". And ONLY IF the certificate's issuer exactly matches that, will the old SQRL decide that it can trust the new SQRL, and it will step aside.

The problem is, not only do I have a new certificate, but I have a fancy new hardware-token signed EV certificate. And, guess what? It comes with a fancy DIFFERENT certificate issuer! <sigh> The new one is signed by: "DigiCert EV Code Signing CA (SHA2)". As we can see... this will FREAK OUT the existing Release #64 of SQRL (or anything earlier) since it won't know anything about that... and it will issue an "Error: 8" and FOREVER refuse to update to that newer release.

This is an "auto-updater" block. So (and I'm REALLY SORRY about this!) but EVERYONE is going to need to arrange to manually download and run the latest release #65 of the SQRL.exe which is NOW on the server here: https://www.grc.com/dev/sqrl.exe (4/21/2019 3:35 PM). The earlier releases did not know about the newer code signing certificate.

When you run THAT executable on a machine having release #64 or #65, it will see that it's a later release and it will update that machine... and all will be good from then on.

Thanks for letting us know, Steve. In fact, for both of the updates that have been made since I started to use your Client, I've checked here before allowing the update to run. The first one (about a week ago, I think) updated without any fuss. For this one, I never even let it try, after reading what you posted. I simply d/loaded your new version and let it do it's thing; no worries, it worked as expected.

Thanks Steve, I know that you're a busy chap, so keeping this Client updated is a real bonus, one that I very much appreciate.

B.t.w: a nice new blog. +1

 

[sj phillips]

I wish I could join all the happy stories, but I still cannot download manually. The message that prevents sqrl.exe from downloading is from Windows Defender Smart Screen. I'll go look into disabling Smart Screen or Windows Defender.

 

[shanedk]

So, does this issuer check not work on Linux? Because while on my Win10 machine my only recourse was a manual install, on my Debian box it updated as normal, pretty as you please.

 

[sj phillips]

Manual install not working. I cannot find a Win 10 setting for Windows Defender to whitelist SQRL.exe downloads or even disable entirely.
If anyone can give me a hint how to proceed, I would appreciate it.

 

[sj phillips]

 

[Dave]

Manual install not working. I cannot find a Win 10 setting for Windows Defender to whitelist SQRL.exe downloads or even disable entirely.
If anyone can give me a hint how to proceed, I would appreciate it.

Windows Security -> Virus & threat protection settings -> Exclusions -> Add or remove exclusions.

You can also click on the threat warning in the events window, click on the "Severe" drop-down and tell it to allow the threat. Though I believe that would allow real occurrences of the threat as well, so I certainly wouldn't leave it allowed.

 

[PHolder]

It would appear that Windows Smart Screen is not so smart... I downloaded without issue using Firefox, and it ran, recognized the older version, and installed/upgraded without any complaints from Windows. Perhaps you should consider not using Windows Explorer/Edge for the download, for now.

 

[Dave]

It would appear that Windows Smart Screen is not so smart... I downloaded without issue using Firefox, and it ran, recognized the older version, and installed/upgraded without any complaints from Windows. Perhaps you should consider not using Windows Explorer/Edge for the download, for now.

I use Chrome and had problems until I told Windoze to ignore sqrl.exe.