Here's what happened with Release #65... (we're NOW at #66!)


Status
Not open for further replies.

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
Gang,

Those of you who managed to push past Windows/Microsoft's worries about the signing of unknown code with an unknown certificate will have then hit an "Error: 8" report.

Error 8 is: "Downloaded update failed Authenticode verification"

I have been SUPER CAREFUL to prevent the possibility that anyone might subvert GRC's server and place a malicious SQRL app there. So the EXISTING instance of SQRL that performs the self-upgrade first downloads the candidate newer release as a non-executable filename then verifies not ONLY that the file is properly signed, but that it is signed by DigiCert. The certificate issuer it looks for is: "DigiCert SHA2 Assured ID Code Signing CA". And ONLY IF the certificate's issuer exactly matches that, will the old SQRL decide that it can trust the new SQRL, and it will step aside.

The problem is, not only do I have a new certificate, but I have a fancy new hardware-token signed EV certificate. And, guess what? It comes with a fancy DIFFERENT certificate issuer! <sigh> The new one is signed by: "DigiCert EV Code Signing CA (SHA2)". As we can see... this will FREAK OUT the existing Release #64 of SQRL (or anything earlier) since it won't know anything about that... and it will issue an "Error: 8" and FOREVER refuse to update to that newer release.

This is an "auto-updater" block. So (and I'm REALLY SORRY about this!) but EVERYONE is going to need to arrange to manually download and run the latest release #65 of the SQRL.exe which is NOW on the server here: https://www.grc.com/dev/sqrl.exe (4/21/2019 3:35 PM). The earlier releases did not know about the newer code signing certificate.

When you run THAT executable on a machine having release #64 or #65, it will see that it's a later release and it will update that machine... and all will be good from then on.
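A model of the updater check described in the post above, added here as an example (it is not SQRL's code or the author's). `Release`, `check_update` and `upgrade` are hypothetical names, the Authenticode result is a boolean stand-in, and builds 1-3 are constructed to show one common way a pinned issuer can be rotated without blocking the auto-updater.

```python
from dataclasses import dataclass

ERR_AUTHENTICODE = 8  # "Downloaded update failed Authenticode verification"
OLD_ISSUER = "DigiCert SHA2 Assured ID Code Signing CA"
EV_ISSUER = "DigiCert EV Code Signing CA (SHA2)"

@dataclass(frozen=True)
class Release:                      # hypothetical model of one signed build
    number: int
    signature_valid: bool           # stands in for the platform's Authenticode result
    issuer: str                     # issuer name on the signing certificate
    trusted_issuers: frozenset      # issuers this build accepts for its successor

def check_update(installed, candidate):
    """Return 0 to accept the downloaded candidate, else ERR_AUTHENTICODE."""
    if not candidate.signature_valid:
        return ERR_AUTHENTICODE
    if candidate.issuer not in installed.trusted_issuers:  # exact string match
        return ERR_AUTHENTICODE
    return 0

def upgrade(installed, chain):
    """Offer each release in order; return (final release number, result codes)."""
    codes = []
    for candidate in chain:
        code = check_update(installed, candidate)
        codes.append(code)
        if code == 0:
            installed = candidate   # the old build steps aside
    return installed.number, codes

def described_scenario():
    """Release #64 pins one issuer; #65 is signed under the EV issuer."""
    r64 = Release(64, True, OLD_ISSUER, frozenset({OLD_ISSUER}))
    # What #65 itself trusts is not stated on the page; it does not matter here.
    r65 = Release(65, True, EV_ISSUER, frozenset({EV_ISSUER}))
    return upgrade(r64, [r65])

def bridged_scenario():
    """Constructed builds 1-3: build 2 is still signed under the old issuer but
    already trusts the new one, so build 3 can switch certificates."""
    b1 = Release(1, True, OLD_ISSUER, frozenset({OLD_ISSUER}))
    b2 = Release(2, True, OLD_ISSUER, frozenset({OLD_ISSUER, EV_ISSUER}))
    b3 = Release(3, True, EV_ISSUER, frozenset({OLD_ISSUER, EV_ISSUER}))
    return upgrade(b1, [b2, b3])

if __name__ == "__main__":
    print(described_scenario(), bridged_scenario())
```

The bridge only helps installations that take the intermediate build before the certificate changes; anything older still needs the manual download.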
 

silversword

Well-known member
Mar 21, 2019
49
9

Attachments


mikeelgan

Member
May 19, 2018
8
4

Attachments

Steve

Things appear to be fluctuating. Now Cylance is happy but now Kaspersky and ZoneAlarm are unhappy. They'll get it figured out.
 

RobAllen

New member
Mar 4, 2019
3
0
Please ignore this if you've already answered this question and I've simply missed it, but what will prevent this from happening again in the future? There's almost no chance that you can expect a static Cert Issuer string in perpetuity. Once rolled out, you can no longer expect users to manually update.

Also, this indicates that every update error screen needs a link to either the SQRL download page or the SQRL executable itself. Perhaps every error screen, anywhere, needs a link to a relevant SQRL page. Regardless of this particular issue, a large number of users will experience errors and will need some simple, understandable way to recover from them.
 

PHolder

Well-known member
May 19, 2018
1,235
205
RobAllen said: "what will prevent this from happening again in the future"
An analogy: cops have been known to frequently target certain people and cars for extra inspection. This is generally unfair, but it's unclear how the targets can do anything about who they are... and it seems unfair to expect them to live a different life just because they may encounter more resistance than others.

In the same vein it seems there is little Steve can do to prevent malware cops from assuming his code needs extra inspection. All he can do is make his code work well... and let the chips fall where they may.
 

TecMunky

Member
Mar 8, 2019
10
2
I just discovered that Symantec Endpoint Protection is quarantining the installer (version 66).
I was able to manually create an exclusion - and now it installs.
 

rob42

Well-known member
May 20, 2018
103
3
UK
rob42.net
Thanks for letting us know, Steve. In fact, for both of the updates that have been made since I started to use your Client, I've checked here before allowing the update to run. The first one (about a week ago, I think) updated without any fuss. For this one, I never even let it try, after reading what you posted. I simply d/loaded your new version and let it do its thing; no worries, it worked as expected.

Thanks Steve, I know that you're a busy chap, so keeping this Client updated is a real bonus, one that I very much appreciate.

B.t.w: a nice new blog. +1 :)
 

sj phillips

Active member
May 20, 2018
32
6
I wish I could join all the happy stories, but I still cannot download manually. The message that prevents sqrl.exe from downloading is from Windows Defender Smart Screen. I'll go look into disabling Smart Screen or Windows Defender.
 

shanedk

Well-known member
May 20, 2018
421
113
So, does this issuer check not work on Linux? Because while on my Win10 machine my only recourse was a manual install, on my Debian box it updated as normal, pretty as you please.
 

sj phillips

Manual install not working. I cannot find a Win 10 setting for Windows Defender to whitelist SQRL.exe downloads or even disable entirely.
If anyone can give me a hint how to proceed, I would appreciate it.
 

Dave

Well-known member
May 19, 2018
487
98
Gardner, MA
Windows Security -> Virus & threat protection settings -> Exclusions -> Add or remove exclusions.

You can also click on the threat warning in the events window, click on the "Severe" drop-down and tell it to allow the threat. Though I believe that would allow real occurrences of the threat as well, so I certainly wouldn't leave it allowed.
 

PHolder

It would appear that Windows Smart Screen is not so smart... I downloaded without issue using Firefox, and it ran, recognized the older version, and installed/upgraded without any complaints from Windows. Perhaps you should consider not using Windows Explorer/Edge for the download, for now.
 

Dave

I use Chrome and had problems until I told Windoze to ignore sqrl.exe.
 