Digitally Signing WSUS Offline Updater

Re: Digitally Signing WSUS Offline Updater

Postby WSUSUpdateAdmin » 28.10.2013, 09:25

Hi!

After downloading http://download.wsusoffline.net/wsusoffline87.zip, in my case only the archive itself carries the "from-the-Internet signature", not the files it contains.
So I would like to know the circumstances that led to this behaviour before I make the proposed change, which would in any case only take effect from the second run onwards.

Regards
Torsten
WSUSUpdateAdmin
Administrator
 
Posts: 2245
Joined: 07.07.2009, 14:38

Re: Digitally Signing WSUS Offline Updater

Postby aker » 28.10.2013, 09:29

If a ZIP archive that carries this signature is extracted with Windows Explorer (I don't know how it looks with other archivers), every file copied out of the archive receives this signature.

When exactly this behaviour occurs (copying individual files, extracting via the "Extract all" option) is something I have not yet looked at in detail.

Kind regards
Whoever finds spelling mistakes may keep them or auction them off to the highest bidder. / Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32
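The "from-the-Internet signature" discussed in these two posts is the Zone.Identifier alternate data stream (the mark-of-the-web) that NTFS attaches to each downloaded file and that Explorer copies onto files it extracts. The following PowerShell is an added example, not code from the thread or from the WSUS Offline project: it audits a folder for that stream, reports each file's ZoneId, and strips the marker with the supported cmdlet. It assumes Windows, an NTFS volume and PowerShell 3.0 or later; the folder and the two files it creates are constructed for the demo.

```powershell
# Added example (not from the thread): audit a folder for the "from the Internet"
# marker, which NTFS stores per file as the Zone.Identifier alternate data stream
# (the mark-of-the-web), and remove it with the supported cmdlet. Assumes Windows,
# an NTFS volume and PowerShell 3.0 or later; the folder and files below are
# constructed for the demo.

$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

# Two constructed files; one gets the marker a browser download would carry
# (ZoneId=3 is the Internet zone), the other stays clean.
$marked   = Join-Path $demo 'UpdateInstaller.cmd'
$unmarked = Join-Path $demo 'readme.txt'
Set-Content -Path $marked   -Value 'rem constructed sample'
Set-Content -Path $unmarked -Value 'constructed sample'
Set-Content -Path $marked -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-MotwReport {
    # Returns one object per file under $Path with its ZoneId ($null if unmarked).
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $zone = $null
        # A file without the stream makes Get-Content error; SilentlyContinue
        # turns that into "no marker" ($lines stays $null).
        $lines = Get-Content -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
        }
        [pscustomobject]@{
            File   = $_.FullName
            ZoneId = $zone        # 3 = Internet, 4 = Restricted sites, $null = unmarked
            Marked = ($null -ne $zone)
        }
    }
}

# Report before cleanup ...
Get-MotwReport -Path $demo | Format-Table -AutoSize

# ... strip the marker from every file under the folder (the same effect as the
# thread's "streams -d" for this one stream, without touching other streams) ...
Get-ChildItem -Path $demo -Recurse -File | Unblock-File

# ... and list whatever is still marked, which should be nothing.
Get-MotwReport -Path $demo | Where-Object Marked | Format-Table -AutoSize
```

Running the report right after extracting the archive with Explorer, and again after extracting it with another tool, is the direct way to settle the question aker raises about when the marker is propagated. Unblock-File removes only Zone.Identifier, whereas the Sysinternals streams -s -d command quoted later in the thread deletes every alternate data stream under the directory.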

Re: Digitally Signing WSUS Offline Updater

Postby oiaohm » 21.11.2013, 03:06

These two issues are linked.
viewtopic.php?t=3923
lsjohnson2, in fact your issue can come back if someone turns on signed-only.
http://technet.microsoft.com/en-us/libr ... 10%29.aspx

From harry
Please see viewtopic.php?f=5&t=491

Code:
{yourWSUSOUdir}\bin\streams -s -d yourWSUSOUdir

This is just a hack. This disables selective signed checking.

The correct answer is to set up your own self-signing CA with your own code-signing certificate, sign the file, and add that CA to the computers. This way it does not matter what is set; it works. Unsigned is just trouble.
http://stackoverflow.com/questions/8484 ... on-windows

Now of course it would be nice if it were self-signed in the download and you only had to add the CA .cer file into the trust locations.

MITM and Windows signing requirements are the same problem. Fighting the tide will always cause you trouble.

Unsigned is trouble. Unsigned will be questioned more by anti-virus software. Unsigned will run into Windows protection systems. Self-signed: a lot of companies use this for internal applications.

As I stated, there is no money cost to fix this at least halfway. To fix it fully needs a paid-for certificate. To half fix it needs a self-signing CA.

Instructions are fairly simple if the exe were self-signed.
Code:
certmgr.exe -add MyCert.cer -s -r localMachine trustedpublisher
certmgr.exe -add MyCert.cer -s -r localMachine root

With MyCert.cer being the self-signed CA here. The .cer could be in the download file. Yes, in a cmd/bat file to approve.
oiaohm
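The self-signed code-signing setup oiaohm outlines, as an added PowerShell example that is not code from the thread or from the WSUS Offline project. It creates one self-signed code-signing certificate (standing in for both the CA and the signing certificate, which a real deployment would keep separate), signs a constructed script, records the verification status, and then imports the public .cer into the LocalMachine Root and TrustedPublisher stores, the same two stores as the certmgr.exe commands above, before verifying again. It assumes Windows 10 / Server 2016 or later for New-SelfSignedCertificate -Type CodeSigningCert and an elevated session for the LocalMachine imports; the subject name, folder and file names are constructed.

```powershell
# Added example (not from the thread): the self-signed code-signing workflow
# described above, done in PowerShell instead of certmgr.exe. Assumes
# Windows 10 / Server 2016 or later and an elevated session for the
# LocalMachine store steps. Subject, folder and file names are constructed.

$subject = 'CN=WSUS Offline Internal Signing (demo)'
$work    = Join-Path $env:TEMP 'codesign-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Create a self-signed code-signing certificate in the signer's user store.
#    The private key never leaves this machine; only the public .cer is shipped.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(3)

# 2. Export the public certificate. This is the "MyCert.cer" of the thread.
$cerPath = Join-Path $work 'MyCert.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Sign a file. Set-AuthenticodeSignature handles .ps1/.psm1 as well as PE
#    files (.exe/.dll); a constructed script stands in for the updater here.
$target = Join-Path $work 'DoUpdate.ps1'
Set-Content -Path $target -Value 'Write-Output "constructed sample script"'
Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 4. Verification status before the certificate is trusted anywhere on the
#    machine (the chain cannot be built yet).
$before = (Get-AuthenticodeSignature -FilePath $target).Status

# 5. Trust it machine-wide: Root so the chain builds, TrustedPublisher so
#    AllSigned and Explorer accept the publisher without prompting. This is the
#    PowerShell equivalent of the two "certmgr.exe -add ... -r localMachine" lines.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 6. Verify again and show the change in chain status side by side.
$after = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    Subject     = $subject
    Signer      = $after.SignerCertificate.Thumbprint
    BeforeTrust = $before
    AfterTrust  = $after.Status
}
```

Only the .cer is what belongs in the download and in the approval .cmd/.bat file; the private key stays with whoever signs releases, because every machine that imported the root will trust anything that key signs. Get-AuthenticodeSignature is the client-side check to run on the shipped files, and the Signer thumbprint it returns is what to pin when an enterprise wants to confirm that the trusted publisher is the expected one and not some other certificate that happens to chain.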
 
