blueCFD-Core-2020-1-win64-setup: digital signature #245

Open
rue-hh opened this issue Feb 2, 2023 · 4 comments
rue-hh commented Feb 2, 2023

Hi everyone,
Is it possible to have the "blueCFD-Core-2020-1-win64-setup.exe" digitally signed? I cannot install it because our IT security system legitimately does not allow unsigned software. We are using SentinelOne; the unique ID is C29BA1EC486FE53B. If you need more information, please let me know.

best regards

Ruediger

Member

wyldckat commented Feb 2, 2023

Greetings Ruediger,

After blueCFD-Core is installed, it relies on hundreds of executables and DLL files, coming from various origins, most of which are not digitally signed in the way you've asked about. A few examples:

  • ParaView's own installer is digitally signed, but its own executables are not.
  • Qt (which ParaView uses) is digitally signed.
  • MSys2 is not digitally signed, nor are any of the executables it provides.

Which leads me to ask you the following questions:

  1. Will digitally signing the blueCFD-Core installer be enough?
  2. Or will the IT security system being used not allow the installed executables to run after installation?

Best regards,
Bruno
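
The inventory behind the two questions above, as an added example that is not part of the original comment or the blueCFD-Core project: it lists the Authenticode status of every installed .exe and .dll, grouped by top-level folder. The drive letter in `$Root` and the CSV file name are assumptions.

```powershell
# Added example: Authenticode inventory of an installed tree (not project code).
param(
    # Assumption: install root on drive C:; the thread only shows the folder name.
    [string]$Root = 'C:\Program Files\blueCFD-Core-2020',
    # Assumption: output file name chosen for this example.
    [string]$CsvPath = '.\signature-inventory.csv'
)

$rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')

# Every executable and DLL that the endpoint policy would evaluate at run time.
$files = Get-ChildItem -LiteralPath $rootFull -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' }

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $relative = $f.FullName.Substring($rootFull.Length).TrimStart('\')
    [pscustomobject]@{
        # First folder under the root, i.e. the bundled package the file belongs to.
        Component = ($relative -split '\\')[0]
        File      = $relative
        Status    = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Per-component summary: how many files fall into each signature status.
$report | Group-Object Component, Status | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize

# Full list for review by the security team.
$report | Sort-Object Component, Status, File |
    Export-Csv -LiteralPath $CsvPath -NoTypeInformation
```

Running the same script against the folder that holds the downloaded setup file shows the installer's status separately from that of the installed files.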

Author

rue-hh commented May 7, 2024

Hi Bruno,
From my IT security point of view, every executable I am using in a package should be digitally signed. When I am using executables from external sources, I would double-check that they are digitally signed. I know this is a complex process.

> Or will the IT security system being used not allow the installed executables to run after installation?

I was having the security issues right with the installation of blueCFD: besides the digital signature, the generated links are detected as suspicious. As an example, this link \Device\HarddiskVolume4\Program Files\blueCFD-Core-2020\shortcuts\blueCFD-Core terminal.lnk is detected as "Windows shortcut file executes a suspicious LOLBin in minimized window mode".

best regards ruediger

wyldckat self-assigned this May 7, 2024
Author

rue-hh commented Jun 19, 2024

Hi, are there any suggestions to make it work when digital signatures are needed?

Thanks for any advice. We really would like to use it, but we have to comply with our IT policies.
best regards
ruediger

@wyldckat
Member

Greetings Ruediger,

The blueCFD-Core project relies on open source software and is provided as open source as well. This means that we are providing the product for free, but there is still a cost for the time/service needed to develop and provide this product.
Therefore, to meet user expectations, we need funding (this page will be updated soon): http://bluecfd.github.io/Core/Funding/

This is to say that if the company you work for is able to provide some funding, it will help us get this done much sooner than later.

I investigated this topic last year when you first reported it and found that the signature certificates were some 500 to 1000€, not sure if it was as a yearly cost. I've done some quick research now and there seems to be something free for open source projects: https://www.sigstore.dev - in which case, it will only require time to deploy this.

As for the issue you reported about the minimized window, I will need to check how the latest MSys2 terminal is launched, to see if it still uses the same minimized batch script workflow or if it now launches the console/terminal application directly. If it doesn't, we will likely need to create a small application ourselves that will do what the batch script does.

Best regards,
Bruno
