WinFsp Installer blocked by Windows Smart App Control #527
Comments
Thanks for the report. All executable assets installed by WinFsp are signed either by an EV certificate or Microsoft's own annotation certificate. You can confirm this by right-clicking on executable files installed by WinFsp and selecting Properties > Digital Signatures. The installer itself is also signed using the same EV certificate. Looking at the log you provided it suggests that perhaps the problem is with some of the DLLs that are used during installation only. WinFsp includes one such DLL:
It looks like WinFsp does not currently sign the CustomActions DLL and perhaps this is the source of this problem. I am unsure if WiX has any DLLs and whether it signs them if it does.
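A scripted form of the Properties > Digital Signatures check described in the comment above, as an added example that is not part of the original comment or of the WinFsp project. The `-Path` parameter is an assumption: point it at whatever directory holds the files to audit (an install directory, or a folder into which installer payload files were extracted).

```powershell
# Added example: report the Authenticode status of every binary under a directory.
param(
    # Assumption: directory to audit; not a path taken from the issue.
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# File types that carry Authenticode signatures and that an installer typically ships.
$extensions = '.exe', '.dll', '.sys', '.msi'

$results = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status = $sig.Status
            # Subject of the signing certificate, empty when the file is unsigned.
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Full inventory, grouped by status so unsigned files stand out.
$results | Sort-Object Status, File | Format-Table -AutoSize -Wrap

# Files without a valid signature are the first candidates to compare
# against the paths named in the Code Integrity events.
$failing = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($failing.Count -gt 0) {
    Write-Warning ("{0} file(s) without a valid Authenticode signature" -f $failing.Count)
    exit 1
}
```

A DLL that exists only inside the installer package and is unpacked temporarily during installation will not show up in a scan of the installed directory, so the scan has to cover the extracted payload as well.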
I don't think that. We (at Cryptomator) stumbled also into the trap of an additional, unsigned DLL. But WiX (latest 3.x version) itself did not impose a problem.
I include below the event log in text format:
The files that "Code Integrity" is complaining about are:
The first file is the WinFsp "launcher" which is signed with an EV certificate. The second file is the WinFsp DLL and is also signed with an EV certificate. It is not clear what the other files are but my speculation is that: (1) the So I can perhaps see the complaint about
Bug Report
Windows Smart App Control blocks installation of WinFsp 2.0.23075 due to violation of a code integrity policy.
How to Reproduce
1. Set up a system with Windows Smart App control in enforcement mode.
2. Download and execute Winfsp installer
I tested the installer with instructions provided by Microsoft with the Smart App Control audit policy without ISG. The reported events can be found here: winfsp_installation_eventlog.zip.
I'm pretty sure we have a signing issue here, maybe an EV certificate is required. The linked articles also have information about signing.
Behaviors
Expected: Winfsp installer is executed and installed successfully
Actual: Winfsp installer is blocked.
Environment
Misc
I'm a developer of Cryptomator, which uses WinFSP. We had signing issues ourselves, see cryptomator/cryptomator#3130. Maybe someone can draw some clues from there.