Post digitally-signed cryptographic hashes for verifying FlexSim installer integrity/authenticity

I would like to suggest posting cryptographic hashes alongside installer download links to ensure installer integrity and authenticity. I would recommend SHA-2 or newer, as earlier hash functions have collisions or other known issues. It would also be useful to sign the cryptographic hashes with digital signatures to ensure that the hashes have not been tampered with. Thanks for considering my suggestion.

7 Comments
philboboADSK
Autodesk

The FlexSim installer is already digitally signed and ships with the digital certificate that Windows verifies. You can see it when you run the installer and the UAC prompt appears. The UAC prompt shows "Verified Publisher: FlexSim Software Products, Inc." if the file has not been tampered with:

Image.png

You can press the Show details button to look more closely at the digital certificate that it is signed with. Our installers are signed with a Symantec Class 3 Extended Validation Code Signing certificate.

If the file has been tampered with, then Windows will show "Publisher: Unknown" instead of our verified publisher name:

Image.png

Also, if you are using Windows 8 or later, the Microsoft SmartScreen will appear and warn you if the installer has been tampered with, even if it has been signed by an untrustworthy actor (such as someone signing it locally with a faked publisher name).

jon_abbott
Not applicable

Great, that is good to know. Thanks. I didn't realize it would show "Unknown" as the publisher if the file was tampered with.

jon_abbott
Not applicable

Hi @phil.bobo, I just downloaded the 64-bit .msi version of FlexSim 19.0.2 and it is saying the publisher is unknown. Please see the image below. I downloaded the file twice to confirm that it wasn't a result of file corruption while downloading. Are the latest .msi versions of FlexSim still being digitally signed?

Image.png

philboboADSK
Autodesk

Thanks for pointing this out. This was a bug introduced in our build process between 19.0.0 and 19.0.1. The script that signs the msi files had a problem with the directory path so it wasn't signing them.

I've fixed the issue with the build process.

I will sign the 19.0.2 msi files and re-upload them. I'll comment back here once they are ready to download.

jon_abbott
Not applicable

Thank you for the update, Phil. For now, I downloaded and used the .exe installer which doesn't appear to be affected by this issue.

philboboADSK
Autodesk

Yeah, the exe and the msi files embedded in the exe should have been signed just fine.

I've now signed the 19.0.2 msi files on the website. If you download them again, they should be signed properly.

Thanks again for bringing this to our attention.

jon_abbott
Not applicable

Thanks again, Phil. I appreciate the rapid response.
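
The failure discussed in this thread (a signing step that silently skipped the msi files) can be caught by a post-build gate. The following is an added example, not part of the thread and not FlexSim's build script: it checks every installer's Authenticode signature and prints a SHA-256 hash for each. The `.\dist` directory and the assumption that the certificate's common name equals the publisher string shown in the UAC prompt are illustrative.

```powershell
# Added example: release gate that fails when any installer is unsigned or altered.
# $ArtifactDir and $ExpectedPublisher are assumptions; adjust to your build layout.
param(
    [string]$ArtifactDir = '.\dist',
    [string]$ExpectedPublisher = 'FlexSim Software Products, Inc.'
)

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Resolve the directory first so a bad path fails loudly instead of
# silently yielding zero files to check.
$dir = (Resolve-Path -LiteralPath $ArtifactDir -ErrorAction Stop).Path
$installers = @(Get-ChildItem -LiteralPath $dir -Recurse -File |
    Where-Object { $_.Extension -in '.msi', '.exe' })
if ($installers.Count -eq 0) {
    throw "No .msi or .exe files found under $dir"
}

$report = foreach ($file in $installers) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    # Common name of the signing certificate, or $null when the file is unsigned.
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo($nameType, $false)
    } else { $null }
    [pscustomobject]@{
        File   = $file.Name
        Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer = $signer
        SHA256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Ok     = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedPublisher)
    }
}

$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error ("{0} installer(s) failed signature verification" -f $failed.Count)
    exit 1
}
```

The same script run against a downloaded installer gives an end user the signature status without launching it.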
