Sign Executables with Publisher Certificates for Allow-listing

Please sign your executables (including updates) with your publisher certificate to enable seamless updates where application allow-listing solutions are in place. Where executables are not signed, updates will not install without manual intervention. It is very difficult to get your IT team to allow each executable by hash, whereas convincing them to allow a publisher certificate is much more palatable and helps to get Brave into enterprise settings.

Brave is a good candidate for this, as any organisation hoping to mitigate their risk by blocking ads, such as to comply with Essential Eight or similar, could look to Brave to achieve that goal, yet unsigned executables create an impediment to this.

What executables are you referring to? If you’re referring to the main installers, which ones are not signed and what’s the URL where you’re downloading them from?

If you’re referring to executables that are installed by Brave – I’ve just looked and there appears to be one EXE that is not digitally signed. Is this the executable you’re referring to as not signed, or are you referring to something else?

C:\Program Files (x86)\BraveSoftware\Update\Download\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\115.1.56.14\brave_installer-delta-x64.exe
MD5    : 8976c68034314331c209cc46d9f13cb5
SHA1   : 80086ab851409e6fcb590881f3988661a28e3d19
SHA256 : bb7fc964f8e7393b10f1aac79d4fdf30bddc0894919d221ba4ea2dbd47c11644

https://www.virustotal.com/gui/file/bb7fc964f8e7393b10f1aac79d4fdf30bddc0894919d221ba4ea2dbd47c11644/details

If this is the one you mean, the filename indicates it could be some sort of delta patching, however I’m not sure why this isn’t signed. I would be interested to know as well, as it doesn’t seem great to be using unsigned executables.

PowerShell code (from above screenshot):

# Folders where Brave installs or stages its binaries
$Path = @(
    "$env:ProgramFiles\BraveSoftware"
    "${env:ProgramFiles(x86)}\BraveSoftware"
    "$env:AllUsersProfile\BraveSoftware"
    "$env:LocalAppData\BraveSoftware"
)

# List every EXE/DLL whose Authenticode signature is not "Valid"
# (-ErrorAction SilentlyContinue skips folders that do not exist on this machine)
Get-ChildItem -Recurse -File -Path $Path -ErrorAction SilentlyContinue |
Where-Object { ($_.Extension -eq ".exe") -or ($_.Extension -eq ".dll") } |
Get-AuthenticodeSignature |
Where-Object { ($_.Status -ne "Valid") } |
Format-List -Property Path, Status, StatusMessage, SignatureType, IsOSBinary, SignerCertificate

The Delta update you are referring to is the one that failed for me. I just made the request more general in case there were any other unsigned binaries that I was not aware of.

Also, thanks for including the PowerShell, that’s handy.

I wonder whether this is something worth reporting on GitHub? To me, these delta installers not being digitally-signed does not seem like correct behaviour and is something that needs to be addressed – rather than a feature request here where it could be missed.

Checking the last six Brave “Stable Release” versions (see below), it appears Brave stopped signing these delta executables with the jump from Brave 1.52 to Brave 1.56 (Chromium 114 to Chromium 115) on 19 July 2023. The Brave 1.52 delta installers are correctly signed.

The last six Brave “Stable Release” delta installers are listed below.

From: Release v1.56.11 (Chromium 115.0.5790.102)
To: Release v1.56.14 (Chromium 115.0.5790.114)
Status: Not digitally-signed
Executable: https://updates-cdn.bravesoftware.com/delta/Brave-Release/x64-rel/win/115.1.56.14/115.1.56.11/brave_installer-delta-x64.exe

From: Release v1.56.9 (Chromium 115.0.5790.98)
To: Release v1.56.11 (Chromium 115.0.5790.102)
Status: Not digitally-signed
Executable: https://updates-cdn.bravesoftware.com/delta/Brave-Release/x64-rel/win/115.1.56.11/115.1.56.9/brave_installer-delta-x64.exe

From: Release v1.52.130 (Chromium 114.0.5735.198)
To: Release v1.56.9 (Chromium 115.0.5790.98)
Status: Not digitally-signed
Executable: https://updates-cdn.bravesoftware.com/delta/Brave-Release/x64-rel/win/115.1.56.9/114.1.52.130/brave_installer-delta-x64.exe

From: Release v1.52.129 (Chromium 114.0.5735.198)
To: Release v1.52.130 (Chromium 114.0.5735.198)
Status: Digitally-signed
Executable: https://updates-cdn.bravesoftware.com/delta/Brave-Release/x64-rel/win/114.1.52.130/114.1.52.129/brave_installer-delta-x64.exe

From: Release v1.52.126 (Chromium 114.0.5735.133)
To: Release v1.52.129 (Chromium 114.0.5735.198)
Status: Digitally-signed
Executable: https://updates-cdn.bravesoftware.com/delta/Brave-Release/x64-rel/win/114.1.52.129/114.1.52.126/brave_installer-delta-x64.exe

From: Release v1.52.122 (Chromium 114.0.5735.110)
To: Release v1.52.126 (Chromium 114.0.5735.133)
Status: Digitally-signed
Executable: https://updates-cdn.bravesoftware.com/delta/Brave-Release/x64-rel/win/114.1.52.126/114.1.52.122/brave_installer-delta-x64.exe
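
Added example, not part of the thread and not Brave's code: the hash-rule versus publisher-rule trade-off discussed above, as a PowerShell audit that reports which binaries a publisher rule would cover and which would each need a hash rule. The function name `Get-AllowListCoverage` and its `-PublisherPattern` parameter are hypothetical, and the publisher string is a placeholder to be replaced with the certificate subject your policy trusts.

```powershell
# Added example. Classifies each binary by the allow-list rule it would need.
function Get-AllowListCoverage {
    [CmdletBinding()]
    param(
        # Folders to audit.
        [Parameter(Mandatory)] [string[]] $Path,
        # Wildcard matched against the signer certificate subject.
        # Assumption: the admin supplies the publisher string they trust.
        [Parameter(Mandatory)] [string] $PublisherPattern
    )

    # Skip folders that do not exist on this machine.
    $existing = @($Path | Where-Object { Test-Path -LiteralPath $_ })
    if ($existing.Count -eq 0) { return }

    Get-ChildItem -LiteralPath $existing -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate

            # A publisher rule only helps when the signature verifies AND
            # the signer is the publisher that the rule names.
            $covered = ($sig.Status -eq 'Valid') -and $cert -and
                       ($cert.Subject -like $PublisherPattern)

            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status
                Publisher  = if ($cert) { $cert.Subject } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                RuleNeeded = if ($covered) { 'Publisher' } else { 'Hash' }
                # Only hash the files that would need a per-file rule.
                SHA256     = if ($covered) { $null } else {
                    (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Usage: the download folder is the one quoted in the thread; the pattern is a placeholder.
Get-AllowListCoverage -Path "${env:ProgramFiles(x86)}\BraveSoftware\Update\Download" `
                      -PublisherPattern '*<publisher name>*' |
    Sort-Object RuleNeeded, Path |
    Format-Table RuleNeeded, Status, Publisher, SHA256, Path -AutoSize
```

Any row with `RuleNeeded` of `Hash` is a file that a publisher-only policy would block, which is the failure described for the unsigned delta installer.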