Skip to content

fix(windows): sign inner Atomic-Chat.exe at bundle time to fix AV false positives (ATO-248)#142

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/ATO-248-linear-bug-handling-66a4
Draft

fix(windows): sign inner Atomic-Chat.exe at bundle time to fix AV false positives (ATO-248)#142
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/ATO-248-linear-bug-handling-66a4

Conversation

@cursor

@cursor cursor Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Describe Your Changes

  • Add bundle.windows.signCommand to src-tauri/tauri.windows.conf.json pointing to a new wrapper script src-tauri/windows/sign-binary.bat
  • New script calls signtool.exe with the DigiCert KSP (/csp "DigiCert Signing Manager KSP" /kc "%SM_CERT_ALIAS%"); exits 0 gracefully when SM_CERT_ALIAS is absent (local dev / fork-PR builds)
  • Update the Windows CI build step to pass the four DigiCert KSP secrets (SM_API_KEY, SM_CLIENT_CERT_PASSWORD, SM_HOST, SM_CERT_ALIAS) so the KSP DLL can authenticate during yarn tauri build
  • Add ADR entry in AGENTS.md §7

Root cause

The post-build jsign step in .github/workflows/release.yml signed only the NSIS installer and MSI. The inner Atomic-Chat.exe embedded in the NSIS installer was left unsigned. Kaspersky unpacks installers before scanning and finds the unsigned binary, triggering:

  • Trojan-Downloader.Win32.Agent.xydtva (heuristic on unsigned binary that downloads/launches executables at runtime)
  • UDS:DangerousObject.Multi.Generic (KSN cloud reputation: new hash, low prevalence)

The fix

Tauri's bundle.windows.signCommand runs before NSIS packaging — the bundler calls it for every binary (main exe + sidecar EXEs). This ensures Atomic-Chat.exe carries a valid Authenticode signature before it is embedded in the installer.

// src-tauri/tauri.windows.conf.json
"signCommand": "cmd /c windows\\sign-binary.bat %1"

The sign-binary.bat wrapper exits 0 (skip) when SM_CERT_ALIAS is absent, keeping local dev builds unaffected. The existing jsign post-build step that signs the installer itself is unchanged.

Verification

  • tauri.windows.conf.json validates as valid JSON ✓
  • sign-binary.bat exits 0 when SM_CERT_ALIAS is unset ✓
  • Residual manual step: build a tagged release, extract Atomic-Chat.exe from the NSIS installer, run signtool verify /pa Atomic-Chat.exe to confirm the signature

Fixes Issues

Self Checklist

  • Added relevant comments, esp in complex areas
  • Updated docs (ADR entry in AGENTS.md §7)
  • Created issues for follow-up changes or refactoring needed
    • Follow-up: sign jan-cli.exe and bundled llama-server DLLs (lower-risk, resources not in externalBin so not handled by signCommand)
Open in Web View Automation 

…nd (ATO-248)

Add bundle.windows.signCommand to tauri.windows.conf.json pointing to a
new wrapper script windows/sign-binary.bat. Tauri calls this script for
every binary before packaging them into the NSIS/MSI installer, so
Atomic-Chat.exe carries a valid Authenticode signature inside the
installer.

The wrapper calls signtool.exe using the DigiCert KSP:
  signtool sign /csp "DigiCert Signing Manager KSP" /kc "%SM_CERT_ALIAS%" ...

It exits 0 when SM_CERT_ALIAS is absent, keeping local dev builds
unaffected.

The CI build step is updated to pass the four DigiCert KSP secrets
(SM_API_KEY, SM_CLIENT_CERT_PASSWORD, SM_HOST, SM_CERT_ALIAS) so the
KSP DLL can authenticate to DigiCert One when signtool.exe is invoked
during yarn tauri build. SM_CLIENT_CERT_FILE is already propagated via
GITHUB_ENV by the existing "Setup DigiCert KeyLocker" step.

The post-build jsign step that signs the NSIS installer and MSI is
unchanged.

Fixes: ATO-248 (Kaspersky Trojan-Downloader / UDS false positives)

Co-authored-by: Mike <Vect0rM@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant