fix(windows): sign inner Atomic-Chat.exe at bundle time to fix AV false positives (ATO-248)#142
Draft
cursor[bot] wants to merge 1 commit into
Draft
fix(windows): sign inner Atomic-Chat.exe at bundle time to fix AV false positives (ATO-248)#142cursor[bot] wants to merge 1 commit into
cursor[bot] wants to merge 1 commit into
Conversation
…nd (ATO-248) Add bundle.windows.signCommand to tauri.windows.conf.json pointing to a new wrapper script windows/sign-binary.bat. Tauri calls this script for every binary before packaging them into the NSIS/MSI installer, so Atomic-Chat.exe carries a valid Authenticode signature inside the installer. The wrapper calls signtool.exe using the DigiCert KSP: signtool sign /csp "DigiCert Signing Manager KSP" /kc "%SM_CERT_ALIAS%" ... It exits 0 when SM_CERT_ALIAS is absent, keeping local dev builds unaffected. The CI build step is updated to pass the four DigiCert KSP secrets (SM_API_KEY, SM_CLIENT_CERT_PASSWORD, SM_HOST, SM_CERT_ALIAS) so the KSP DLL can authenticate to DigiCert One when signtool.exe is invoked during yarn tauri build. SM_CLIENT_CERT_FILE is already propagated via GITHUB_ENV by the existing "Setup DigiCert KeyLocker" step. The post-build jsign step that signs the NSIS installer and MSI is unchanged. Fixes: ATO-248 (Kaspersky Trojan-Downloader / UDS false positives) Co-authored-by: Mike <Vect0rM@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Describe Your Changes
bundle.windows.signCommandtosrc-tauri/tauri.windows.conf.jsonpointing to a new wrapper scriptsrc-tauri/windows/sign-binary.batsigntool.exewith the DigiCert KSP (/csp "DigiCert Signing Manager KSP" /kc "%SM_CERT_ALIAS%"); exits 0 gracefully whenSM_CERT_ALIASis absent (local dev / fork-PR builds)SM_API_KEY,SM_CLIENT_CERT_PASSWORD,SM_HOST,SM_CERT_ALIAS) so the KSP DLL can authenticate duringyarn tauri buildRoot cause
The post-build
jsignstep in.github/workflows/release.ymlsigned only the NSIS installer and MSI. The innerAtomic-Chat.exeembedded in the NSIS installer was left unsigned. Kaspersky unpacks installers before scanning and finds the unsigned binary, triggering:Trojan-Downloader.Win32.Agent.xydtva(heuristic on unsigned binary that downloads/launches executables at runtime)UDS:DangerousObject.Multi.Generic(KSN cloud reputation: new hash, low prevalence)The fix
Tauri's
bundle.windows.signCommandruns before NSIS packaging — the bundler calls it for every binary (main exe + sidecar EXEs). This ensuresAtomic-Chat.execarries a valid Authenticode signature before it is embedded in the installer.The
sign-binary.batwrapper exits 0 (skip) whenSM_CERT_ALIASis absent, keeping local dev builds unaffected. The existingjsignpost-build step that signs the installer itself is unchanged.Verification
tauri.windows.conf.jsonvalidates as valid JSON ✓sign-binary.batexits 0 whenSM_CERT_ALIASis unset ✓Atomic-Chat.exefrom the NSIS installer, runsigntool verify /pa Atomic-Chat.exeto confirm the signatureFixes Issues
Self Checklist
jan-cli.exeand bundled llama-server DLLs (lower-risk, resources not in externalBin so not handled by signCommand)