cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Robert Franklin <rcf34 AT cam.ac.uk>
- To: Tomasz Wolniewicz <twoln AT umk.pl>
- Cc: Ethan A Bateman <ebateman AT lsu.edu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Certificate Issue
- Date: Wed, 20 Jan 2016 10:58:05 +0000
On 19 Jan 2016, at 19:10, Tomasz Wolniewicz <twoln AT umk.pl> wrote:
> Could you provide us with some more details, the operating system and the
> institution for which the installer is downloaded?
>
> My Windows 10 does not throw any warnings on installers I have tested.
We've had sporadic reports of this problem over the last couple of days as
well and I think this might be the cause...
Firstly, we use a well-known CA-signed certificate for eduroam and have just
(as of 7:30am this last Monday) rolled it over to a new 3-year one from
QuoVadis (the Jisc/Janet UK certificate provider). As such, we updated our
CAT to use the CA certificate and have had a lot of users re-downloading the
CAT to fix their connections in the past couple of days.
That we've changed the CAT details has obviously caused a new CAT installer
to be built and signed by the CAT website.
The other change that has happened since we last changed our CAT is the
1st January 2016 where Microsoft appear to have changed their policy on code
signing certificates:
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
... basically, Windows 7 and above don't accept SHA-1 certificates for code
signing after this date. The installer appears (from what little I know
about Windows) to use a SHA-256 certificate, but the intermediate CAs (and
root - although I don't believe that matters) DO use SHA-1 - these are: The
USERTrust Network; UTN-USERFirst-Object; TERENA Code Signing CA; TERENA.
Microsoft don't explain, in the above post, what the effect on chain
certificates is, but I suspect they probably would be untrusted and trigger
this problem.
On a Windows 10 machine, if I turn on SmartScreen and download our new CAT, I
get an error "Windows protected your PC / Windows SmartScreen prevented an
unrecognised application from starting.". I can press 'More info' and then a
'Run anyway' to bypass it (at least as an administrator).
If I turn off SmartScreen, the program runs as normal (I get the normal "Open
File - Security Warning" box and have to push 'Run').
This only applies to executables with the "Mark of the Web" (which, for an
executable appears to be an NTFS stream) - if I copy the file to a FAT USB
stick, it will run fine. If I copy it back, it also runs fine; if I add the
"Mark of the Web" back onto the executable manually, it will not run with
SmartScreen enabled (but will without).
In short, currently, I'm suspecting the SHA-1 intermediate certificates used
to sign the CAT installer, but I can't really test any further.
Does this seem plausible?
- Bob
--
Bob Franklin
rcf34 AT cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge
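
A way to collect the two facts this message turns on (whether a downloaded installer carries the Mark of the Web, and which signature hash each certificate in the signer's chain uses), as an added example that is not part of the original post. The installer path is a placeholder, and the script assumes Windows PowerShell 3.0 or later with the file on an NTFS volume.

```powershell
# Added example: the default path is a placeholder, not a file named in the thread.
param([string]$Path = '.\installer.exe')

function Get-MarkOfTheWeb {
    param([string]$File)
    # The mark lives in an NTFS alternate data stream named Zone.Identifier.
    $s = Get-Item -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $s) { return $null }                      # no mark (e.g. after a trip via FAT)
    $text = Get-Content -LiteralPath $File -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId=(\d)') { return [int]$Matches[1] }
    return -1                                          # stream present, no ZoneId line
}

function Get-SignerChainAlgorithms {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -LiteralPath $File
    if (-not $sig.SignerCertificate) { return }        # unsigned file: nothing to list
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'      # so the listing works offline
    [void]$chain.Build($sig.SignerCertificate)
    $depth = 0
    foreach ($el in $chain.ChainElements) {
        $cert = $el.Certificate
        $alg  = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA, sha256RSA
        [pscustomobject]@{
            Depth      = $depth++                      # 0 = code-signing certificate
            Subject    = $cert.Subject
            Algorithm  = $alg
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Sha1Signed = ($alg -match '^sha1')
        }
    }
}

$zone = Get-MarkOfTheWeb $Path
if ($null -eq $zone) { 'Mark of the Web: absent' }
else                 { "Mark of the Web: present, ZoneId=$zone (3 = Internet)" }

'Authenticode status: ' + (Get-AuthenticodeSignature -LiteralPath $Path).Status
Get-SignerChainAlgorithms $Path | Format-Table -AutoSize
```

Running it against the same installer before and after copying it through a FAT volume shows the Zone.Identifier stream disappearing while the chain listing stays the same.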