
Security: michelou/wix-examples


SECURITY.md

Security of MSI files

This document aims to respond to the security concerns regarding .msi files (aka Windows installers).
We present several ways to address those concerns, e.g. using file checksums and self-signed certificates.

WIP [1]

🔎 Further details about the internals of MSI files are available from document MSI.md.

File Checksums

We publish our Windows installers (.msi files) together with their checksum files (.md5 and .sha256 files) on the Releases page of this project.

The official Scala 2 download page does not provide checksum files for the published Scala 2 software distributions (see last section "Other resources").

Checksums are used to verify the integrity of files downloaded from an external source, e.g. a Windows installer. In this project we wrote two small PowerShell scripts to check the Scala 2 and Scala 3 Windows installers available on our Releases page.

🔎 Concretely, each PowerShell script downloads a .msi file and its .md5 (resp. .sha256) companion file and checks that the computed checksum is identical to the downloaded checksum.

> powershell -nologo -f bin\scala-checksum.ps1
Computed: 61A6E578022546ADF0B76A8C09BCD784  scala-2.13.7.msi
MD5 file: 61A6E578022546ADF0B76A8C09BCD784  scala-2.13.7.msi
The two checksums are equal
 
> powershell -nologo -f bin\scala3-checksum.ps1
Computed: F484CD8D12DDA43C88467CDB68FC18C9  scala3-3.1.0.msi
MD5 file: F484CD8D12DDA43C88467CDB68FC18C9  scala3-3.1.0.msi
The two checksums are equal

The above PowerShell scripts accept several options; for instance, for scala3-checksum.ps1:

  • -version <value> where <value> equals 3.1.0 (default) or 3.0.2.
  • -algorithm <name> where <name> equals md5 (default) or sha256
  • -verbose (displays download command)

> powershell -nologo -f bin\scala3-checksum.ps1 -algorithm sha256
Computed: 484DAD60174CB44D496F8447399577EB5680F599923E3CED9E8D8D89D9254329  scala3-3.1.0.msi
SHA256 file: 484DAD60174CB44D496F8447399577EB5680F599923E3CED9E8D8D89D9254329  scala3-3.1.0.msi
The two checksums are equal

🔎 See also Chris's post What Is a Checksum (and Why Should You Care)? (September 2019).

Self-signed Certificates [2]

Command signtool.exe (part of the Windows SDK) is the standard tool to sign executable files on MS Windows, i.e. the Windows installers in our case.

In project Scala3Features, for instance, we execute signtool to sign the file scala3-3.1.0.msi :

> signtool sign /p "<cert_pswd>" -v /f "<certs_folder>\wix-examples.pfx" ^
           /d "<description>" ^
           /t "http://timestamp.digicert.com" /fd SHA256 ^
           "Y:\scala3-examples\Scala3Features\target\scala3-3.1.0.msi"
The following certificate was selected:
    Issued to: Stephane Micheloud
    Issued by: Stephane Micheloud
    Expires:   Sun Jul 23 01:02:42 2023
    SHA1 hash: 64C2...

Done Adding Additional Store
Successfully signed: Y:\scala3-examples\Scala3Features\target\scala3-3.1.0.msi

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Figures 1.1 and 1.2 below show that a digital signature was indeed added to the file scala3-3.1.0.msi:

Figure 1.1 - MSI File (Properties window).
Figure 1.2 - Signature details (Certificate window).
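
The two checks described in this document (comparing the installer against its checksum file, and inspecting its digital signature) can be combined for an installer that has already been downloaded. The following is an added example, not one of the project's scripts; the function name Test-MsiIntegrity, its parameters and the placeholder values in the usage comment are assumptions.

```powershell
# Added example; Test-MsiIntegrity is a hypothetical helper, not a project script.
function Test-MsiIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        # Companion file in "<hex digest>  <file name>" form, as printed above.
        [Parameter(Mandatory)] [string] $ChecksumPath,
        [ValidateSet('MD5', 'SHA256')] [string] $Algorithm = 'SHA256',
        # Optional: SHA1 thumbprint of the signing certificate, obtained out of band.
        [string] $ExpectedThumbprint
    )

    # The digest is the first whitespace-separated token of the first non-empty line.
    $line = Get-Content -LiteralPath $ChecksumPath |
        Where-Object { $_.Trim() } | Select-Object -First 1
    if (-not $line) { throw "Checksum file is empty: $ChecksumPath" }
    $published = ($line.Trim() -split '\s+')[0]

    # Reject a truncated or wrong-algorithm digest instead of comparing it.
    $hexLength = if ($Algorithm -eq 'MD5') { 32 } else { 64 }
    if ($published -notmatch '^[0-9A-Fa-f]+$' -or $published.Length -ne $hexLength) {
        throw "No valid $Algorithm digest found in $ChecksumPath"
    }

    # String -eq is case-insensitive, so upper- and lower-case hex both match.
    $computed = (Get-FileHash -LiteralPath $MsiPath -Algorithm $Algorithm).Hash
    $checksumOk = $computed -eq $published

    # Status is 'Valid' only if the certificate chains to a root trusted on this
    # machine, which a self-signed certificate usually does not; 'HashMismatch'
    # means the file changed after signing. Hence the explicit thumbprint check.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    $thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint }
    $thumbprintOk = if ($ExpectedThumbprint) {
        $thumbprint -eq ($ExpectedThumbprint -replace '\s', '')
    }

    [pscustomobject]@{
        File              = Split-Path -Leaf $MsiPath
        Algorithm         = $Algorithm
        ChecksumMatches   = $checksumOk
        SignatureStatus   = $sig.Status
        SignerThumbprint  = $thumbprint
        ThumbprintMatches = $thumbprintOk   # $null when no thumbprint was supplied
    }
}

# Usage with placeholder values:
# Test-MsiIntegrity -MsiPath .\scala3-3.1.0.msi -ChecksumPath '<checksum_file>' `
#     -ExpectedThumbprint '<expected_thumbprint>'
```

A checksum file fetched from the same Releases page as the installer detects a corrupted download but not a replaced release, which is why the expected thumbprint should come from a separate channel.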

Footnotes

[1] Security Resources

[2] Code Signing Resources


mics/December 2023  
