Looks like a bug report is already there and has been there since Firefox 106. What exactly are you asking? Its been on their radar for a while now.

Stay woke. Fascists creepin. They gon’ find you. Gon’ catch you sleepin.

If its an Android or iOS phone, then it will prompt for a password or pin after a few failed fingerprint scans.

Fingerprint is just there for convenience, but you can get around it in most cases.

if we remove microsoft signing as an option for whatever reason (which we have) then it’s still very possible, and very easy to implement signed updates into your own custom update mechanism

Im not convinced

the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s

I didn’t say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.

this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”

The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.

Per https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

adding signing into that existing process without any 3rd party involvement is both free, and very very easy

Can you point out an existing open source application that runs on Windows that only uses GPG signatures?

Agreed.

If the updates were signed, then the malicious actor could not push their own updates. It would fail authentication and integrity checks.

The gpg sig method works great on other operating systems that aren’t Windows or MacOS, but Windows and MacOS do not use that method to verify the authenticity of developer’s certificates.

The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system. The OS will not allow it to run without it being signed.

The malicious actor would not be able to drag and drop their malware in without the Notepad++ certificate. The signature wouldn’t match.

The certificate is not only doing authentication of the developer, but it is also doubling as an integrity check to make sure the code hasn’t been modified.

And they’re both ass tbh because the community edition for each one has arbitrary limitations built in, and you need a premium license to unlock its full capabilities.

Im not sure. I don’t have Windows to look at the code signing certificate they are using (if they are using one at all). Hopefully someone else can check and let us know.

If Notepad++ had a valid signing certificate, you wouldn’t be able to run the malicious binary in the update. How is that not relevant?

After an update on Windows, you must close the application to clear the RAM before launching the updated exe.

Upon launching the new binary exe, Microsoft will check the code signing certificate and make sure its valid before letting it execute. If its not signed, you will be met with a warning that the binary publisher is unknown, and I believe that Microsoft won’t even let it launch nowadays

The answer to that question is honestly super complicated, and it has its own job title tbh. Managing code signing certificates can be really complex depending on the software.

This gist kinda covers the basics

https://gist.github.com/MangaD/e8f67fb39a35abdbf4ad26711c5957cc

After you install the update, which exe will you execute after the app restarts?

No, because you wouldn’t be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft’s security software in the process.

I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn’t have to deal with Microsofts method of signing software, but that kind of backfired on them.

Looks like cat20a tbh, although that bend radius might be out of spec

How many times has this happened to Notepad++ now?

If its an authenticator app, then its password based, as ultimately the password or pin is needed to unlock the phone.

If its a standalone authenticator device, then yes thats MFA. But like I said, its the most expensive option since you would have to purchase devices.

Fingerprint with an RFID badge is MFA with no passwords.

Something you have and something you are is the most expensive MFA combination, which is why it isn’t common.

How about Firefox?