MeshCentral - Authenticode Module and Automatic Agent Signing

This week is a crazy feature and in many ways an industry first for this type of software. Last week, the first ever purely NodeJS implementation of Authenticode signing was built and added to MeshCentral making it capable of signing Windows executables from any operating system. On top of that, MeshCentral now generates a code signing certificate as part of its standard certificates and automatically signs the Windows Agents. There is even an option to automatically lock the signed agent to only connect to the server that signed the agent. The net result is a Window agent that is uniquely signed to its server. In detail:

  • MeshCentral code signing certificate. MeshCentral already generates many certificates when it first runs: Root, Agent, MPS and HTTPS. With the latest release, a code signing certificate is also generated, issued from the generated self-signed server root certificate. This private code signing certificate is not globally trusted unless the server root cert is trusted. A purchased code signing certificate from a certificate authority (CA) is still needed if you want a correctly signed agent. What’s new is that the new generated code signing certificate is now used by default to sign the Windows agents.
  • Automatic signing of Windows agents. MeshCentral will now automatically sign the Windows agents and place the resulting binaries in the “meshcentral-data/signedagents” folder. On server startup, MeshCentral will check that the agents in the folder are correctly signed, and the hash matches the expected value. If there is something not right, the agent will be resigned and replaced insuring that the agents being used match the server’s code signing certificate and signing settings.
  • Sign-locking the agent. The Mesh Agent has a feature to check that its own signature includes instructions to lock the agent to only connect to a specific server. With the latest automated signing built-into MeshCentral, you can make use of the agent’s sign-locking feature. Just add “AgentSignLock”: true in the settings section of the config.json and the server will add the right signature parameters to lock the agent to the server. This provides extra trust that a signed agent can’t be miss-used.
  • Authenticode-JS. The Authenticode module in MeshCentral is an industry first. Before this, there where no purely NodeJS implementations of Authenticode signing available. Its usage goes beyond MeshCentral and so, the module was made available as its own standalone tool. Called Authenticode-JS on NPM, its can be used both as a module and as a command line tool and allows anyone to look at signature information, sign or un-sign an executable and even to generate a self-signed certificate for code signing. This should be super useful to many; a YouTube demonstration of this tool has already premiered on the MeshCentral YouTube channel.

Many other features have been added and bug fixes included. As usual, feedback is appreciated. If you see any problems or need support on something, please create a new issue on GitHub or help other users. For more information, visit the portal at https://meshcentral.com.

Enjoy!
Ylian
MeshCentral, Blog, Twitter,
Reddit, GitHub, YouTube.






Popular posts from this blog

Starting work at Microsoft

Image
Hi everyone. It’s been a while since the last blog post and I wanted up update everyone on what is going on. As many of you know already from a discussion on GitHub , Bryan and I have been laid-off from Intel in early November 2022. This was quite a surprise as MeshCentral, MeshCommander, MeshCMD and other tools where widely used. This said, Intel has been having poor financials and Bryan and I where part of a very large first wave of downsizing by the company that involved many people that I know and worked with for a long time. I had been working for Intel for over 25 years having started in September 1998. Over the years I worked on IPsec key negotiation, Universal Plug & Play, DLNA and Intel® AMT. I loved working on all these projects and especially loved working with the open-source community on Mesh projects. Obviously, this was not my decision and Bryan and I had look for what comes next. One option was to continue working on MeshCentral as part of another company or with
Read more

MeshCentral - Windows ARM64, NodeJS v11, NPM Packages

Image
Hi all. It's been a while since I last posted and now that I am settling a bit more in my work at Microsoft, I have a bit of time to occasionally look after MeshCentral again. It's about time, there where a bunch of things that needed to get fixed. Before that, I want to say that I am doing great. I am working on Microsoft Forms which is one of the offerings of Microsoft 365. For kicks, I started a YouTube channel on Microsoft Forms here during a Microsoft hacking week. I tried to up my game since the videos I last published for MeshCentral. Also, I wanted to share pictures below. I was at a Tesla Supercharger last weekend and, by luck, got to see a Tesla Cybertruck in person. It's very big. Obviously, this is a release candidate driven by a Tesla employee. I saw it after attempting to see the solar eclipse over Oregon, but sadly, too many clouds and saw nothing. In any case, back to MeshCentral. In the last few months a few things have happened with the new releases. Wind
Read more

MeshCentral - New Windows Agents - Installation Dialog, Customization and Server Lock

Image
Lots is going on with MeshCentral, just yesterday Bryan Roe released a new MeshAgent for Windows with many improvements. An improved installation dialog box, logo customization and, to continue MeshCentral’s leadership in security, a new agent code signing locking feature that will surely be used by many to improve trust and security of their MeshCentral installation. In addition to this, we have many more server improvements to cover. In detail: MeshAgent with improved installation dialog box . The new MeshAgent for Windows is much improved with months of changes and bug fixes. The most noticeable feature is by far the new installation dialog with the new logo and connection details button. The new installer is a lot friendlier and easier on end-users. MeshAgent with improved customizations . In addition to all the existing agent customizations available in prior versions, the MeshAgent has new server settings for the installation text and logo. You can now set your own 200x200 PNG c
Read more