Advice Request Glasswire's SHA-256 hash doesn't match the one listed on their website

[artek]

Can anyone else test this? I went to download glasswire from the official glasswire site and the install file isn't digitally signed and the SHA-256 hash doesn't match the one listed on their website. In addition to this, Edge warns about the file being not commonly downloaded. I seem to remeber glasswire always being digitally signed so this is pretty weird. The install file from virustotal:

SHA-256: a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d

VirusTotal

VirusTotal

www.virustotal.com

 

[oldschool]

Can anyone else test this?

Just did and you're correct, they don't match.

 

[artek]

I guess the question now is if the developers modified the installer and forgot to update the hash or is this a supply chain attack?

 

[a090]

I guess the question now is if the developers modified the installer and forgot to update the hash or is this a supply chain attack?

Might want to email their devs and give ‘em a wake-up call. Their software should be signed. Strike 1. Their installer hash should match up with the site. Strike 2. And Strike 3 might be malware in that unverified installer. I wouldn’t risk it.

 

[Zero Knowledge]

From website downloaded version just this minute: Version 3.3.499, 71.6MB

Name: GlassWireSetup.exe
Size: 75102008 bytes (71 MiB)
SHA256: 97408cde74d2889cfc260ee854cdbd4a523f3367f589a28acfacb93d3a66704d

7ZIP SHA-256 check. Does that work?

 

[artek]

Might want to email their devs and give ‘em a wake-up call. Their software should be signed. Strike 1. Their installer hash should match up with the site. Strike 2. And Strike 3 might be malware in that unverified installer. I wouldn’t risk it.

I made a post on their support forums. I didn't see a contact email when I initially looked.

From website downloaded version just this minute: Version 3.3.499, 71.6MB

Name: GlassWireSetup.exe
Size: 75102008 bytes (71 MiB)
SHA256: 97408cde74d2889cfc260ee854cdbd4a523f3367f589a28acfacb93d3a66704d

7ZIP SHA-256 check. Does that work?

That's different from the one I got and also different from the SHA-256 hash listed on their site. That's very strange.

 

[TairikuOkami]

File is not signed

That is the red flag right there. While the files inside are properly signed, the installer could include anything. They have most likely uploaded the unsigned exe instead of the correct one?

The external link on Softpedia contains the proper version, digitally signed, the hash matches.

VirusTotal

VirusTotal

www.virustotal.com

P.S.: So much for trusting the downloads from devs homepage.

 

[Freki123]

Where can I see that the file is not signed right (Other than VT)? VS said the signing is ok and I thought I understood the text in the "digital signature tab" right. Or am I just looking at the wrong tab? bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 download 06.04.2023
VT says unsigned, VS says signing ok. I'm confused now

 

[TairikuOkami]

Where can I see that the file is not signed right (Other than VT)?

You need a dedicated hash app, but apps like 7-zip or winrar include CRC check.

 

[Freki123]

You need a dedicated hash app, but apps like 7-zip or winrar include CRC check.

Thanks for the answer. So what windows shows you under property's: "digital signature" is pretty much useless and you would have to use a dedicated hash app to recheck if the file is signed right?
edited

 

[artek]

Where can I see that the file is not signed right (Other than VT)? VS said the signing is ok and I thought I understood the text in the "digital signature tab" right. Or am I just looking at the wrong tab? bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 download 06.04.2023
VT says unsigned, VS says signing ok. I'm confused now

View attachment 274333

Thanks for the answer. So what windows shows you under property's: "digital signature" is pretty much useless and you would have to use a dedicated hash app to recheck if the file is signed right?
edited

Mine doesn't show the digital signature tab.

And edge still alerts me on download.

 

[TairikuOkami]

So what windows shows you under property's: "digital signature" is pretty much useless and you would have to use a dedicated hash app to recheck if the file is signed right?

No. What OP is referring to is a hash signature, every file has it. If the hash is the same, it proves that the file was not altered, but not really, who made it.

What Are MD5, SHA-1, and SHA-256 Hashes, and How Do I Check Them?

You'll sometimes see MD5, SHA-1, or SHA-256 hashes displayed alongside downloads during your internet travels, but not really known what they are.

www.howtogeek.com

Digital signature verifies, if the file was signed with the proper certificate authority like TLS on webpages and as such proves that the file is genuine even without a file hash.

What is Code Signing? | DigiCert FAQ

Code signing is the process of applying a certificate-based digital signature to a software binary or file to verify that the included code has not been tampered with since it was last signed. View this Code Signing FAQ page by DigiCert to learn more.

www.digicert.com

The file from the glasswire does not have a digital signature at all compared to the one on softpedia and it will not run on my system, it is unsigned, like Smart App Control checks.

 

[artek]

The

No. What OP is referring to is a hash signature, every file has it. If the hash is the same, it proves that the file was not altered, but not really, who made it.

What Are MD5, SHA-1, and SHA-256 Hashes, and How Do I Check Them?

You'll sometimes see MD5, SHA-1, or SHA-256 hashes displayed alongside downloads during your internet travels, but not really known what they are.

www.howtogeek.com

Digital signature verifies, if the file was signed with the proper certificate authority like TLS on webpages and as such proves that the file is genuine even without a file hash.

What is Code Signing? | DigiCert FAQ

Code signing is the process of applying a certificate-based digital signature to a software binary or file to verify that the included code has not been tampered with since it was last signed. View this Code Signing FAQ page by DigiCert to learn more.

www.digicert.com

The file from the glasswire does not have a digital signature at all compared to the one on softpedia and it will not run on my system, it is unsigned, like Smart App Control checks.

Are other people getting a version without a digital signature as well? After the 3CX supply chain attack, I enabled the registry fix for the "WinVerifyTrust Signature Validation Vulnerability." This might explain why I'm not seeing a digital signature on the executable. But again, I don't understand posting a file hash on the download page when none of our downloads match the hash listed by them.

10-year-old Windows bug with 'opt-in' fix exploited in 3CX attack

A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11.

www.bleepingcomputer.com

-edit-

I just tested the file on softpedia and it shows a digital signature for me in windows. It also shows the correct file hash of 916cd2f3ed8b599f7ace7639dc6763b272fdb21805f33da5b72b446899aa1c22. So, the registry tweak does not seem to be the culprit here.

It's just the download hosted on the main glasswire website that is modified.

 

[Freki123]

I just downloaded the gw setup from their homepage two mins ago. I get the same file I got two day ago.
I get SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 when I check it on VT.
And for that file I thought if they say "The digital signature is ok" (arrow on the right side) that it would mean that the file was signed? // While VT says it's unsigned.
Sorry for not explaining what I meant in a more clear way.

Btw I wrote support about the hash/signature problem. But since it's weekend I wouldn't expect an answer soon.

@TairikuOkami
Thanks for the links. What I meant was the digital signature of the SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14. To the best of my knowledge I think it's valid despite what VT says.

 

[artek]

I just downloaded the gw setup from their homepage two mins ago. I get the same file I got two day ago.
I get SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 when I check it on VT.
And for that file I thought if they say "The digital signature is ok" (arrow on the right side) that it would mean that the file was signed? // While VT says it's unsigned.
Sorry for not explaining what I meant in a more clear way.

Btw I wrote support about the hash/signature problem. But since it's weekend I wouldn't expect an answer soon.
View attachment 274347
@TairikuOkami
Thanks for the links. What I meant was the digital signature of the SHA-256: bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14. To the best of my knowledge I think it's valid despite what VT says.View attachment 274368

I wonder why you're getting a signed file but me and @TairikuOkami are not.

 

[Freki123]

No clue sorry. One thing it could be I got bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 as a download result while the op got a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d (at lest that's the way I understood it). Bonus fun fact: When I did the following changed to the windows signature check the files that were labeled before as signed are now labeled as not signed anymore

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

With that being said I will wait for the support answer. It gets to confusing for me now

 

[artek]

No clue sorry. One thing it could be I got bea171aff7e78609171a701f0a54ad1b76128e530f8098333b42b69ec5699a14 as a download result while the op got a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d (at lest that's the way I understood it). Bonus fun fact: When I did the following changed to the windows signature check the files that were labeled before as signed are now labeled as not signed anymore

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

With that being said I will wait for the support answer. It gets to confusing for me now

That's what I thought in the beginning, that it might be that registry tweak, but I was unsure when another user reported it as also being unsigned.

 

[artek]

Another glasswire user just reported the file that he downloaded was not signed. What are the chances that all three of us have that registry tweak?

 

[Freki123]

What are the chances that all three of us have that registry tweak?

I can't answer that part. I can only tell you that I have some files (e.g game installer) that were counted as signed and after I applied the "registry fix" the "digital signatures" tab was gone. So before the "tweak" windows treated them as signed and afterwards they were not signed anymore for windows.

Spoiler: MS sec advisor

Microsoft Security Advisory 2915720

Update on Windows Authenticode Signature Verification changes: Opt-in feature for improved security. Learn more at Microsoft Security Advisory 2915720.

learn.microsoft.com

Quotes from it:
However, as we worked with customers to adapt to this change, we determined that the impact to existing software could be high. Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.

Is there any possibility of a signature being recognized as non-compliant with the stricter verification process if I sign using non-Microsoft-provided signing tools?
Yes. For customers opting to enable the stricter verification behavior, signing binaries with non-Microsoft-provided signing tools runs the risk of signatures being recognized as non-compliant with the stricter verification behavior. Using Microsoft products, or signature tools Microsoft provides, such as signtool.exe, helps to ensure that signatures are recognized as compliant.

Tldr: My guess is the check is quite strict and some publisher never followed the recommendations to pass that strict checks.

 

[struppigel]

Depending on whether you download the file from here: Free Firewall Software by GlassWire
Or from here: GlassWire Software Version Changes List

You will either get one that matches the hash or one that does not match.

The only significant difference between both files is tracking information in the installer that shows up as not signed on VT:

Putting the tracking info into installers is common practice. Doing so in the certificate structure does not break the signer information for most systems. The only systems where that is broken is when you enabled strict signature enforcement in the registry which some of you have done.

More info about that is here: Caveats for Authenticode Code Signing - IEInternals - Site Home - MSDN Blogs

Now it seems to me that all this is on purpose. GlassWire cannot provide correct hashes AND at the same time store tracking information. So they decided to put different installers on their pages in the hopes that the ones checking the hash will use the download button on the hash page.

For all I know both files are clean, but I would still use the one from this site: GlassWire Software Version Changes List