Hi, This is a note I sent to the x2go-dev list before I managed to find and follow the steps to get myself added to the list. From some back-and-forth with the moderator, it appears that x2go already has a detached signature, but our IT department told me that doesn't work, they need the signature to be embedded in the installer. I gather that the expense of a trusted CA-issued certificate is out of your budget, but it sounded like our IT department would be ok with a self-signed certificate (not ideal but it sounded like that would satisfy the signing requirement). Would it be possible to issue the current Windows release in an internally signed format?
====================================================================
Sometimes, like here, in the corporate world there are restrictions on what software is allowed to be used, and in Dell's case one restriction is that an installer package needs to be digitally signed to verify that the installer we use is in fact the genuine article. Unfortunately the MS Windows installer at http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe does not appear to be digitally signed, so they won't let us use it.
Would it be possible to create and publish a Windows installer that is digitally signed by the x2go organization? It's a very useful tool for our environment where most of our work is done on systems remote from our desktops, and is better performing and more capable than any alternative we've found, especially over WAN links.
Thanks for considering our request,
-Morgan
Internal Use - Confidential
Hi Morgan,
On Mo 14 Jul 2025 15:58:02 CEST, Clark, Morgan wrote:
Hi, This is a note I sent to the x2go-dev list before I managed to find
and follow the steps to get myself added to the list. From some
back-and-forth with the moderator, it appears that x2go already has
a detached signature, but our IT department told me that doesn't
work, they need the signature to be embedded in the installer. I
gather that the expense of a trusted CA-issued certificate is out of
your budget, but it sounded like our IT department would be ok with
a self-signed certificate (not ideal but it sounded like that would
satisfy the signing requirement). Would it be possible to issue the
current Windows release in an internally signed format?
====================================================================
Sometimes, like here, in the corporate world there are restrictions
on what software is allowed to be used, and in Dell's case one
restriction is that an installer package needs to be digitally
signed to verify that the installer we use is in fact the genuine
article. Unfortunately the MS Windows installer at
http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe
does not appear to be digitally signed, so they won't let us use it.
Would it be possible to create and publish a Windows installer that
is digitally signed by the x2go organization? It's a very useful
tool for our environment where most of our work is done on systems
remote from our desktops, and is better performing and more capable
than any alternative we've found, especially over WAN links.
Thanks for considering our request,
-Morgan
We can surely GPG-sign the installer but I am not sure if that is
helpful to you.
Of course, we have no current plans as a community to get the
X2GoClient_latest_mswin32_setup.exe signed by some official entity
such as Microsoft.
So, what kind of signing do you have in mind? Any docs that explain
the required process?
Mike
--
DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Hi, thanks for writing back. I'm not a Windows developer, but I think what we need is something like the description at https://stackoverflow.com/questions/252226/signing-a-windows-exe-file. Use SignTool.exe (from the Windows SDK) to apply a certificate to the .exe, probably after using MakeCert.exe (also from the Windows SDK) to create that self-signed certificate.
-Morgan
Internal Use - Confidential
-----Original Message-----
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Sent: Wednesday, July 23, 2025 1:09 PM
To: Clark, Morgan <Morgan.Clark@dell.com>
Cc: x2go-dev@lists.x2go.org
Subject: [X2Go-Dev] Re: digitally signed x2go client installer package?
Hi Morgan,
On Mo 14 Jul 2025 15:58:02 CEST, Clark, Morgan wrote:
Hi, This is a note I sent to the x2go-dev list before I managed to find and follow the steps to get myself added to the list. From some back-and-forth with the moderator, it appears that x2go already has a detached signature, but our IT department told me that doesn't work, they need the signature to be embedded in the installer. I gather that the expense of a trusted CA-issued certificate is out of your budget, but it sounded like our IT department would be ok with a self-signed certificate (not ideal but it sounded like that would satisfy the signing requirement). Would it be possible to issue the current Windows release in an internally signed format?
====================================================================
Sometimes, like here, in the corporate world there are restrictions on what software is allowed to be used, and in Dell's case one restriction is that an installer package needs to be digitally signed to verify that the installer we use is in fact the genuine article. Unfortunately the MS Windows installer at http://code.x2go.org/releases/X2GoClient_latest_mswin32-setup.exe does not appear to be digitally signed, so they won't let us use it.
Would it be possible to create and publish a Windows installer that is digitally signed by the x2go organization? It's a very useful tool for our environment where most of our work is done on systems remote from our desktops, and is better performing and more capable than any alternative we've found, especially over WAN links.
Thanks for considering our request,
-Morgan
We can surely GPG-sign the installer but I am not sure if that is helpful to you.
Of course, we have no current plans as a community to get the X2GoClient_latest_mswin32_setup.exe signed by some official entity such as Microsoft.
So, what kind of signing do you have in mind? Any docs that explain the required process?
Mike
--
DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de/
Hi Morgan,
On 23.07.25 at 21:41, Clark, Morgan wrote:
Hi, thanks for writing back. I'm not a Windows developer, but I think what we need is something like the description at https://stackoverflow.com/questions/252226/signing-a-windows-exe-file. Use SignTool.exe (from the Windows SDK) to apply a certificate to the .exe, probably after using MakeCert.exe (also from the Windows SDK) to create that self-signed certificate.
This makes no sense at all. If you're running a locked-down environment where only signed executables are allowed (which is a sensible thing to do), a self-signed certificate won't help you, because it doesn't have a trust chain down to a root certificate that your systems know and trust.
If you decide to trust self-signed certificates in such an environment, bypassing the entire trust chain, you can just stop locking down the environment and save yourself the time and effort - you've just bypassed all the security gains the setup was supposed to bring.
In fact, you could probably generate such a signature yourself and no one in your environment would notice it was you if you're really allowing self-signed certs (again, setting up your environment that way is *THE TOTAL OPPOSITE OF SMART*).
If that's what Dell is allowing internally, then our reply is: Sorry, we do not cater to corporate stupidity. You have all the tools needed to shoot yourself in the foot available to yourself, we don't want to be a part of it.
If, on the other hand, you wanted to do it the proper way, the one that would actually improve security, with an official certificate, you'd offer to support the X2Go project financially (not just once, but in an ongoing fashion) so we could afford getting the required infrastructure in place, jump through all the required hoops to get an official signing certificate, etc.
However, given the low amount of active volunteers and the fact that the project has been underfunded for several years now (if you browse our donation pages, you will see unfulfilled needs going back to summer 2024, with an open amount over 3 700 EUR in total), I doubt this is going to happen soon. We just have more pressing needs to worry about at the moment - basically, "keeping the lights on".
We keep getting requests both on- and off-list from companies that we should do this and that for them, but when we mention that we need funding to add new features and fix bugs, the responses range from insults like "F--- you, I'll just use $RANDOM_OTHER_SOFTWARE instead" (of course, in the uncensored form) and "how dare you, you claim to be a free software project so you have to work for us for free, too" to "oh, nevermind, I was just asking".
Now, if Dell suddenly had a change of heart and wants to support us financially, we sure as hell won't say no. But the past experience we've had with your employer wasn't exactly stellar (when we asked for tech support for two Dell-made devices that were bought together, but wouldn't play nicely with each other, we were basically told to either use Dell's own operating system instead of our own X2Go ThinClient image or get lost), so I'm definitely not getting my hopes up.
[...]
Internal Use - Confidential
You can tag your E-Mails Internal and Confidential as much as you like, this is a public mailing list, and thus can be read and archived by anyone. You agreed to our terms and conditions when you signed up - no amount of after-the-fact legalese will change that.
Kind Regards, Stefan Baur
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243