Closed
Bug 738733
Opened 12 years ago
Closed 6 years ago
[TB] Updater.exe: Need to improve UX of win7 user account control security confirmation dialogue when updating TB
Categories
(Thunderbird :: Installer, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: thomas8, Unassigned)
Details
Attachments
(2 files)
STR

1a) on Win7: TB > Help > About > Update (tested for EarlyBird)
2a) observe TB UX of Win7 User Account control (UAC) security confirmation dialogue in terms of "trustworthiness"

And for comparison:
1b) on Win7: FF > Help > About > Update
2b) observe FF UX of Win7 User Account control (UAC) security confirmation dialogue in terms of "trustworthiness"

Actual result

2a) TB UAC dialogue UX is that of an untrusted application, and user cannot even find the name of our product nor the publisher's name on the dialogue - basically, it could be any program trying to do bad things on my computer (see Screenshot 1 attached):

[User Account Control]
(!) Do you want to allow the following program of unknown origin to make changes to this computer?
(exclamation mark icon on yellow background, read: Warning! This is untrusted and potentially harmful stuff!)
Program name: updater.exe
(updater of what???)
Publisher: Unknown
(not exactly a certificate of trust; I'm not sure what this is about and if it's safe to proceed)

2b) For comparison, FF (tested on beta channel) does the right thing:
FF UAC dialogue UX is that of a trusted application, and user can find both the full name of their product and the publisher's name on the dialogue:

[User Account Control]
(?) Do you want to allow the following program to make changes to this computer?
(Question mark icon on blue background, read: This is trusted content from verified origin, it's safe to go ahead)
Program name: Firefox Software Updater
(yes, I know that one)
Verified Publisher: Mozilla Corporation
(and it comes with a certificate of trust, so I feel confident to proceed)

Expected result

In the same manner as FF (see 2b), TB's updater.exe should ensure that updating TB on Win7 creates the UX of a trusted application (see Screenshot 2, attached in my next comment):

[User Account Control]
(?) Do you want to allow the following program to make changes to this computer?
(Question mark icon on blue background, read: This is trusted content from verified origin, it's safe to go ahead)
Program name: Thunderbird Software Updater
(yes, I know that one)
Verified Publisher: Mozilla Corporation
(and it comes with a certificate of trust, so I feel confident to proceed)

Ideally, use DailyBird, EarlyBird, Thunderbird Beta as applicable in the program name string, followed by "Software Updater".
Updated • 12 years ago (Reporter)
Summary: [TB] Updater.exe: Need to improve UX of win7 user account control security check dialogue when updating TB → [TB] Updater.exe: Need to improve UX of win7 user account control security confirmation dialogue when updating TB
Comment 1 • 12 years ago (Reporter)

(In reply to Thomas D. from comment #0)
> 2b) For comparison, FF (tested on beta channel) does the right thing:
> FF UAC dialogue UX is that of a trusted application, and user can find both
> the full name of their product and the publisher's name on the dialogue:

See attached screenshot of updating Firefox. This bug requests that Thunderbird updater should look like this.
Comment 2 • 12 years ago (Reporter)

Can somebody confirm for TB *release channel* on Win7 if you get the untrusted confirmation dialogue of attachment 608790, too?
Comment 3 • 12 years ago

It looks like something goes wrong as this is unsigned software. I didn't notice this on latest beta testing. I'm not sure we are signing nightlies and maybe Firefox is.
Comment 4 • 12 years ago

We just haven't picked up signing yet for nightly or earlybird. Not sure when that's coming, but when it does this will be fixed automatically (I'll try and find some bug refs soon).
Comment 6 • 6 years ago

The nightlies are signed. It appears to be the same key that Firefox uses.

$ wine sigcheck.exe -i thunderbird-61.0a1.en-US.win32.installer.exe

Sigcheck v2.60 - File version and signature viewer
Copyright (C) 2004-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

Z:\home\rob\Downloads\thunderbird-61.0a1.en-US.win32.installer.exe:
    Verified:       Signed
    Link date:      5:12 PM 5/5/2017
    Signing date:   7:33 AM 5/7/2018
    Catalog:        Z:\home\rob\Downloads\thunderbird-61.0a1.en-US.win32.installer.exe
    Signers:
       Mozilla Corporation
        Cert Status:    The revocation status of the certificate or one of the certificates in the certificate chain is unknown., The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
        Valid Usage:    Code Signing
        Cert Issuer:    DigiCert SHA2 Assured ID Code Signing CA
        Serial Number:  0C 53 96 DC B2 94 9C 70 FA C4 8A B0 8A 07 33 8E
        Thumbprint:     B6B24AEA9E983ED6BDA9586A145A7DDD7E220196
        Algorithm:      sha256RSA
        Valid from:     8:00 PM 6/22/2017
        Valid to:       8:00 AM 6/28/2019
       DigiCert SHA2 Assured ID Code Signing CA
        Cert Status:    The revocation status of the certificate or one of the certificates in the certificate chain is unknown., The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
        Valid Usage:    Code Signing
        Cert Issuer:    DigiCert Assured ID Root CA
        Serial Number:  04 09 18 1B 5F D5 BB 66 75 53 43 B5 6F 95 50 08
        Thumbprint:     92C1588E85AF2201CE7915E8538B492F605B80C6
        Algorithm:      sha256RSA
        Valid from:     8:00 AM 10/22/2013
        Valid to:       8:00 AM 10/22/2028
       DigiCert Assured ID Root CA
        Cert Status:    The revocation status of the certificate or one of the certificates in the certificate chain is unknown., The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
        Valid Usage:    All
        Cert Issuer:    DigiCert Assured ID Root CA
        Serial Number:  0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
        Thumbprint:     0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
        Algorithm:      sha1RSA
        Valid from:     8:00 PM 11/9/2006
        Valid to:       8:00 PM 11/9/2031
    Company:        Mozilla
    Description:    Firefox
    Product:        Firefox
    Prod version:   4.42
    File version:   4.42
    MachineType:    32-bit
Flags: needinfo?(rob)
Comment 7 • 6 years ago

(In reply to Mark Banner (:standard8) from comment #4)
> We just haven't picked up signing yet for nightly or earlybird. Not sure
> when that's coming, but when it does this will be fixed automatically (I'll
> try and find some bug refs soon).

Thomas, do you agree this is now resolved?
Flags: needinfo?(bugzilla2007)
Comment 8 • 6 years ago

I realized last night that the issue wasn't with the Thunderbird installer, it's with the updater. So with that in mind, I just checked all of the EXE files in our nightly install. They all check out.

Z:\home\rob\tmp\thunderbird\crashreporter.exe:
    Verified:       Signed
    Signing date:   7:13 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Foundation
    Description:    .FileVersion
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\maintenanceservice.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Foundation
    Description:    .FileVersion
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\maintenanceservice_installer.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Corporation
    Description:    Mozilla Maintenance Service Installer
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\minidump-analyzer.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Foundation
    Description:    .FileVersion
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\pingsender.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Foundation
    Description:    .FileVersion
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\plugin-container.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Corporation
    Description:    Plugin Container for Thunderbird Daily
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\plugin-hang-ui.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Corporation
    Description:    Plugin Hang UI for Thunderbird Daily
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\thunderbird.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Corporation
    Description:    Thunderbird Daily
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\updater.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Foundation
    Description:    Thunderbird Daily Software Updater
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
Z:\home\rob\tmp\thunderbird\WSEnable.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
    Company:        Mozilla Foundation
    Description:    Thunderbird Daily Windows Search Integration Handler
    Product:        Thunderbird Daily
    Prod version:   61.0a1
    File version:   61.0a1
    MachineType:    32-bit
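The per-file check described in comment 8 can be automated. The following is an added example, not part of the original comments or of Mozilla's tooling: a Python script that parses sigcheck's default per-file output (the layout with `Verified` and `Publisher` fields, not the `-i` chain dump) and reports every executable that is unsigned or signed by an unexpected publisher. The sample input, its `C:\sample` paths, and the unsigned and wrong-publisher entries are constructed for illustration.

```python
import re

# Constructed sample in sigcheck's per-file layout (not captured tool output).
SAMPLE = r"""
C:\sample\thunderbird.exe:
    Verified:       Signed
    Signing date:   7:14 AM 5/7/2018
    Publisher:      Mozilla Corporation
C:\sample\updater.exe:
    Verified:       Unsigned
    Publisher:      n/a
C:\sample\helper.exe:
    Verified:       Signed
    Publisher:      Example Other Corp
"""

HEADER = re.compile(r"^(\S.*\.exe):\s*$", re.IGNORECASE)  # unindented "path.exe:"
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")               # indented "Name: value"

def parse_sigcheck(text):
    """Return {path: {field: value}} for each per-file block."""
    files, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = files.setdefault(header.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return files

def audit(files, expected_publisher):
    """Return {path: reason} for files that are unsigned or have another publisher."""
    problems = {}
    for path, info in files.items():
        if info.get("Verified") != "Signed":
            problems[path] = "not signed (Verified: %s)" % info.get("Verified", "missing")
        elif info.get("Publisher") != expected_publisher:
            problems[path] = "unexpected publisher: %s" % info.get("Publisher", "missing")
    return problems

if __name__ == "__main__":
    for path, reason in audit(parse_sigcheck(SAMPLE), "Mozilla Corporation").items():
        print(path, "->", reason)
```

Run against a release or nightly install directory, an empty result corresponds to "They all check out"; any entry names a binary that would raise the "Publisher: Unknown" prompt or one attributed to a different signer.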
Comment 9 • 6 years ago (Reporter)

(In reply to Wayne Mery (:wsmwk) from comment #7)
> (In reply to Mark Banner (:standard8) from comment #4)
> > We just haven't picked up signing yet for nightly or earlybird. Not sure
> > when that's coming, but when it does this will be fixed automatically (I'll
> > try and find some bug refs soon).
>
> Thomas, do you agree this is now resolved?

Looking at comment 8, yes.
Flags: needinfo?(bugzilla2007)
Updated • 6 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME