I installed the latest update, but my .dll and .exe files don't have the signature you posted (Firebit OU). The 'name of signer' is 'Rainmeter Team' and the timestamp is 'not available.'

Came here for the same reason. I was wondering what the plan was to mitigate. I see you have code signing, which should mitigate the MITM attack.
I did a little digging and this is what I found. I am not an expert at rainmeter and this is the first time I have looked at the repo.
Looks like it gets the status file with http:
Ah, then it downloads anything within status.json. The SHA is also contained in that file, so a baddie would only have to build and host their own status.json and rainmeter clients would get their malicious update.
I looked back 13 years and it has been the same since then, so this does not appear to me to be malicious coding on the rainmeter side.
I would humbly suggest retrieving the status file with https and adding a check for the signature of the signed executables before installing.
This is not a theoretical attack; it is known to be happening in the wild. In the meantime I would recommend everyone disable the check for updates and ensure that their current rainmeter install is using signed code. (Right-click on all of the .exe and .dll files within the rainmeter directory and ensure they are signed as below.)
Thanks for your attention to this issue.
Rich
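The manual check Rich describes (right-clicking every .exe and .dll and reading the signature tab) can be done in one pass from PowerShell. The script below is an added example written for this thread, not code from Rainmeter or from either poster; it assumes a Rainmeter install under `$env:ProgramFiles\Rainmeter` (adjust `-InstallDir` if yours differs) and uses only the built-in `Get-AuthenticodeSignature` cmdlet. It inventories the signer, issuer, thumbprint and timestamp of each binary and exits non-zero if any file is unsigned, tampered with, or signed by a certificate whose chain does not end in a trusted root.

```powershell
# Added example (not from the forum thread or the Rainmeter project): inventory the
# Authenticode signatures of every .exe and .dll under an install directory and
# flag anything that is not fully valid. The default path is an assumption.
param(
    [string]$InstallDir = "$env:ProgramFiles\Rainmeter"
)

if (-not (Test-Path -LiteralPath $InstallDir)) {
    Write-Error "Install directory not found: $InstallDir"
    exit 2
}

$binaries = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll

$report = foreach ($file in $binaries) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File       = $file.FullName
        # Status is one of: Valid, NotSigned, NotTrusted, HashMismatch,
        # UnknownError, NotSupportedFileFormat, Incompatible
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Issuer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(none)' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '(none)' }
        NotAfter   = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        # A missing timestamp means the signature stops validating once the cert expires
        Timestamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'not available' }
    }
}

$report | Sort-Object Status, File | Format-Table File, Status, Signer, Timestamp -AutoSize

# Unsigned files, modified files (HashMismatch) and files signed by a certificate
# that does not chain to a trusted root (NotTrusted) all land here.
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} file(s) do not carry a valid, trusted signature:" -f $suspect.Count)
    $suspect | Format-Table File, Status, Signer, Issuer -AutoSize
    exit 1
}

Write-Host "All $($report.Count) binaries under $InstallDir carry a valid, trusted Authenticode signature."
```

Run it as `.\Check-RainmeterSignatures.ps1` (or with `-InstallDir 'D:\Apps\Rainmeter'` for a custom location). A binary signed with a self-issued certificate, such as one whose issuer is a "Root Certificate" of the same name that Windows has no trust path to, reports `NotTrusted` rather than `Valid`, which matches the "certificate in the signature cannot be verified" wording the signature tab shows; a file that has been altered after signing reports `HashMismatch`. The `Timestamp` column makes the "not available" case visible at a glance, since an untimestamped signature cannot be validated past the signing certificate's expiry.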
Also under 'digital signature information,' it says 'the certificate in the signature cannot be verified' and the signer information is also 'Rainmeter Team.' The certificate info indicates 'Windows does not have enough information to verify this certificate' and it says 'issued to: Rainmeter Team,' 'issued by: Rainmeter Team Root Certificate,' and 'Valid from 2/29/2024 to 2/26/2034.'
Can anyone confirm if that's all correct? It looks like all the files are from 8/8/24. I just installed this fix yesterday after the program prompted me and I checked the forum first.
EDIT: I downloaded the .exe file from the official site just to compare, but that one has a signature time stamp and verified certificate signed by 'SignPath Foundation.' I'm confused because when I clicked to update through the app, I got a prompt from Windows whether I wanted 'SignPath Foundation' Rainmeter to make changes (I figured that was the update package). Why are my 8/8/24 files signed by 'Rainmeter Team' instead? Was I not supposed to update via the application?
Thanks for any help!
Statistics: Posted by meloncake — Today, 12:15 am