Microsoft has terminated an account associated with VeraCrypt, a popular and long-running piece of encryption software, throwing future Windows updates of the tool into doubt, VeraCrypt’s developer told 404 Media.
“Regarding VeraCrypt, I cannot publish Windows updates. Linux and macOS updates can still be done but Windows is the platform used by the majority of users and so the inability to deliver Windows releases is a major blow to the project,” he continued. “Currently I’m out of options.”
According to a post on Hacker News, the popular VPN client WireGuard is facing the same issue. “No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended,” Jason Donenfeld, the creator of WireGuard, wrote.
I have encountered some challenges but the most serious one is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader. You can see below a screenshot of the message shown when I tried to sign in. - MOUNIR IDRASSI (VeraCrypt Developer)
I don’t fully understand how VeraCrypt depends on MS for the release of their app on Windows. Can someone explain like I’m 5?
Either way, this is extremely alarming. We should be able to easily install any apps we want on our devices. I hope Louis Rossmann covers this.
ok…maybe think of it like this…VeraCrypt makes a small helper (the bootloader and drivers) that must run before Windows. Microsoft acts like a guardian who only lets helpers run if they have a special badge (a digital signature). VeraCrypt asks Microsoft for that badge so Windows will trust and run its helper. Without the badge, Windows blocks the helper and VeraCrypt can’t work properly.
A signed driver verifies it’s legit and made by who it says it is. Microsoft is one of the few that can give it the okay since they have a private key to sign drivers to run on Windows. If you don’t get the signature from Microsoft, you aren’t allowed to run the driver (in most cases, unless you disable driver signature enforcement). As of Windows 11 it must go through Microsoft, which is why it’s an issue.
Feel free to correct me if I’m wrong since I’m still learning about signatures atm.
Developers need to sign their software with a key certified by Microsoft, to ensure the software actually present on users’ computers is actually what the developer wrote, and not some maliciously tampered version. For that, developers need to register at Microsoft to get the key.
I find the WireGuard situation more concerning. In my understanding, WireGuard is what is used under the hood by many VPN providers. Killing it may impact a whole pack of VPN providers. ProtonVPN nowadays no longer supports OpenVPN; only WireGuard and their own Stealth protocols are supported. So that could be huge for Proton.
According to a tweet from EdgeSecurity, the WireGuard issue is driver signing, and it was caused by a new identity verification policy (and no notification regarding this matter from Microsoft). Sounds like the situation with Android, where only apps from verified developers are allowed.
Does this mean that before Windows 11, app developers didn’t need MS’ permission to create apps that run on their platform?
There is a whole bunch of stuff, and it evolved over time; it’s not like Windows 11 made a revolution.
When Secure Boot is enabled, UEFI will check whether your operating system bootloader is signed, i.e. that it’s a valid bootloader for your system and not a possibly malicious one. It happens that the default certificate in UEFI is Microsoft’s. Bootloader signing affects both Windows and Linux. I believe that most Linux bootloaders now use a small program called “shim” that is signed by Microsoft and passes the UEFI check, then simply redirects the loading process to the actual bootloader (e.g. GRUB2). I also believe that it is possible to install your own certificate into UEFI and use it for a Linux bootloader.
At some point in history, Microsoft started to care about security a bit more. That’s when they started to enforce driver signing. Which makes sense - you don’t want the driver that runs in the kernel to be a malicious app.
There is app signing. It has a few use cases. It confirms that the app developer is not a nobody and the app deserves a bit of trust. Windows will bother you a bit less with SmartScreen (though you’ll still get it for just-downloaded apps). The UAC window will be less alarming (light blue rather than yellow, and there will be an actual publisher stated in the window instead of Unknown). In my experience, it reduces the number of false positives antiviruses give you on your app (sometimes AV marks trustworthy apps as malicious by mistake - a false positive). Signed software has some use for system administration - you can apply Software Restriction Policies to allow or deny running apps signed by a specific signer.
I believe apps in Microsoft Store shall be signed as well.
I’m not sure how it is nowadays, but I believe that drivers and Windows Store apps are signed by Microsoft, and standalone apps are signed by a certificate you purchased from a certificate authority. Bootloaders should be signed by Microsoft (as Microsoft’s certificate is the one stored in UEFI). Standalone apps could be signed by your own certificate. In this case the user has to install that certificate beforehand, or live with an “untrusted” app (you can install the app regardless). It’s a rather bad practice to install third-party certificates.
On Linux, repos are usually signed. App installation packages (like .deb, .rpm) can also be signed with GPG. So signing is not something Windows-specific. It also applies to Android and apps for Apple devices.
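
For readers who want to see the Secure Boot and driver-signing checks discussed in this thread on their own machine, the following is an added example, not part of any comment above. It uses the standard Windows PowerShell cmdlets `Confirm-SecureBootUEFI`, `Get-CimInstance` and `Get-AuthenticodeSignature`; the helper name `Resolve-DriverPath` is hypothetical.

```powershell
# Added example: audit Secure Boot state and kernel-driver signatures locally.
# Run from an elevated PowerShell 5.1+ prompt on Windows.

# Confirm-SecureBootUEFI throws on legacy-BIOS machines or without elevation.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = 'unknown (legacy BIOS or not elevated)' }
"Secure Boot enabled: $secureBoot"

function Resolve-DriverPath {   # hypothetical helper name
    param([string]$PathName)
    # PathName may be quoted, carry an NT prefix, or be relative to %SystemRoot%.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\?SystemRoot\\', "${env:SystemRoot}\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    $p
}

# One row per running kernel/file-system driver: signature status and signer.
$report = Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
    ForEach-Object {
        if (-not $_.PathName) { return }            # no image path recorded
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Driver = $_.Name
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Type   = $sig.SignatureType   # embedded Authenticode or Catalog
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path   = $path
        }
    }

# Drivers whose signature did not validate are the ones to review first.
$report | Where-Object Status -ne 'Valid' | Format-Table -AutoSize

# Which certificates the loaded drivers chain back to, by count.
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```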