Ensure all DLLs are signed in releases

Feature name

  • Sign all DLLs as part of release

Feature function

  • Currently, there are DLLs in the full client of Bitwarden which are not signed
  • In corporate environments, app control software often requires DLLs to be either individually allowlisted by hash, or to be signed
  • Signing all DLLs would propagate trust in the DLLs, and reduce overhead for taking updates (encouraging end users to take updates as they are released) by allowing administrators to automatically allow the update if the DLL is signed by a trusted authority
  • This should be minimal overall effort, while providing ease of updating.

Editing to add the specific included DLLs that are not signed today

  • ffmpeg.dll
  • libglesv2.dll
  • vk-swiftshader.dll

A year later, this is still coming up regularly. Every update, I have to work with IT to allow the specific unsigned DLLs, which they have to individually allowlist by hash each time.

While using application Control via digital signing/allow listing DLLs is a bit extreme, in todays world of Ransomware events, it is not really even overreacting.

From my latest install, the files that had to be allowlisted due to being unsigned are:

Any help you can provide in getting the DLLs distributed with Bitwarden signed, so that this is no longer needed would be appreciated.