pia_openvpn_client not code signed.
On a Mac running PIA VPN client I get this warning from Little Snitch. "pia_openvpn_client wants to connect to 172.98.67.28. The process has no code signature. The executable can be maliciously modified without being detected."
While other parts of the PIA VPN client are code signed (nwjs) this executable is not. Why? Why not sign it?
Comments
pia_openvpn_client wants to connect to 104.200.153.97
The process has no code signature. The executable can be maliciously modified without being detected. The matching rule is therefore not being applied.
A matching rule exists that requires a valid code signature by an unknown developer, but the process has no valid code signature. This could mean that the application was possibly maliciously modified. The matching rule is therefore not being applied.
To allow connections by this process anyway, all existing rules for “pia_openvpn_client” can be modified to ignore any code signature. This makes these rules less secure, though.
Allowing "no code signature" returns:
! This will modify all existing rules for "pia_openvpn_client" to not require any code signature anymore. (buttons: Cancel - Modify Existing Rules)
Is the company ignoring this?
We're definitely not ignoring this! We're currently working to get our drivers signed, but it's a lengthy process that involves coordination with quite a few third parties. In the meantime, you can ensure that your application is genuine by verifying the checksums, which are posted here on our downloads page.
https://www.privateinternetaccess.com/forum/discussion/18531/pia-code-not-signed-installer-win-exe-v-47?
I am left wondering if there is something wrong with their code.
This is a question of ignorance and is hypothetical, so take it for what it is worth:
If their code made our connections not actually private but accessible and monitorable by a third party, say for example a government agency or marketing company or someone else interested in our data, would obtaining a code signature reveal this?
In other words could duplicity be revealed by the code signing process?
I am still getting the same alerts from Little Snitch. Half the time their software will not even start (Mac OS X 10.13.4). Click on the app, and nothing happens. I have been a loyal customer for years but this is too flakey.
I am thinking of going back to Mullvad over this. It is pretty good, flexible software, and not too expensive.