Signed/Unsigned extensions?


#1

On the Extension Manager some extension have the word below them: “Signed” and others “Unsigned”. What that does mean?
Thank you.


#2

Signed extensions come from registered developers.

This is from the Sketchup Help Center :

“Starting with SketchUp 2016, registered extension developers can claim their software by signing it digitally. This signature says, “I made this,” but in a secure coded format. In other words, when an extension is signed, the extension file contains a signature file that is securely tied to the developer’s Extension Warehouse account. An extension may be unsigned if you installed it manually.”


#3

But I installed all the extensions from Warehouse extensions, not manually.
If to use them signed or unsigned doesn’t make any difference, then there
is not an issue here.


#4

If you have the extension policy set to unrestricted it makes no difference. But if you set it stricter or if Trimble ever does away with unrestricted (at one point they said that was the plan) then unsigned extensions will not load.


#5

I have read that before somewhere as well but what would this mean for people who just make in-house code for themselves? I update my tools very un-regularly. Some tools even are just a couple of lines. Having to sign them before I can use/debug them would be annoying.


#6

Also with a new version many developers are playing catchup - to make their code compatible and/or submit their RBZs to be re-signed.
If you trust the source, then running SketchUp in ‘unrestricted’ loading-policy is unlikely to be dangerous and unsigned and in house code will run without difficulty.
Trimble had this idea that users wanted the comfort of having ‘certified’ extensions.
Signing gives that impression, however they sign developer’s RBZs with no checks as to the code’s intentions - malicious or not - so it’s somewhat illusory.
A signed extension cannot be altered without it breaking the signed-hash, but if you get your RBZs from a reputable source like EWH, SketchUcation, Smustard or established developers sites, then the issue of it being signed is somewhat academic.
The big issue they have in ever removing the ‘unrestricted’ policy option is that it would preclude you from writing in-house plugins [unless you register as a developer and go through the rigmarole of submitting an RBZ for signing etc - even for minor code changes and perhaps even prevent you from using Ruby-snippets in the Ruby Console - a seriously retrograde step.
Of course that also has implications for the developers themselves, who will inevitably write many iterations of their code before it ever goes public !
It needs much more work and thought.
The hash process is not even 100% secure - it only works in >=v2016 - and IMHO a serious hacker with malicious intent could circumvent it…
However, if you get your RBZs from a trusted source or use in-house code you can rely on then, then what’s the risk ?


#7

TIG provided a very thorough answer. All I’ll add is that the whole signing idea was quite controversial right from the start.

Edit: After some reflection I’ll also add this:

I haven’t seen it stated officially anywhere, but I think that the signing and loading policy thing was driven by Trimble’s lawyers and insurance company in an attempt to limit Trimble’s liability, not by an actual incident or a request from SketchUp users (though if there was an actual incident it likely wouldn’t be reported publicly). SketchUp embeds a full Ruby interpreter, which means that an extension has ability to do anything a user-installed Ruby script can do, and that includes a lot of malicious mischief. By granting signing only to registered developers they provide a way (in theory at least) to track the mischief back to its source, and by providing a means to restrict what extensions can load they make it your decision to load unsigned ones from questionable sources.

It’s a sad sign of the times when unscrupulous people look for opportunities such as this to harm others and when the corporate world therefore feels the need to isolate itself from legal fallout. Inconvenience for many to protect against careless users and a few bad actors!