"What's New?" is a series of blog posts covering recent changes to Comet in more detail. This article covers the latest changes in Comet Voyager over March 2023.
There were just three Comet software releases during March - two in the 23.3.x Voyager release series, plus one minor patch update 23.2.1 for our quarterly "Leda" release track.
We've landed a few large and exciting features this March:
S3 Object Lock
Comet 23.3.1 adds support for Object Lock on S3. This feature allows Comet to "lock" an object version inside an S3-compatible bucket, preventing it from being deleted or overwritten for a fixed retention period.
This is a fantastic new capability for Comet and it is a key defense against ransomware. Comet generally requires the ability to add and delete files within your Storage location: deleting files is necessary for applying retention passes, updating index files, and coordinating locking across multiple devices. However, if malware running on your PC manages to steal Comet's storage credentials, the malware can delete files too, causing much wider damage than the infected machine alone.
Comet uses S3 Object Lock in "Compliance Mode" to lock individual objects within the storage location. Unlike Governance Mode, Compliance Mode has no bypass permission: a locked object version cannot be deleted or overwritten before its retention period expires, not with Comet's storage credentials, and not even with your administrator (root) S3 keys should those be leaked or exposed.
This feature is available for Amazon S3, Wasabi, IDrive (excluding Storage Template provisioning), and other S3-compatible providers including MinIO-based providers. Please check your S3-compatible provider's documentation to confirm that Object Lock is available.
Object Lock is an opt-in feature, both in Comet and with cloud storage providers. It also relies on S3 bucket versioning. Both properties generally must be set when the S3 bucket is first created; it is not generally possible to enable Object Lock on an existing S3 bucket. To use Object Lock with an existing S3-based Storage Vault, you would have to create a new S3 bucket with Object Lock enabled, migrate the data, and update Comet's Storage Vault settings to point at the new bucket. Because versioning is involved, a locked version continues to occupy storage until its retention period expires even after Comet has "deleted" the object, so expect usage figures to reflect retained versions.
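To make the bucket properties described above concrete, here is an added walk-through in Python with boto3 (this is example code, not Comet's own implementation, which is not shown on the page). It creates a bucket with Object Lock enabled at creation time (which also turns on versioning), sets a bucket-wide Compliance-mode default retention, uploads one object version with an explicit lock, reads the retention back, and then confirms that a version-specific delete is refused with AccessDenied. The bucket name, key, region and retention periods are placeholders. The S3 client is passed in, so the same helpers run against Amazon S3, a MinIO endpoint, or a fake client in a test.

```python
"""Object Lock walk-through with boto3: a bucket that could back an
Object Lock-protected Storage Vault, a Compliance-mode object version, and a
deletion attempt that S3 refuses.  Example code, not Comet's own."""
import sys
from datetime import datetime, timedelta, timezone


def create_locked_bucket(s3, bucket, region, default_retention_days=None):
    """Create a bucket with Object Lock (and therefore versioning) enabled.
    On Amazon S3 this flag can only be set at creation time, which is why an
    existing vault bucket has to be replaced and its data migrated."""
    params = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # S3 rejects a LocationConstraint for us-east-1
        params["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**params)
    if default_retention_days:
        # Bucket-wide default: every new version is locked without the
        # writer having to set retention on each PUT.
        s3.put_object_lock_configuration(
            Bucket=bucket,
            ObjectLockConfiguration={
                "ObjectLockEnabled": "Enabled",
                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE",
                                              "Days": default_retention_days}},
            },
        )
    return params


def put_locked_object(s3, bucket, key, body, retain_days, now=None):
    """Upload one object version with an explicit Compliance-mode lock.
    Returns (version_id, retain_until)."""
    now = now or datetime.now(timezone.utc)
    retain_until = now + timedelta(days=retain_days)
    resp = s3.put_object(
        Bucket=bucket, Key=key, Body=body,
        ObjectLockMode="COMPLIANCE",  # not GOVERNANCE: Compliance has no bypass
        ObjectLockRetainUntilDate=retain_until,
    )
    return resp["VersionId"], retain_until


def lock_status(s3, bucket, key, version_id):
    """Read back the retention S3 actually applied to this version."""
    r = s3.get_object_retention(Bucket=bucket, Key=key, VersionId=version_id)
    return r["Retention"]["Mode"], r["Retention"]["RetainUntilDate"]


def versioned_delete_is_refused(s3, bucket, key, version_id):
    """Try to permanently delete the locked version; return True if S3 refused.
    A delete WITHOUT VersionId only writes a delete marker and 'succeeds' while
    the locked version survives, so the check must target the version itself.
    botocore's ClientError carries the S3 error code in .response; the
    duck-typed lookup keeps this usable with a fake client too."""
    try:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id)
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "AccessDenied":
            return True
        raise
    return False


def demo(s3, bucket, region="eu-west-1"):
    """End-to-end run; returns a small report dict for the caller to check."""
    key = "comet/index/0001"  # placeholder object name
    create_locked_bucket(s3, bucket, region, default_retention_days=30)
    version_id, _ = put_locked_object(s3, bucket, key, b"idx", 30)
    mode, applied_until = lock_status(s3, bucket, key, version_id)
    return {
        "version_id": version_id,
        "mode": mode,
        "retain_until": applied_until,
        "delete_refused": versioned_delete_is_refused(s3, bucket, key, version_id),
    }


if __name__ == "__main__":
    # Live run against real S3-compatible storage; needs boto3 and credentials.
    import boto3  # imported here so the helpers stay importable without it
    print(demo(boto3.client("s3"), bucket=sys.argv[1]))
```

The two things most often got wrong in practice are both visible here: `ObjectLockEnabledForBucket` has to be passed on `create_bucket` rather than set later, and a test of the lock must delete by `VersionId`, because an unversioned delete merely adds a delete marker and looks like success.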
Comparison to Backblaze B2
Regular users of Comet may be aware of the existing "Hide files rather than deleting them" option for Backblaze B2. Backblaze B2 supports both a native API and an S3-compatible layer over that native API. Comet Backup integrates with the native API, so the new S3 Object Lock feature is not available for use with Backblaze B2. However, the existing "Hide files rather than deleting them" option can be used to provide comparable protection against ransomware.
Codesigning with Azure Key Vault
If you are customizing the branding of the Comet Backup desktop app, then we recommend obtaining a codesigning certificate. Having a codesigning certificate means that installing Comet Backup proceeds more smoothly through SmartScreen and antivirus warnings on Windows, and through Gatekeeper on macOS.
The Windows codesigning programme, "Authenticode", is currently in a period of disruption as new rules are put in place. Owing to the high number of incidents in which developer codesigning certificate files were leaked or lost, the CA/Browser Forum's new requirements, enforced from June 1st 2023, mean that newly issued codesigning certificates may no longer be stored as plain files on disk, but must instead be held in a Hardware Security Module ("HSM") or an equivalent isolated device. Comet has long supported Authenticode certificates either as certificate files ("PKCS #12", typically .pfx), or via plug-in HSM devices compatible with the "PKCS #11" standard.
There are two tiers of Authenticode available. The Extended Validation ("EV") service performs deeper business-level and legal checks of the target organization before issuing the certificate. The extra vetting comes at a higher purchase cost, but it also results in a higher initial reputation for the resulting codesigned .exe file. An EV certificate has always been required to be stored on an HSM.
However, it's common to install Comet Server on a cloud VM or VPS, where plugging in a USB dongle or smartcard is not physically possible. This difficulty also discouraged many MSPs from using the higher-quality Extended Validation service. With the impending phaseout of the file-based method for newly issued certificates, neither existing option is suitable for such installations, so another option had to be found.
Comet 23.3.0 adds support for codesigning using Azure Key Vault. This is Microsoft's cloud service for storing and using keys, secrets and certificates, including for Authenticode codesigning. There are various service and pricing tiers; in particular, it's possible to purchase HSM-backed key storage (a managed cloud HSM), which meets the new June 1st 2023 Authenticode requirements.
At the time of writing, we would recommend GlobalSign or TrustZone for issuing new Authenticode certificates. There is no carry-over reputation with Authenticode, so replacement certificates can be issued by any provider. These particular providers were prepared early for the new requirements and have a secure vetting process to prove your use of an HSM, such as an Azure Key Vault managed HSM, before issuing your certificate. The private key never leaves the managed cloud HSM, and Comet Server only uses an Azure application ID to perform the signing steps remotely; grant that application only the key permissions signing needs, so a leaked application credential can sign but never export the key.
Comet Server can perform Authenticode codesigning for Windows regardless of whether Comet Server is installed on a Windows or Linux host OS. This is achieved by using a cross-platform signing toolchain. To support the new Azure Key Vault feature, we replaced the bundled osslsigncode toolchain with jsign. Comet ships these third-party utilities as a courtesy, in compliance with their redistribution licenses.
For most existing users of codesigning with a PKCS#12 file-based certificate on disk, there will be no noticeable difference and Comet will continue to work without any configuration changes. However, some users may experience breaking changes:
- The new jsign program takes different parameters for hardware devices using the PKCS #11 standard, which could not be converted automatically. Users of hardware devices may need to revisit their settings.
- If Comet Server is installed on ARM64 Linux, the version of jsign distributed by Comet is not compatible with the musl C runtime generally used for static binary distribution. A glibc-based Linux distribution is now required to run the codesigning toolchain on ARM64 Linux. The issue does not apply to x86_64 Linux. We may be able to resolve this in a future version of Comet.
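For readers who want to see what "signing through Azure Key Vault with jsign" and the changed PKCS #11 parameters look like in practice, here is an added example of driving the jsign command line from a build script. It is not Comet Server's own configuration or code, which the page does not show. The option names (`--storetype AZUREKEYVAULT`, `--keystore` as the vault name, `--storepass` as a Key Vault access token, `--alias` as the certificate name, and `--storetype PKCS11` with a SunPKCS11 config file) are from jsign's own documentation; the vault name `contoso-codesign`, certificate name `authenticode-2023`, the timestamp server and the file names are placeholders. The access token is fetched with the Azure CLI, which must already be logged in.

```python
"""Drive jsign from a build script for the two key stores discussed above:
an Azure Key Vault certificate (the key never leaves the HSM) and a local
PKCS#11 device.  Added example; not Comet Server's internal wiring."""
import shutil
import subprocess
from typing import List

JSIGN = "jsign"                            # or full path to the jsign launcher
TSA_URL = "http://timestamp.sectigo.com"   # placeholder: any RFC 3161 TSA


def azure_access_token() -> str:
    """Short-lived bearer token for the Key Vault data plane, from the Azure
    CLI.  jsign passes it as the 'store password'; the signing key itself is
    never downloaded, only used remotely for the sign operation."""
    out = subprocess.run(
        ["az", "account", "get-access-token",
         "--resource", "https://vault.azure.net",
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def jsign_azure_argv(vault_name: str, cert_name: str, token: str,
                     exe: str, app_name: str) -> List[str]:
    """jsign invocation for an Azure Key Vault certificate: --keystore is the
    vault name and --alias the certificate name inside that vault."""
    return [JSIGN, "--storetype", "AZUREKEYVAULT",
            "--keystore", vault_name, "--storepass", token, "--alias", cert_name,
            "--alg", "SHA-256", "--tsaurl", TSA_URL, "--tsmode", "RFC3161",
            "--name", app_name, exe]


def jsign_pkcs11_argv(sunpkcs11_cfg: str, pin: str, alias: str,
                      exe: str, app_name: str) -> List[str]:
    """Same signature via a local token/HSM.  jsign takes a SunPKCS11 config
    file (a text file naming the vendor's PKCS#11 library, e.g.
    'name = etoken' / 'library = /usr/lib/libeToken.so') instead of
    osslsigncode's engine/module flags, which is why PKCS#11 settings do not
    carry over automatically."""
    return [JSIGN, "--storetype", "PKCS11",
            "--keystore", sunpkcs11_cfg, "--storepass", pin, "--alias", alias,
            "--alg", "SHA-256", "--tsaurl", TSA_URL, "--tsmode", "RFC3161",
            "--name", app_name, exe]


def redact(argv: List[str]) -> List[str]:
    """Log-safe copy of an argv: never write the token or PIN to build logs."""
    out = list(argv)
    for i, a in enumerate(out):
        if a == "--storepass" and i + 1 < len(out):
            out[i + 1] = "***"
    return out


def sign(argv: List[str]) -> int:
    """Run jsign; raises if it is missing or exits non-zero."""
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError(f"{argv[0]} not on PATH")
    print("running:", " ".join(redact(argv)))
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    argv = jsign_azure_argv("contoso-codesign", "authenticode-2023",
                            azure_access_token(),
                            "CometBackup-setup.exe", "Comet Backup")
    sign(argv)
```

Two points worth keeping in mind when adapting this: the token is a bearer credential for the vault for as long as it is valid, so keep it out of logs and shell history (hence `redact`), and the Azure identity used for signing should be granted only the `sign` key permission (plus `get` on the certificate) rather than export or management rights.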
For more information, see the full Authenticode codesigning documentation.
New web interface features
Looking beyond these headline features, there have been many more improvements to Comet this month, particularly in the Comet Server web interface.
It's now possible to select custom snapshots for deletion from the web restore dialog. This builds upon last month's feature to add this in the Comet Backup desktop app. To use this feature, enable "Advanced Options" from the top-right user menu, and then click the new Actions button in the Restore wizard dialog.
You can now see an online device's software version, OS platform, and IP address directly on the User Detail page in the Comet Server web interface. This was a minor feature request on our Feature Voting page. To view these new columns, click the "View" button to configure which columns are displayed. Your custom column selection is preserved for this browser throughout multiple page views, but your custom column selection will be reset when a new version of Comet Server is released.
If your Comet Server is configured to show software downloads to logged-out users, the login screen now offers four download options instead of three (Windows, macOS, and Linux), with a new Synology download button. This fixes a minor inconsistency in the web interface: the fourth platform is now shown in the same place as the other three.
There have been many cosmetic improvements to the Comet Server web interface too, including better spacing and padding when configuring an Office 365 Protected Item or a Windows System Backup Protected Item. We regularly make small improvements like this, but this month, we've also been working on a much more major cosmetic change for the Comet Server web interface. We will be able to share more information about that soon.