Mitigation Tool exe is not signed

We received an email about a security vulnerability in the Editor today (article here), and our team cannot update our current version of Unity at the moment. Following the instructions, we then tried to download the mitigation tool from this page, but the executable available there isn't signed (see screenshot below). Given that the instructions on that page tell us not to run the executable if it isn't signed, that seems like a mistake. I didn't know where I should report this, so I'm posting here. We're using Windows 10, on the most recent update.

 

That link is confusing as hell, I have updated to 2017.4.22 using Unity hub and pressed Check for updates but it says I'm on latest version. Does that mean I have a safe version?

 

Yeah, looks like that's the patched version for 2017 (it's number 5 in their list of patched versions).

 

Yes, but this text makes no sense.

"
If your version of the Unity Editor is one of the listed in the Patch Versions of the Vulnerabilities Detailssection above you can continue with the update installation as follows.

To install the update you can use the Unity Editor update checker available in the File menu Help -> Check for Updates."

Check for update does nothing since Im on the latest version (2017.4.22)

 

We are also seeing the tool as unsigned.

 

Thanks, Karl. I looked more closely at the file and it looks like you're right, I can see the signature, but Windows still thinks it is from an unknown publisher. Here are some screenshots of the properties. Hope they help!

 

@karl_jones The wording is still confusing in my opinion (at the time of writing this reply).

I still don't understand clearly, what do you mean by 'fix' here.

I suggest the following rephrasing/format:

"If you have the below listed versions, you need not take any further action on your part."
"If you have the below listed versions, you need to use the "check for updates" function from the Help menu in Unity or alternatively apply the mitigation tool"

I have 2018.3.0f2 version, and I didn't find it in the list above (which would have meant what?). I downloaded the beta version 2019.1.0b5 from the link on the front page, and not the page on which that list is listed (i.e. the securiy page). And I'm still not sure, if I need to do anything more on my part.

I personally find the naming scheme of Unity versions, very confusing. And the confusion today has caused even more clutter. That coupled with Unity's naming scheme for new features is also causing un-necessary confusion. Jargon, Jargon, Jargon, everywhere. And not to mention the 'invasive' analytics.

I might have to ditch Unity .. if this keeps up.

 

A little dissapointed in how this is being handled. The email from the Unity team at first glance looks like a phishing email: poor formatting, links that don't match the displayed text link. I didn't trust it until I started seeing things pop up on Reddit. Also would help to have more clear instructions on what specific version are affected and not affected. It's also not clear on if you have to download the patch, or can just upgrade through Unity Hub.

I understand the urgency but it only makes things worse when no one can understand how to fix it or if they are even affected.

 

I have multiple versions of Unity installed simultaneously, does this mitigation tool takes care of all of them? (I can't upgrade/patch)

 

From the FAQ:

 

Oh, missed that one. Thanks!