
Security Issue - Expired Publisher Certificate

Open isaiahdaviscom opened this issue 1 year ago • 8 comments

Certificate has lapsed and is showing 2017

isaiahdaviscom avatar Jan 08 '23 21:01 isaiahdaviscom

Are you talking about the code signing certificate for the EXE? If so, it's okay if the certificate expires, as that only applies to the time at which the EXE was signed (timestamp of signing was also 2017). If they were to update the EXE and sign it with the old certificate, that could be an issue, though. Probably good to bring up so if/when they release an update they'll know to update the code signing cert.

It looks like they haven't had a release since 2017, though, so I'm not sure what's going on. 😊

asheroto avatar Jun 06 '23 17:06 asheroto
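The point above, that an expired signing certificate does not invalidate a signature that was timestamped at signing time, can be checked on any Windows binary. The following PowerShell function is an added example for this thread, not code from the FileConverter project; the file path at the bottom is a placeholder and the assessment strings are this example's own wording.

```powershell
# Added example (not FileConverter's own code): inspect an Authenticode signature
# and report whether an expired signer certificate is still covered by a
# timestamp countersignature. Uses only Get-AuthenticodeSignature's own fields.
function Test-SigningTimestamp {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $now = Get-Date

    $r = [ordered]@{
        Path           = $Path
        Status         = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = $null
        SignerNotAfter = $null
        SignerExpired  = $false
        Timestamped    = ($null -ne $sig.TimeStamperCertificate)
        TimeStamper    = $null
        Assessment     = $null
    }

    if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
        $r.Assessment = 'File carries no Authenticode signature.'
        return [pscustomobject]$r
    }

    $r.Signer         = $sig.SignerCertificate.Subject
    $r.SignerNotAfter = $sig.SignerCertificate.NotAfter
    $r.SignerExpired  = $sig.SignerCertificate.NotAfter -lt $now
    if ($r.Timestamped) { $r.TimeStamper = $sig.TimeStamperCertificate.Subject }

    # Validity is judged at signing time when a trusted timestamp is present,
    # so an expired signer certificate alone is not a problem.
    if ($r.SignerExpired -and -not $r.Timestamped) {
        $r.Assessment = 'Signer cert expired and no timestamp: Windows will not trust this signature.'
    } elseif ($sig.Status -ne 'Valid') {
        $r.Assessment = "Signature problem: $($sig.StatusMessage)"
    } elseif ($r.SignerExpired) {
        $r.Assessment = 'Signer cert expired, but the signature is timestamped: still valid.'
    } elseif (-not $r.Timestamped) {
        $r.Assessment = 'Valid today, but untimestamped: it will fail once the signer cert expires.'
    } else {
        $r.Assessment = 'Valid and timestamped.'
    }
    return [pscustomobject]$r
}

# Placeholder path; point it at the installer you want to inspect.
Test-SigningTimestamp -Path 'C:\path\to\FileConverter-setup.exe' | Format-List
```

If a new release is re-signed with the old, now-expired certificate and no timestamp, the first branch is the one that fires; that is the failure mode the comment above warns about.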

This is one of the reasons why there has been no release since 2017, even though there are still some fixes on the repo. I'm planning to get another certificate this year.

Tichau avatar Jan 19 '24 18:01 Tichau

Sounds good, thank you! FYI, my company has partnerships with Sectigo and DigiCert and can get them at a discount depending on how many years and the type of certificate. No pressure at all, but if interested let me know. Generally can save $50+ per year depending. It's still issued from those companies.

asheroto avatar Jan 23 '24 21:01 asheroto

Thanks a lot, last time I bought it from this company, which makes a special offer for open source developers. It seems their prices are even lower than last time: https://shop.certum.eu/open-source-code-signing-code.html

Tichau avatar Jan 28 '24 17:01 Tichau

Oh wow! Ya can't beat 25! Thanks for sharing.

asheroto avatar Jan 28 '24 18:01 asheroto

Even with a newly acquired certificate, I still get a big red warning when I try to install the program (from SmartScreen). Does anyone know how to avoid these?

Tichau avatar Mar 07 '24 18:03 Tichau

So Microsoft SmartScreen is a reputation-based system to help protect against unknown or less-commonly downloaded programs. The way to resolve this for publishers is to either:

  1. Get an extended validation certificate (which is stupid expensive, even compared to a standard validation one)
  2. Report it to Microsoft SmartScreen as a false positive

Short answer: Report false positive SmartScreen info. Once more people download it, and once Microsoft classifies it as a false positive, the warning will go away. Home users, business users, or the software developer can report false positives.

This is common in software that has certain characteristics that mimic questionable software. In one of the programs I work on, it seems to be a common problem with new releases. But after reporting several new releases to Microsoft as false positives, now new releases are no longer classified with concern.

asheroto avatar Mar 07 '24 19:03 asheroto

Thank you for the knowledge, I'll report it as a false positive; if other people can do that, it'll be awesome. As soon as this warning is off, I'll activate auto-upgrade for everyone.

Tichau avatar Mar 08 '24 16:03 Tichau