nhm signing cert expired

[SheepReaper]

osslsigncode verify -CAfile /etc/ssl/certs/ca-certificates.crt -in ./nhm_windows_3.1.0.11.exe
Current PE checksum   : 03B786AA
Calculated PE checksum: 03B786AA

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA1
Current message digest    : 742006C446A9980EE556A1D507F523C91D14BBDD
Calculated message digest : 742006C446A9980EE556A1D507F523C91D14BBDD

Signer's certificate:
        Signer #0:
                Subject: /jurisdictionC=SI/businessCategory=Private Organization/serialNumber=6633994000/C=SI/L=MARIBOR/O=H-BIT, d.o.o./OU=SI28401280/CN=H-BIT, d.o.o.
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
                Serial : 0632554C6EEC69C3EFA44F842175E710
                Certificate expiration date:
                        notBefore : Jan  7 00:00:00 2021 GMT
                        notAfter : Feb  6 23:59:59 2024 GMT

Number of certificates: 5
        Signer #0:
                Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
                Serial : 0E9B188EF9D02DE7EFDB50E20840185A
                Certificate expiration date:
                        notBefore : Aug  1 00:00:00 2022 GMT
                        notAfter : Nov  9 23:59:59 2031 GMT
        ------------------
        Signer #1:
                Subject: /jurisdictionC=SI/businessCategory=Private Organization/serialNumber=6633994000/C=SI/L=MARIBOR/O=H-BIT, d.o.o./OU=SI28401280/CN=H-BIT, d.o.o.
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
                Serial : 0632554C6EEC69C3EFA44F842175E710
                Certificate expiration date:
                        notBefore : Jan  7 00:00:00 2021 GMT
                        notAfter : Feb  6 23:59:59 2024 GMT
        ------------------
        Signer #2:
                Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
                Serial : 073637B724547CD847ACFD28662A5E5B
                Certificate expiration date:
                        notBefore : Mar 23 00:00:00 2022 GMT
                        notAfter : Mar 22 23:59:59 2037 GMT
        ------------------
        Signer #3:
                Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Serial : 03F1B4E15F3A82F1149678B3D7D8475C
                Certificate expiration date:
                        notBefore : Apr 18 12:00:00 2012 GMT
                        notAfter : Apr 18 12:00:00 2027 GMT
        ------------------
        Signer #4:
                Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2023
                Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Serial : 0544AFF3949D0839A6BFDB3F5FE56116
                Certificate expiration date:
                        notBefore : Jul 14 00:00:00 2023 GMT
                        notAfter : Oct 13 23:59:59 2034 GMT

Authenticated attributes:
        Message digest algorithm: SHA1
        Message digest: 0402492B093F975CC3A45C0884E7EF5998BA2265
        Signing time: N/A
        Microsoft Individual Code Signing purpose

The signature is timestamped: Mar  7 17:58:22 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
                Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Serial : 0544AFF3949D0839A6BFDB3F5FE56116

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /usr/lib/ssl/certs/ca-bundle.crt
CRL distribution point: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl

Error: no certificate found
Use the "-TSA-CAfile" option to add the Time-Stamp Authority certificates bundle to verify timestamp server.
806939BCF77F0000:error:1700006B:CMS routines:cms_get_enveloped_type:content type not enveloped data:../crypto/cms/cms_env.c:41:
806939BCF77F0000:error:80000002:system library:file_ctrl:No such file or directory:../crypto/bio/bss_file.c:297:calling fopen(/usr/lib/ssl/certs/ca-bundle.crt, r)
806939BCF77F0000:error:10080002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:300:
806939BCF77F0000:error:05880002:x509 certificate routines:X509_load_cert_file_ex:system lib:../crypto/x509/by_file.c:100:
Timestamp Server Signature verification: failed

PKCS7_verify error
806939BCF77F0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:293:Verify error: certificate has expired
Signature verification: failed

Number of verified signatures: 1
Failed

it would appear:

Signer's certificate:
        Signer #0:
                Subject: /jurisdictionC=SI/businessCategory=Private Organization/serialNumber=6633994000/C=SI/L=MARIBOR/O=H-BIT, d.o.o./OU=SI28401280/CN=H-BIT, d.o.o.
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
                Serial : 0632554C6EEC69C3EFA44F842175E710
                Certificate expiration date:
                        notBefore : Jan  7 00:00:00 2021 GMT
                        notAfter : Feb  6 23:59:59 2024 GMT

Means the cert is expired and why defender is grabbing it under PUA