Investigate skipping the step of adding Insecure.Com EV cert to Windows trust store in some cases #1822
Right now we sign Npcap release installers with our extended validation (EV) codesigning certificate, which we also use to sign the drivers. Since Insecure.Com (formal Nmap Project company name) is of course not trusted by Windows by default, it pops up a warning asking the user whether to trust it and install the software. Assuming the user asks to do this, we load the certs into the trust store before installing the driver to prevent this scary warning from happening again.

One downside we've seen is that users with certain monitoring apps create an alert when an already-expired cert is loaded into the trust store. It is still legitimate to do so since codesigning certs only need to be used for SIGNING during their validity dates. It's OK for software to check the signature later.

However, we might be able to remove the cert-loading step on Windows 10 since we now use Microsoft attestation-signing. Since we have a valid attestation-signature, users don't get the driver install warning anyway. Removing this step might also make the software install finish more quickly. We don't use attestation-signing for Windows 8 and older because those systems don't support it, so we might want to still keep the trust store load for those.