Investigate skipping the step of adding Insecure.Com EV cert to Windows trust store in some cases #1822

Open
fyodor opened this issue Nov 12, 2019 · 1 comment

@fyodor fyodor commented Nov 12, 2019

Right now we sign Npcap release installers with our extended validation (EV) codesigning certificate, which we also use to sign the drivers. Since the Insecure.Com (formal Nmap Project company name) is of course not trusted by Windows by default, it pops up a warning asking the user whether to trust it and install the software. Assuming the user asks to do this, we load the certs into the trust store before installing the driver to prevent this scary warning from happening again.

One downside we've seen is that users with certain monitoring apps create an alert when an already-expired cert is loaded into the trust store. It is still legitimate to do so since codesigning certs only need to be used for SIGNING during their validity dates. It's OK for software to check the signature later.

However, we might be able to remove the cert-loading step on Windows 10 since we now use Microsoft attestation-signing. Since we have a valid attestation-signature, users don't get the driver install warning anyway. Removing this step might also make the software install finish more quickly. We don't use attestation-signing for Windows 8 and older because those systems don't support it, so we might want to still keep the trust store load for those.


@desowin desowin commented Dec 4, 2019

> It is still legitimate to do so since codesigning certs only need to be used for SIGNING during their validity dates.

As long as you use a trusted timestamp server. If you forget to use a timestamping server, the signature will expire together with the certificate.
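
For triaging the expired-certificate alert described in this thread, the following added example (not part of the thread and not Npcap project code) reports whether a signed file's signer certificate has expired and whether the signature carries a timestamp countersignature. The function name `Get-SignatureExpiryReport` and the verdict strings are hypothetical; only `Get-AuthenticodeSignature` and its `SignerCertificate`, `TimeStamperCertificate` and `Status` properties are real.

```powershell
# Added example: classify Authenticode signatures by signer-cert expiry and timestamp presence.
# Function name and verdict strings are hypothetical, chosen for this illustration.
function Get-SignatureExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($file in $Path) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $file
            $signer = $sig.SignerCertificate
            $tsa    = $sig.TimeStamperCertificate   # $null when no timestamp was applied

            if ($null -eq $signer) {
                $verdict = 'NotSigned'
            }
            elseif ($signer.NotAfter -ge (Get-Date)) {
                $verdict = 'SignerCertStillValid'
            }
            elseif ($null -ne $tsa) {
                # Signer cert has expired, but signing time is attested by a
                # timestamp, so the signature can still be checked later.
                $verdict = 'ExpiredCertTimestamped'
            }
            else {
                # No timestamp: the signature expires together with the certificate.
                $verdict = 'ExpiredCertNoTimestamp'
            }

            [pscustomobject]@{
                Path            = $file
                Status          = $sig.Status   # Windows' own verdict (Valid, NotTrusted, ...)
                Signer          = if ($signer) { $signer.Subject }  else { $null }
                SignerNotAfter  = if ($signer) { $signer.NotAfter } else { $null }
                TimestampSigner = if ($tsa)    { $tsa.Subject }     else { $null }
                Verdict         = $verdict
            }
        }
    }
}

# Usage (placeholder path): Get-SignatureExpiryReport -Path 'C:\path\to\installer.exe'
```

The `Verdict` column only records whether a timestamp is present; `Status` remains the authoritative result of Windows' chain and timestamp validation.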
