\nto date. This, turns out, is not an easy feat and is full of
\ntricky details<\/a>.<\/p>\n
Code signing certificates are one such tricky detail, here we explain how
\nwe take care of them, and how an upcoming change might affect you.<\/p>\n
- \n
- What is a Code Signing Certificate?<\/a><\/li>\n
- How this might affect you<\/a>\n
- \n
- Authenticode and SmartScreen<\/a><\/li>\n
- Why is this important?<\/a><\/li>\n<\/ul>\n<\/li>\n
- Our mitigations and short-term plan<\/a><\/li>\n
- How you could help<\/a><\/li>\n
- Conclusion<\/a><\/li>\n<\/ul>\n<\/div>\n
What is a Code Signing Certificate?<\/h2>\n
\n
Note:<\/strong>
\nIf you are familiar with the concept, feel free to skip this section, and head
\nto How this might affect you<\/a>.<\/p>\nThe goal here is to introduce the topic in an accessible fashion.<\/p>\n<\/blockquote>\n
Microsoft and other vendors use Code Signing Certificates to ensure
\nauthenticity<\/strong> and integrity<\/strong> of the software you use.
\nThat is, this helps ensure that you are using software from Publishers you
\ntrust<\/strong> and that such software has not been modified before reaching you.<\/p>\nBut what are these Certificates really? Well, the way they work is that a
\nSoftware Publisher<\/strong> like Camilion<\/a> applies for a
\nCode Signing Certificate to a Certification Authority (CA<\/strong> for short);
\nthis process has a cost and the CA performs several checks on the company and
\nthe people people behind it.<\/p>\nWhen the Certification Authority (CA<\/strong>) approves the application, they issue
\nthe Code Signing Certificate,
\nwhich is composed of a public part and a private part which must be kept secret
\nat all costs.<\/p>\nSuch a certificate<\/a> might look like this on your computer:<\/p>\n
![\"Camilion](\"https:\/\/camilion.eu\/wp-content\/uploads\/2024\/02\/camilion2022cert.png\" "\\"\\"")
<\/p>\nNote that
Issued to<\/code> contains the name of our legal entity (we are anS.L.<\/code>, which is a Society with Limited Liability based in Barcelona) andIssued by<\/code> contains the name of a Code Signing Certification Authority<\/strong>.<\/p>\nThis is used by Windows and other software to establish a so-called Chain of
\nTrust<\/strong> (try it yourself<\/a>!):<\/p>\n![\"Camilion](\"https:\/\/camilion.eu\/wp-content\/uploads\/2024\/02\/camilion2022chain-1.png\" "\\"\\"")
<\/p>\nThat is, Windows trusts the top-most certificate (also called a Root CA) and,
\neach certificate signs (or trusts<\/em>) the next certificate down the chain,
\nuntil we reach ours.
\nIf such a Chain of Trust can be established, the “Certificate is OK<\/strong>” and will
\nbe trusted.<\/p>\nShould a publisher misuse their certificate, it will end up being revoked and
\nthey will have issues getting a new one in the future.<\/p>\nHow this might affect you<\/h2>\n
So far so good, we have our own, valid Code Signing Certificates<\/a>
\nthat are trusted by Windows.<\/p>\nAuthenticode and SmartScreen<\/h3>\n
At least in theory!
\nIn the case of Microsoft and, particularly Windows and Office products, on top
\nof the Chain of Trust there are a couple opaque systems called
\nAuthenticode<\/strong> and SmartScreen<\/strong>.<\/p>\nThey assign reputation<\/em> to a Certificate and\/or a Publisher and it is quite
\nunclear how this reputation is managed.<\/p>\nThe general consensus amongst publishers is that there is some magic usage count
\nand time period, after which these Microsoft-specific systems start trusting a
\nnew certificate.<\/p>\nWhy is this important?<\/h3>\n
The longest validity we can get for a Code Signing Certificate is 3 years<\/strong>,
\nwhich means changes are bound to happen.<\/p>\nFor example, our current Certificate<\/a> expires on March 11th 2022
\nand will not be valid after that.<\/p>\nWe already got a new Certificate<\/a>, but Authenticode and SmartScreen
\nmean that that a new Certificate will not immediately be trusted, but instead
\nits reputation<\/em> will be built up over time.<\/p>\n![\"Camilion](\"https:\/\/camilion.eu\/wp-content\/uploads\/2024\/02\/camilion2019cert.png\" "\\"\\"")
<\/p>\nOur mitigations and short-term plan<\/h2>\n
If you use our products already, our new certificate<\/a>, along with
\nthat of the intermediate Certification Authorities will be deployed in the next
\nfew days.
\nYou won’t have to do anything. Software like Autodesk\u00ae Revit\u00ae<\/strong> or
\nAutoCAD\u00ae<\/strong>, will trust<\/strong> our new certificate.<\/p>\nWe will be publishing a new version of our plugins signed by both our
\nold<\/a> and new certificates<\/a>, this will help establish
\nreputation on the new certificate and also it gives you an extra ease of mind
\nthat it is still us going forward.<\/p>\n![\"Double](\"https:\/\/camilion.eu\/wp-content\/uploads\/2024\/02\/doublesignature.png\" "\\"\\"")
<\/p>\nFor some of our software (notably: AttMan<\/a>), double signatures are
\nnot an option due to a limitation in the way their publishing works.<\/p>\nBut worry not, we are publishing a new version for all our software where we
\nmake sure that a Timestamp Server is used.
\nUsing a Timestamp Server ensures that at the time of the signature, the
\ncertificate was still valid.<\/p>\nThis means two things:<\/p>\n
- \n
- Software like AttMan<\/a> can still be used after March 11th 2022 because
\n the Timestamp makes the signature valid, even after the certificate expires.<\/li>\n- We will not be able to update Software like AttMan<\/a> until our new
\n certificate has enough reputation<\/em>.<\/li>\n<\/ul>\nHow you could help<\/h2>\n
We are publishing our installer in two flavours:<\/p>\n
- \n
- Doubly signed<\/a>, with the old<\/a> and the new certificate<\/a><\/li>\n
- Singly signed<\/a>, only with the new certificate<\/a><\/li>\n<\/ul>\n
They are exactly the same, except for the signatures.
\nBy downloading and executing the installer that is only signed with the new
\ncertificate here<\/a>, and telling SmartScreen that it is
\ntrustworthy (see also this post<\/a>) the time necessary to establish
\nreputation<\/em> for the new certificate will be shorter.<\/p>\nTrying to avoid any kind of issues for you, we contacted Microsoft.
\nIf you want, you can read their reply:<\/p>\n\n\n\u00abThe warning you experienced indicates that neither the application nor the signing certificate had established reputation with Microsoft Defender SmartScreen services at the time. We can confirm that setup-newcert.exe is clean and since it has an established reputation while attempting to download or run the application it should no longer show any warnings. The signing certificate (ea97faaed47eefd53989bcf692d1286b5a786302) is still in the process of establishing reputation. Once it does, all applications that are signed with that certificate should have a warn-free experience from the start. Thank you for contacting Microsoft.\u00bb\n<\/p><\/blockquote>\n<\/details>\n
Conclusion<\/h2>\n
We have been planning this migration for months now and hope it will affect you
\nas little as possible.<\/p>\nAs you can see it is not an easy topic and certainly not one you want to take
\ncare of, so why don’t you let us do that for you?<\/p>\nGet in touch with us and let us discuss your workflow automation, integrations
\nor customisations; we are here to help!<\/p>\n","protected":false},"excerpt":{"rendered":"There are many things that you get not to worry about when using our products
\nas opposed to rolling out your own.<\/p>\n - Singly signed<\/a>, only with the new certificate<\/a><\/li>\n<\/ul>\n
- We will not be able to update Software like AttMan<\/a> until our new
- Why is this important?<\/a><\/li>\n<\/ul>\n<\/li>\n
- How this might affect you<\/a>\n