How to avoid Unknown publisher message with EV code signing certificate with electron app

Lou Chancrin 1 Reputation point

My company bought an EV code signing certificate from Sectigo to sign our applications so that users won't have a warning popup from Windows defender.

We are doing desktop applications with electron with a backend in python using FastAPI but when we launch the application for the first time we have a security alert saying that the backend has been blocked on private and public networks. I tried to contact our certificate provider but they were unable to help me.

Simply put, my problem is that I manage to sign my application (when I look at properties I can see the digital signature), I sign the backend then package the application and sign the packaged application but I still have a security error blocking my backend and the publisher is Unknown in the error message.

I sign my application/backend with the command : signtool sign /sha1 certificate_thumbprint /tr /td sha256 /fd sha256 /n "company_name" "C:\path\to\fileToSign.exe"

Is there something I am doing wrong ?

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,221 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,698 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Limitless Technology 39,196 Reputation points

    Hello @Lou Chancrin

    It seems from your command that your certificate is SHA-1, but Microsoft adopted only SHA-2 since May 2021:

    I would suggest talking to your certificate provider, in many cases the provider may reissue the certificate to meet the current requirements.

    Hope this helps with your query,

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. Lou Chancrin 1 Reputation point

    Hi @Limitless Technology ,

    I've been contacting my certificate provider and they confirmed that it was a SHA-2 certificate.

    Can the issue be caused by electron since I am signing my applications with signtool (as recommended by the certificate provider) and not electron-forge ?

    0 comments No comments