How to avoid Unknown publisher message with EV code signing certificate with electron app

Lou Chancrin 1 Reputation point
2021-11-29T11:59:57.56+00:00

My company bought an EV code signing certificate from Sectigo to sign our applications so that users won't have a warning popup from Windows defender.

We are doing desktop applications with electron with a backend in python using FastAPI but when we launch the application for the first time we have a security alert saying that the backend has been blocked on private and public networks. I tried to contact our certificate provider but they were unable to help me.

Simply put, my problem is that I manage to sign my application (when I look at properties I can see the digital signature), I sign the backend then package the application and sign the packaged application but I still have a security error blocking my backend and the publisher is Unknown in the error message.

I sign my application/backend with the command : signtool sign /sha1 certificate_thumbprint /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "company_name" "C:\path\to\fileToSign.exe"

Is there something I am doing wrong ?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,145 questions
Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
6,029 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Limitless Technology 37,351 Reputation points
    2021-11-29T20:33:44.537+00:00

    Hello @Lou Chancrin

    It seems from your command that your certificate is SHA-1, but Microsoft adopted only SHA-2 since May 2021:https://techcommunity.microsoft.com/t5/windows-it-pro-blog/microsoft-to-use-sha-2-exclusively-starting-may-9-2021/ba-p/2261924

    I would suggest talking to your certificate provider, in many cases the provider may reissue the certificate to meet the current requirements.

    Hope this helps with your query,

    -------
    --If the reply is helpful, please Upvote and Accept as answer--

    No comments

  2. Lou Chancrin 1 Reputation point
    2021-12-09T12:23:20.997+00:00

    Hi @Limitless Technology ,

    I've been contacting my certificate provider and they confirmed that it was a SHA-2 certificate.

    Can the issue be caused by electron since I am signing my applications with signtool (as recommended by the certificate provider) and not electron-forge ?

    No comments