How to avoid Unknown publisher message with EV code signing certificate with electron app

Question

My company bought an EV code signing certificate from Sectigo to sign our applications so that users won't have a warning popup from Windows defender.

We are doing desktop applications with electron with a backend in python using FastAPI but when we launch the application for the first time we have a security alert saying that the backend has been blocked on private and public networks. I tried to contact our certificate provider but they were unable to help me.

Simply put, my problem is that I manage to sign my application (when I look at properties I can see the digital signature), I sign the backend then package the application and sign the packaged application but I still have a security error blocking my backend and the publisher is Unknown in the error message.

I sign my application/backend with the command : signtool sign /sha1 certificate_thumbprint /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "company_name" "C:\path\to\fileToSign.exe"

Is there something I am doing wrong ?

Answer 1

Hello @Lou Chancrin

It seems from your command that your certificate is SHA-1, but Microsoft adopted only SHA-2 since May 2021:https://techcommunity.microsoft.com/t5/windows-it-pro-blog/microsoft-to-use-sha-2-exclusively-starting-may-9-2021/ba-p/2261924

I would suggest talking to your certificate provider, in many cases the provider may reissue the certificate to meet the current requirements.

Hope this helps with your query,

-------
--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

Hi @Limitless Technology ,

I've been contacting my certificate provider and they confirmed that it was a SHA-2 certificate.

Can the issue be caused by electron since I am signing my applications with signtool (as recommended by the certificate provider) and not electron-forge ?