IdenTrust is selling EV code signing certificates that are being blocked by Edge/Smartscreen. Is IdenTrust legit?

Jeff Lill 16 Reputation points
2022-07-01T17:31:26.643+00:00

I purchased an EV code signing certificate from IdenTrust a couple months ago and code I've signed with this is being blocked by Microsoft Edge and Smartscreen.

I've submitted my file to the Microsoft malware scanner to verify that I'm not being blocked due to some fault with my file. The scan passed without a problem:

https://www.microsoft.com/en-us/wdsi/filesubmission

I see that another company reported the same problem back in Feb 2022 and the indication was that IdenTrust's TrustID CA 4 certificate is not valid and thus code files signed with this certificate will not be recognized as an EV certificate recognized by Microsoft. Crypt32 (a MSFT MVP) says that "it seems the problem is with the issuer of your EV signing certificate (not with your signature or tool)":

https://learn.microsoft.com/en-us/answers/questions/740378/defender-smart-screen-blocking-valid-ev-code-certi.html
https://learn.microsoft.com/en-us/answers/questions/799594/identrust-ev-certificate-roots-not-loaded-by-micro.html

IdenTrust is still selling EV certificates, apparently without these being trusted by Microsoft which seems super sketchy, and potentially fraudulent (especially for a company whose whole purpose is trust).

I've addressed this with IdenTrust customer support and they've acknowledged that Microsoft does not recognize their code signing certificate authority and that they have no idea if or when this might happen. Even after stating this, they are refusing to issue a refund due to a "strict refund policy".

To summarize: an EV Code Signing Certificate purchased from IdenTrust today or perhaps from several months ago is probably no better on Microsoft platforms than a self-signed certificate I could create myself for free.

I have a few specific questions:

  1. Is IdenTrust actually recognized by Microsoft as an EV Code Signing Certificate provider?
  2. Is the IdenTrust TrustID EV CA 4 or any other IdenTrust code signing certificate currently recognized by Microsoft Edge, Smartscreen or any other MSFT screening technologies?
  3. Does Microsoft condone companies or people selling EV Code Signing Certificates that are not recognized by Microsoft technologies?

I see that Microsoft is indicating that IdenTrust is a root SSL CA here:

https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT
https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-worldwide

...and Microsoft is also indicating that IdenTrust is a valid certificate authority for code signing here:

https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage

Given that IdenTrust appears to be currently selling code signing certificates that are not actually trusted by Microsoft, I recommend that Microsoft remove these references to IdenTrust from their website and open an investigation into this behavior, if an investigation isn't already in progress.

As we all know, computer security is extremely important these days and having a presumably key player selling a trust related product that they know doesn't work is not very trust inspiring.

--Jeff
