[Solved] Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Mon Oct 14, 2024 7:15 pm
by azizmoalim
Hello,
Windows Defender/SmartScreen services detect an invalid code signing certificate on both the installer and portable version. Warning received on Windows 11 24H2, Windows Server 2019 & 2022.
Can you please update the code signing certificate for the 2.5.1 download as well as including hash values on the download page? I checked our previous Unimus installers and all had valid certificates.
Unimus 2.5.1 Installer.exe
SHA256: 419B09666BD62A8AC68891871E1E4422BA76AD3EB38810AD8B48302372F6E842
Screenshots attached.
Thanks!
Re: Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Fri Oct 18, 2024 7:09 pm
by azizmoalim
The 2.5.1 installer still contains an invalid certificate and Windows Smart Screen still does not recognize it as legitimate.
Support Case: 5168-839-932-54
Re: Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Mon Nov 04, 2024 10:43 pm
by Tomas
azizmoalim wrote: ↑Mon Oct 14, 2024 7:15 pm
...
Can you please update the code signing certificate for the 2.5.1 download as well as including hash values on the download page? I checked our previous Unimus installers and all had valid certificates.
...
Thanks!
Hi. First of all apologies you ran into this issue, and for the late reply. I was at a conference and traveling for the last week and a half, only now catching up to this - the code-sign certificate is my responsibility, so this was waiting on my availability.
I have started the code-sign cert renew process. This will take a bit of time, as the extended validation process that code-sign certificates require usually takes at least a week. We will rebuild 2.5.1 with the new code-sign cert as soon as it's issued to us.
A few additional notes:
- We do publish hashes, latest hashes are always available at https://security.netcore.software/
- We actually validate each build if it's properly signed as a part of our CICD / build process. It's very strange why this was not caught on our end, I will check into our build process and automation as to why the builds were reported as successful and without issues.
- We will also look into a 2nd system that will independently validate the state of our code-signing cert (on top of the build process check), and notify us if it's expiring.
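The checks discussed in the posts above (published hash, signature validation in the build, and an independent expiry warning), as an added example that is not part of the original thread and not Unimus's own build code. `Test-ReleaseSignature`, its parameters and the 45-day warning window are hypothetical; the cmdlets are the standard `Get-FileHash` and `Get-AuthenticodeSignature`.

```powershell
# Added example. Test-ReleaseSignature and its parameters are hypothetical names.
function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # from the published hash list
        [int] $WarnDays = 45                              # assumed renewal lead time
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    # 1. The file must be byte-identical to the published build.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {   # -ne on strings ignores case
        $problems.Add("SHA256 mismatch: computed $actual")
    }

    # 2. Fail closed: any status other than Valid (NotSigned, HashMismatch,
    #    NotTrusted, UnknownError, ...) blocks the release.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        $problems.Add("Signature status $($sig.Status): $($sig.StatusMessage)")
    }

    # 3. Certificate lifetime, checked independently of the signature status.
    #    An expired certificate is treated as a blocker because this gates a new build.
    $cert = $sig.SignerCertificate
    $daysLeft = $null
    if ($cert) {
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        if ($daysLeft -lt 0) { $problems.Add("Signing certificate expired on $($cert.NotAfter.ToString('u'))") }
        elseif ($daysLeft -lt $WarnDays) { $warnings.Add("Signing certificate expires in $daysLeft days") }
    }

    # 4. Without a timestamp countersignature the signature stops validating
    #    once the certificate expires, even if it was valid at signing time.
    if ($cert -and -not $sig.TimeStamperCertificate) {
        $problems.Add('Signature carries no timestamp')
    }

    [pscustomobject]@{
        Path = $Path; Sha256 = $actual; Status = $sig.Status
        Signer = if ($cert) { $cert.Subject } else { $null }
        DaysLeft = $daysLeft; Problems = $problems; Warnings = $warnings
        Passed = ($problems.Count -eq 0)
    }
}
# Usage (constructed path, placeholder hash):
# $r = Test-ReleaseSignature -Path .\dist\Installer.exe -ExpectedSha256 '<published SHA256>'
# if (-not $r.Passed) { $r.Problems | Write-Error; exit 1 }
```

This checks Authenticode validity only; SmartScreen's verdict is a separate reputation decision that this check does not see.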
Re: Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Thu Nov 14, 2024 9:39 pm
by azizmoalim
Tomas wrote: ↑Mon Nov 04, 2024 10:43 pm
azizmoalim wrote: ↑Mon Oct 14, 2024 7:15 pm
...
Can you please update the code signing certificate for the 2.5.1 download as well as including hash values on the download page? I checked our previous Unimus installers and all had valid certificates.
...
Thanks!
Hi. First of all apologies you ran into this issue, and for the late reply. I was at a conference and traveling for the last week and a half, only now catching up to this - the code-sign certificate is my responsibility, so this was waiting on my availability.
I have started the code-sign cert renew process. This will take a bit of time, as the extended validation process that code-sign certificates require usually takes at least a week. We will rebuild 2.5.1 with the new code-sign cert as soon as it's issued to us.
A few additional notes:
- We do publish hashes, latest hashes are always available at https://security.netcore.software/
- We actually validate each build if it's properly signed as a part of our CICD / build process. It's very strange why this was not caught on our end, I will check into our build process and automation as to why the builds were reported as successful and without issues.
- We will also look into a 2nd system that will independently validate the state of our code-signing cert (on top of the build process check), and notify us if it's expiring.
Thank you, Tomas! Will 2.5.1 be republished soon?
Re: Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Thu Nov 14, 2024 10:07 pm
by Tomas
azizmoalim wrote: ↑Thu Nov 14, 2024 9:39 pm
Thank you, Tomas! Will 2.5.1 be republished soon?
We are still waiting for the code signing certificate to be released to us. Code sign certs require EV (extended validation), and our issuer (I don't want to name names publicly, but you can figure it out looking at the cert) are taking their time.
We have submitted all the documents for the EV process, so not much we can do other than wait.
This is also blocking 2.6.0-Beta release (we have it ready to build), so we are also waiting eagerly for this.
Re: [Solved] Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Wed Dec 18, 2024 9:12 pm
by Tomas
Just an update - we finally solved the code-signing issues, and 2.6.0 was just released (viewtopic.php?f=3&t=1950) and is properly signed. We also found why our validation checks were failing, and fixed those to properly detect and prevent this in the future.
We will also re-release 2.5.1 with a proper signature so the release history binaries work properly.
Re: [Solved] Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Fri Dec 20, 2024 1:22 am
by azizmoalim
Tomas wrote: ↑Wed Dec 18, 2024 9:12 pm
Just an update - we finally solved the code-signing issues, and 2.6.0 was just released (viewtopic.php?f=3&t=1950) and is properly signed. We also found why our validation checks were failing, and fixed those to properly detect and prevent this in the future.
We will also re-release 2.5.1 with a proper signature so the release history binaries work properly.
Hey Tomas,
It seems Microsoft Defender SmartScreen Services does not trust the EV certificate used and provides a warning. The code signing certificate itself is valid, but I did not bother verifying if it was an actual EV certificate or not.
Screenshots attached.
Re: [Solved] Issue with Unimus 2.5.1 Code Signing Certificate
Posted: Fri Dec 20, 2024 1:28 am
by Tomas
azizmoalim wrote: ↑Fri Dec 20, 2024 1:22 am
It seems Microsoft Defender SmartScreen Services does not trust the EV certificate used and provides a warning. The code signing certificate itself is valid, but I did not bother verifying if it was an actual EV certificate or not.
Very interesting. Perhaps this is because this is a new certificate and this was the first binary signed by it. I would speculate it will take a bit for Defender to learn to trust it.
Will monitor the situation.