[Solved] Issue with Unimus 2.5.1 Code Signing Certificate

Unimus support forum
azizmoalim
Posts: 6
Joined: Sat Jul 08, 2023 3:03 am

Mon Oct 14, 2024 7:15 pm

Hello,

Windows Defender / SmartScreen detects an invalid code signing certificate on both the installer and the portable version. Warning received on Windows 11 24H2, Windows Server 2019 & 2022.

Can you please update the code signing certificate for the 2.5.1 download, as well as include hash values on the download page? I checked our previous Unimus installers and all had valid certificates.

Unimus 2.5.1 Installer.exe

SHA256: 419B09666BD62A8AC68891871E1E4422BA76AD3EB38810AD8B48302372F6E842

Screenshots attached.

Thanks!
Attachments
Unimus 2.5.1-Defender.png
Unimus 2.5.1-Code-Signing.png
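For anyone verifying a download like the one above, here is an added PowerShell example (not from the original post, and not Unimus/NetCore tooling) that checks the file's SHA256 against the value quoted in the post and then inspects the Authenticode signature. The file path is an assumption; the expected hash is the one posted.

```powershell
# Added example, not from the original post or from Unimus/NetCore.
# Verify a downloaded installer before running it: integrity (hash) and authenticity (signature).
$Installer    = 'C:\Downloads\Unimus 2.5.1 Installer.exe'   # assumed path
$ExpectedHash = '419B09666BD62A8AC68891871E1E4422BA76AD3EB38810AD8B48302372F6E842'  # value from the post

# 1. Integrity: does the file match the hash the vendor published?
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    throw "SHA256 mismatch: got $actual, expected $ExpectedHash"
}
"SHA256 OK: $actual"

# 2. Authenticity: is the Authenticode signature present, intact and chained to a trusted root?
$sig  = Get-AuthenticodeSignature -FilePath $Installer
$cert = $sig.SignerCertificate
"Status      : $($sig.Status)"           # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
"Message     : $($sig.StatusMessage)"
if ($cert) {
    "Signer      : $($cert.Subject)"
    "Issuer      : $($cert.Issuer)"
    "Cert valid  : $($cert.NotBefore) to $($cert.NotAfter)"
    "Thumbprint  : $($cert.Thumbprint)"
}
# A timestamp lets the signature stay valid after the signing cert itself expires.
"Timestamped : $($null -ne $sig.TimeStamperCertificate)"

if ($sig.Status -ne 'Valid') {
    throw "Signature not valid: $($sig.Status) - $($sig.StatusMessage)"
}
```

A matching hash proves the file is the one the vendor published, which protects against a corrupted or swapped download but not against a publishing channel where the hash was changed along with the binary. The signature check is what binds the file to the vendor's identity; Status Valid means the chain built to a root the local machine trusts, and says nothing about whether SmartScreen has built reputation for that signer.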
azizmoalim
Posts: 6
Joined: Sat Jul 08, 2023 3:03 am

Fri Oct 18, 2024 7:09 pm

The 2.5.1 installer still contains an invalid certificate and Windows Smart Screen still does not recognize it as legitimate.

Support Case: 5168-839-932-54
Tomas
Posts: 1308
Joined: Sat Jun 25, 2016 12:33 pm

Mon Nov 04, 2024 10:43 pm

azizmoalim wrote:
Mon Oct 14, 2024 7:15 pm
...
Can you please update the code signing certificate for the 2.5.1 download as well as including hash values on the download page? I checked our previous Unimus installers and all had valid certificates.
...
Thanks!
Hi. First of all apologies you ran into this issue, and for the late reply. I was at a conference and traveling for the last week and a half, only now catching up to this - the code-sign certificate is my responsibility, so this was waiting on my availability.

I have started the code-sign cert renew process. This will take a bit of time, as the extended validation process that code-sign certificates require usually takes at least a week. We will rebuild 2.5.1 with the new code-sign cert as soon as it's issued to us.

A few additional notes:
- We do publish hashes, latest hashes are always available at https://security.netcore.software/
- We actually validate whether each build is properly signed as a part of our CI/CD build process. It's very strange that this was not caught on our end; I will check our build process and automation to see why the builds were reported as successful and without issues.
- We will also look into a second system that will independently validate the state of our code-signing cert (on top of the build process check) and notify us if it's expiring.
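Tomas mentions a CI/CD check that each build is signed, plus a second system that watches the certificate for expiry. As an added example (not Unimus' own pipeline code), here is a PowerShell build gate that covers both in one step: it fails the job if the artifact's signature is not Valid, if the chain does not build for code signing with online revocation checking, if the signature carries no timestamp, or if the signing certificate expires within a threshold. The artifact path and the threshold are assumptions.

```powershell
# Added example, not Unimus' own build tooling. Post-build signing gate for a CI job.
param(
    [string]$Artifact = '.\build\Unimus 2.5.1 Installer.exe',   # assumed path to the built installer
    [int]$WarnDays    = 30                                       # assumed warning threshold in days
)
$ErrorActionPreference = 'Stop'
$problems = @()

$sig = Get-AuthenticodeSignature -FilePath $Artifact
if ($sig.Status -ne 'Valid') {
    $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if (-not $cert) {
    $problems += 'no signer certificate (artifact is unsigned)'
} else {
    # Build the chain ourselves: Get-AuthenticodeSignature does not say *why* a chain failed,
    # and by default does not tell us about revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null  # id-kp-codeSigning
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain build failed: $reasons"
    }

    # Expiry watch: Status stays Valid for a timestamped signature even after NotAfter,
    # so the only way to get advance notice is to compare NotAfter with the clock.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) {
        $problems += "signing cert expired on $($cert.NotAfter)"
    } elseif ($daysLeft -lt $WarnDays) {
        $problems += "signing cert expires in $daysLeft days ($($cert.NotAfter))"
    }
}

# Without an RFC 3161 timestamp the signature stops validating the moment the cert expires.
if (-not $sig.TimeStamperCertificate) {
    $problems += 'signature is not timestamped'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Output "SIGNCHECK FAIL: $_" }
    exit 1
}
Write-Output "SIGNCHECK OK: $($cert.Subject) valid until $($cert.NotAfter) ($daysLeft days left)"
exit 0
```

Two things are worth knowing when writing a gate like this. First, Status Valid depends on the trust store of the machine running the check, so a build host with a different root store can pass a binary that an end user's machine rejects. Second, a timestamped signature keeps validating after the certificate expires, so a gate that only looks at Status will never warn about an approaching expiry; the NotAfter comparison is what gives the early notice Tomas describes wanting from the second system.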
azizmoalim
Posts: 6
Joined: Sat Jul 08, 2023 3:03 am

Thu Nov 14, 2024 9:39 pm

Tomas wrote:
Mon Nov 04, 2024 10:43 pm
...
We will rebuild 2.5.1 with the new code-sign cert as soon as it's issued to us.
...


Thank you, Tomas! Will 2.5.1 be republished soon?
Tomas
Posts: 1308
Joined: Sat Jun 25, 2016 12:33 pm

Thu Nov 14, 2024 10:07 pm

azizmoalim wrote:
Thu Nov 14, 2024 9:39 pm
Thank you, Tomas! Will 2.5.1 be republished soon?
We are still waiting for the code signing certificate to be released to us. Code-sign certs require EV (extended validation), and our issuer (I don't want to name names publicly, but you can figure it out by looking at the cert) is taking its time.

We have submitted all the documents for the EV process, so not much we can do other than wait :( This is also blocking 2.6.0-Beta release (we have it ready to build), so we are also waiting eagerly for this.
Tomas
Posts: 1308
Joined: Sat Jun 25, 2016 12:33 pm

Wed Dec 18, 2024 9:12 pm

Just an update - we finally solved the code-signing issues, and 2.6.0 was just released (viewtopic.php?f=3&t=1950) and is properly signed. We also found why our validation checks were failing, and fixed those to properly detect and prevent this in the future.

We will also re-release 2.5.1 with a proper signature so the release history binaries work properly.
azizmoalim
Posts: 6
Joined: Sat Jul 08, 2023 3:03 am

Fri Dec 20, 2024 1:22 am

Tomas wrote:
Wed Dec 18, 2024 9:12 pm
Just an update - we finally solved the code-signing issues, and 2.6.0 was just released (viewtopic.php?f=3&t=1950) and is properly signed. We also found why our validation checks were failing, and fixed those to properly detect and prevent this in the future.

We will also re-release 2.5.1 with a proper signature so the release history binaries work properly.
Hey Tomas,

It seems Microsoft Defender SmartScreen does not trust the EV certificate used and shows a warning. The code signing certificate itself is valid, but I did not bother verifying whether it was an actual EV certificate or not.

Screenshots attached.
Attachments
microsoft-defender-smartscreen-warning.png
unblock-msi.png
Get-AuthenticodeSignature.png
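The post above raises two separate questions: whether the certificate is actually EV, and why SmartScreen still warns on a validly signed file. The following is an added PowerShell example (not from the post, not Unimus tooling) that reads the Certificate Policies extension of the signer certificate and looks for the CA/Browser Forum EV code-signing policy OID 2.23.140.1.3, then prints the Zone.Identifier stream (Mark of the Web) that is what makes SmartScreen evaluate a downloaded file on first run. The file path is an assumption.

```powershell
# Added example, not from the original post. Is the signer cert EV, and is the file marked as downloaded?
$File             = 'C:\Downloads\Unimus 2.6.0 Installer.exe'   # assumed path
$EvCodeSigningOid = '2.23.140.1.3'                               # CA/Browser Forum EV code-signing policy OID

$sig  = Get-AuthenticodeSignature -FilePath $File
$cert = $sig.SignerCertificate
if (-not $cert) { throw "$File is not signed" }

# The Certificate Policies extension (OID 2.5.29.32) carries the policy OIDs the CA asserted
# when issuing the cert; an EV code-signing cert lists 2.23.140.1.3 there.
$policiesExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$policyText  = if ($policiesExt) { $policiesExt.Format($true) } else { '' }
$isEv        = $policyText -match [regex]::Escape($EvCodeSigningOid)

"Signer    : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Status    : $($sig.Status)"
"EV policy : $isEv"
if ($policyText) { "Policies  :`n$policyText" }

# Mark of the Web: browsers write a Zone.Identifier alternate data stream on download.
# ZoneId=3 (Internet) is the flag SmartScreen and the "Unblock" checkbox act on.
$motw = Get-Content -Path $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    "MotW      : $($motw -join ' | ')"
} else {
    'MotW      : none (file was unblocked, or copied without its alternate data stream)'
}
```

SmartScreen's verdict is reputation-based and separate from signature validity, so a file with a valid signature can still get the warning, which is what the screenshots show. Unblock-File (or the Unblock checkbox in the file's properties) only removes the Zone.Identifier stream from that one copy; it is a per-file workaround on the receiving end, not something that changes the release itself.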
Tomas
Posts: 1308
Joined: Sat Jun 25, 2016 12:33 pm

Fri Dec 20, 2024 1:28 am

azizmoalim wrote:
Fri Dec 20, 2024 1:22 am

It seems Microsoft Defender SmartScreen Services does not trust the EV certificate used and provides a warning. The code signing certificate itself is valid, but I did not bother verifying if it was actual EV certificate or not.
Very interesting. Perhaps this is because this is a new certificate and this was the first binary signed by it. I would speculate it will take a bit for Defender to learn to trust it.

Will monitor the situation.