Question: Why cross-signing the user-cert ?

[powellnorma]

In the Readme it says:

The certificate that is left in the user store is cross-signed with the one that goes into the system store. This allows apps that don't trust user certificates to still accept AdGuard's certificate, while apps that do trust user certificates (like Chrome or other browsers) will construct a shorter validation path to the certificate stored in the user store.

But afaik not cross-signing the CA would work as well, because by definition a "trusted CA" is a "trusted root" (of a validation chain), or isn't it? Does it have any other advantages to do this cross signing? Thank you!

[sfionov]

@powellnorma We simply implemented the first scheme that worked without Zygisk.

Signing in different order (User CA -> System CA -> Leaf) might also work. But since module is very simple, we need to decide which of this two CAs is moved to system store. We decided to move the same cert which was touched in previous versions (Adguard Personal CA).

[powellnorma]

Ok, but what about this? System CA -> Leaf User CA -> Leaf

Or have you not tested this? I think it should work?

[sfionov]

"System CA" and "User CA" is required to be be different certs.

That needs to use two certificate caches, and info about which applications sees user certs, and which does not. That requires scanning of application manifests. A lot of unnecessary work should be done.

Two-cert scheme with intermediate cert installed into user store does not require it.