Tichau / FileConverter

File Converter is a very simple tool which allows you to convert and compress files using the context menu in windows explorer.
https://file-converter.io/
GNU General Public License v3.0

Security Issue - Expired Publisher Certificate #302

Open isaiahdaviscom opened 1 year ago

isaiahdaviscom commented 1 year ago

Certificate has lapsed and is showing 2017

asheroto commented 1 year ago

Are you talking about the code signing certificate for the EXE? If so, it's okay if the certificate expires, as that only applies to the time at which the EXE was signed (timestamp of signing was also 2017). If they were to update the EXE and sign it with the old certificate, that could be an issue, though. Probably good to bring up so if/when they release an update they'll know to update the code signing cert.

It looks like they haven't had a release since 2017, though, so I'm not sure what's going on. 😊
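Added example, not from this thread or the FileConverter project: a PowerShell check for the distinction asheroto draws above, using `Get-AuthenticodeSignature` to see whether an EXE's signer certificate has expired and whether the signature carries a timestamp countersignature (the path is an assumed placeholder).

```powershell
# Added example: distinguish "signer cert expired after a timestamped signing"
# (acceptable) from "expired and not timestamped / not valid" (needs re-signing).
# $ExePath is a placeholder; point it at the installer you want to inspect.
param(
    [string]$ExePath = 'C:\path\to\FileConverter-setup.exe'   # placeholder path
)

function Test-SignerCertificateAge {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate          # X509Certificate2 or $null
    $tsa    = $sig.TimeStamperCertificate     # present only if countersigned
    $now    = Get-Date

    $expired     = ($null -ne $signer) -and ($signer.NotAfter -lt $now)
    $timestamped = $null -ne $tsa

    # Windows evaluates a timestamped signature as of the signing time, so an
    # expired signer certificate is fine only together with a timestamp and a
    # Valid status; anything else should be re-signed with a current cert.
    if ($sig.Status -ne 'Valid') {
        $verdict = "signature not valid: $($sig.StatusMessage)"
    } elseif ($expired -and -not $timestamped) {
        $verdict = 'signer cert expired and no timestamp: re-sign with a current cert'
    } elseif ($expired) {
        $verdict = 'signer cert expired but signature is timestamped: OK'
    } else {
        $verdict = 'signer cert still within its validity period: OK'
    }

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status
        Signer         = if ($signer) { $signer.Subject } else { $null }
        SignerNotAfter = if ($signer) { $signer.NotAfter } else { $null }
        SignerExpired  = $expired
        Timestamped    = $timestamped
        Timestamper    = if ($tsa) { $tsa.Subject } else { $null }
        Verdict        = $verdict
    }
}

Test-SignerCertificateAge -Path $ExePath | Format-List
```

Run it against a downloaded release; a `Status` of `NotSigned` or `HashMismatch` is a stronger signal than any certificate date, since the binary then does not carry a verifiable publisher signature at all.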

Tichau commented 5 months ago

This is one of the reasons why there has been no release since 2017 even though there are still some fixes on the repo. I'm planning to get another certificate this year.

asheroto commented 5 months ago

Sounds good, thank you! FYI company has partnerships with Sectigo and DigiCert and can get them at a discount depending on how many years and the type of certificate. No pressure at all, but if interested let me know. Generally can save $50+ per year depending. It's still issued from those companies.

Tichau commented 5 months ago

Thanks a lot. Last time I bought it from this company, which makes a special offer for open source developers. It seems their prices are even lower than last time: https://shop.certum.eu/open-source-code-signing-code.html

asheroto commented 5 months ago

Oh wow! Ya can't beat 25! Thanks for sharing.

Tichau commented 4 months ago

Even with a newly acquired certificate, I still get a big red warning when I try to install the program (from SmartScreen). Does anyone know how not to have these?

asheroto commented 4 months ago

So Microsoft SmartScreen is a reputation-based system to help protect against unknown or less-commonly downloaded programs. The way to resolve this for publishers is to either:

  1. Get an extended validation certificate (which is stupid expensive, even compared to a standard validation one)
  2. Report it to Microsoft SmartScreen as a false positive

Short answer: Report false positive SmartScreen info. Once more people download it, and once Microsoft classifies it as a false positive, the warning will go away. Home users, business users, or the software developer can report false positives.

This is common in software that has certain characteristics that mimic questionable software. In one of the programs I work on, it seems to be a common problem with new releases. But after reporting several new releases to Microsoft as false positives, now new releases are no longer classified with concern.

Tichau commented 3 months ago

Thank you for the knowledge, I'll report it as a false positive; if other people can do that it'll be awesome. As soon as this warning is off I'll activate auto upgrade for everyone.