nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Investigate skipping the step of adding Insecure.Com EV cert to Windows trust store in some cases #39

Closed fyodor closed 4 years ago

fyodor commented 4 years ago

Right now we sign Npcap release installers with our extended validation (EV) code-signing certificate, which we also use to sign the drivers. Since Insecure.Com (the formal Nmap Project company name) is of course not trusted by Windows by default, it pops up a warning asking the user whether to trust it and install the software. Assuming the user agrees to do this, we load the certs into the trust store before installing the driver to prevent this scary warning from happening again. One downside we've seen is that users with certain monitoring apps get an alert when an already-expired cert is loaded into the trust store. It is still legitimate to do so, since code-signing certs only need to be used for SIGNING during their validity dates. It's OK for software to check the signature later. However, we might be able to remove the cert-loading step on Windows 10 since we now use Microsoft attestation signing. Since we have a valid attestation signature, users don't get the driver install warning anyway. Removing this step might also make the software install finish more quickly. We don't use attestation signing for Windows 8 and older because those systems don't support it, so we might want to still keep the trust store load for those.

desowin commented 4 years ago

> It is still legitimate to do so since code-signing certs only need to be used for SIGNING during their validity dates.

As long as you use a trusted timestamp server. If you forget to use a timestamping server, the signature will expire together with the certificate.

dmiller-nmap commented 4 years ago

The Npcap installer now only installs Insecure.Com code signing certs on systems where those certificates are used to sign the installed driver, i.e. Windows 7, 8, and 8.1. This change was made several releases ago.
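The points raised in this thread (is the installer's signature timestamped so it survives the cert's expiry, and did the installer put the signer's cert into a machine-wide trust store) can be checked on an installed system. The PowerShell below is an added example written for this page, not code from the Npcap project or from any of the commenters; the file path is hypothetical, and the choice of the `Root` and `TrustedPublisher` stores to inspect is an assumption about where a trust-store load would land, not a statement of what the Npcap installer does.

```powershell
# Added example, not part of the Npcap project. Inspects an Authenticode-signed
# file for the properties discussed in the thread: signer, validity window,
# timestamp countersignature, and whether the signer cert is in a trust store.
param(
    # Hypothetical path; point this at the installer or driver you want to check.
    [string]$Path = "$env:USERPROFILE\Downloads\npcap-installer.exe"
)

$sig = Get-AuthenticodeSignature -FilePath $Path

if ($null -eq $sig.SignerCertificate) {
    Write-Warning "$Path : $($sig.Status) - no Authenticode signature to inspect."
    return
}

[pscustomobject]@{
    File      = $Path
    Status    = $sig.Status                            # Valid, HashMismatch, NotSigned, ...
    Signer    = $sig.SignerCertificate.Subject
    NotBefore = $sig.SignerCertificate.NotBefore
    NotAfter  = $sig.SignerCertificate.NotAfter
    Timestamp = $sig.TimeStamperCertificate.Subject    # $null means no countersignature
} | Format-List

# desowin's caveat: without a trusted timestamp, the signature is only
# verifiable while the signing certificate is inside its validity period.
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp countersignature: signature validity is tied to the cert's NotAfter date."
}

# fyodor's concern: has the leaf signing cert been loaded into a machine-wide
# trust store? Which stores an installer would touch is an assumption here.
$thumb = $sig.SignerCertificate.Thumbprint
foreach ($store in 'Root', 'TrustedPublisher') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumb }
    if ($hit) { "Signer cert IS present in LocalMachine\$store" }
    else      { "Signer cert is not in LocalMachine\$store" }
}
```

Run it against both the installer and the installed driver file: on a Windows 10 system with an attestation-signed driver the two signers will differ, which is exactly why the thread concludes the trust-store load is only needed where the Insecure.Com certificate signs the driver itself.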