Code signing - build reputation by double signing?

AndrewR · April 16, 2019, 4:03am

Back when SHA-1 certificates were being phased out, you could double sign an executable using SHA-1 and SHA256 to maintain compatibility with Windows XP validation.

When I renewed my code signing certificate I bought an EV certificate to avoid the period where Windows pops up warnings because it is a new and unknown certificate.

I wondered whether it is possible to get a new certificate overlapping the old one, and maybe double sign the executable so by the time the first one expires the new one has some history? Or maybe distribute executables signed by the new certificate inside the installer signed by the old one?

3 year standard certificates overlapping by e.g.12 months would be a much better proposition than buying EV certificates.

Does anyone know whether this is feasible?

Rhino · April 16, 2019, 8:24am

The double signing thing was a specific case for XP - don’t overthink it.

The algo’s check to see if the certificate was valid for the date the exe was signed. So even if my certificate ran out on say 1st Jan 2019 if I’ve an .exe that was signed in July 2018 then it will still be valid today.

So you don’t need to overlap them.

AndrewR · April 16, 2019, 9:41am

It’s not the validity dates that are an issue, it is when you have a new certificate and Windows warns your users, even though the exe is signed. The certificate is no longer enough - you need to build a reputation with the new certificate.

To get around that you can pay the extra for an EV certificate, or perhaps somehow build the reputation of a new certificate before you use it for the primary signature.

rfctr · April 16, 2019, 3:40pm

This looks like the most straightforward way to solve it, no?

AndrewR · April 16, 2019, 11:08pm

Yes, but you pay a lot e.g. $210 for a regular 3 year code signing certificate, $750 for a 3 year EV certificate.

I had a 3 year regular certificate that worked fine, except for a short time at the start where it was popping up warnings. So it costs $500 just to avoid warnings from a new certificate.

But you’re right, reputation is important enough that it’s probably worth paying for.

PhilS · April 17, 2019, 7:30am

Reputation of a certificate? This is the first time I hear about it. I know there is “reputation” of particular downloaded files for sure, but not of certificates.
Have you got any sources on that topic? Or is it possible you mixed things up?

grujicd · April 17, 2019, 10:57am

Unfortunately, he didn’t mix it up. Windows will display warnings for a new certificate for some time. In my case it lasted maybe for a few days, probably depends on number of downloads as well. I was downloading like crazy from multiple machines/VMs in a hope to speed up that process

AndrewR · April 17, 2019, 12:29pm

Yes, the downloaded file builds a reputation for the certificate, which then passes the reputation on to new files signed with the same certificate. In that way new files (e.g. updates to your application) don’t need to build reputation individually.

When you get a new certificate, the reputation from your old downloads is not carried over so you get warnings, unless you buy an EV certificate.

More information here:

and here:

“As we’ve discussed in the past, SmartScreen builds reputation for both individual
programs and for the certificate used to sign that code. Code signing is important
to our reputation intelligence because this higher level identity allows us to build
reputation across multiple programs signed by a publisher. It is also important
for publishers because signed programs inherit the reputation of the certificate
with which they are signed; this means every program a publisher distributes doesn’t
need to build reputation individually.”

rfctr · April 17, 2019, 10:37pm

Here’s my thinking:

Either the warnings cost you sales, and then you can estimate the losses and decide if the cert worth it based on a hard number
Or the warnings cost you nothing, and then you shouldn’t worry about it