SmartScreen says that our app is untrusted with a SHA 2 certificate

    Question

  • Hello,

    Previously we had a SHA1 certificate and never had a problem with SmartScreen. Since 2016, due to Microsoft requirements, we reissued the certificate as SHA2, and we now sign the app with both SHA1 and SHA2 with timestamps, but Windows SmartScreen then started to report that our application is untrusted. How can we solve that problem and get through SmartScreen?

    Thanks for your help!


    Friday, January 29, 2016 3:38 PM

Answers

All replies

  • I would recommend that you examine your SHA1 and check to see if it is using the "must staple" extension.  Windows will not accept the "must staple" extension after 1/1/2016, which sounds like what you are encountering.

    Let me know if this answered the question by marking it as answered.  I will be happy to assist more if that is not the case.

    Hope this helps out.


    Sam Stokes

    Friday, January 29, 2016 8:11 PM
  • Hi Sam,

    Thank you for your reply! We suppose the SHA1 doesn't use the "must staple" extension. I have copied and pasted the info about our certificates; it would be great if you could check it!

    »»SHA1 Certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: ...
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
            Validity
                Not Before: Aug 19 00:00:00 2014 GMT
                Not After : Nov 17 23:59:59 2016 GMT
            Subject: C=RU, O=Open Media LLC, CN=Open Media LLC
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
              ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://sf.symcb.com/sf.crl
                X509v3 Certificate Policies:
                    Policy: 2.16.840.1.113733.1.7.23.3
                      CPS: https://d.symcb.com/cps
                      User Notice:
                        Explicit Text: https://d.symcb.com/rpa
                X509v3 Extended Key Usage:
                    Code Signing
                Authority Information Access:
                    OCSP - URI:http://sf.symcd.com
                    CA Issuers - URI:http://sf.symcb.com/sf.crt
                X509v3 Authority Key Identifier:
                    keyid:...
                X509v3 Subject Key Identifier:
                    ...
                Netscape Cert Type:
                    Object Signing
                1.3.6.1.4.1.311.2.1.27:
                    0.......
        Signature Algorithm: sha1WithRSAEncryption
             ....

    »»SHA256 Certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: ...            
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA
            Validity
                Not Before: Jan 27 00:00:00 2016 GMT
                Not After : Nov 17 23:59:59 2016 GMT
            Subject: C=RU, O=Open Media LLC, CN=Open Media LLC
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://sv.symcb.com/sv.crl
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.4.1
                      CPS: https://d.symcb.com/cps
                      User Notice:
                        Explicit Text: https://d.symcb.com/rpa

                X509v3 Extended Key Usage:
                    Code Signing
                Authority Information Access:
                    OCSP - URI:http://sv.symcd.com
                    CA Issuers - URI:http://sv.symcb.com/sv.crt
                X509v3 Authority Key Identifier:
                    keyid:...
                X509v3 Subject Key Identifier:
                    ...
        Signature Algorithm: sha256WithRSAEncryption
    Saturday, January 30, 2016 10:27 AM
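
Added example (not part of any reply in this thread, and not Microsoft's or the CA's code): one way to run the extension check suggested above over `openssl x509 -text` output like the dumps in the preceding post. It assumes "must staple" means the X.509 TLS Feature extension of RFC 7633, which OpenSSL prints as "TLS Feature" or by its OID; the function names and both sample dumps are constructed for illustration.

```python
import re

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # RFC 7633; OpenSSL 1.1.0+ prints it as "TLS Feature"

def parse_extensions(dump):
    """Map extension name -> {"critical": bool, "values": [...]} from `openssl x509 -text` output."""
    exts, base, head, current = {}, None, None, None
    for line in dump.splitlines():
        text = line.strip()
        if not text:
            continue                      # pasted dumps may contain blank lines
        indent = len(line) - len(line.lstrip())
        if base is None:                  # still before the extensions block
            if text == "X509v3 extensions:":
                base = indent
            continue
        if indent <= base:                # dedent: the trailing "Signature Algorithm" line
            break
        head = indent if head is None else head
        if indent == head:                # an extension header line
            name, _, flag = text.partition(":")
            current = exts.setdefault(name, {"critical": flag.strip() == "critical", "values": []})
        else:                             # a value line under the current header
            current["values"].append(text)
    return exts

def summarize(dump):
    """Report the fields relevant to this thread: algorithm, EKU and must-staple."""
    exts = parse_extensions(dump)
    alg = re.search(r"Signature Algorithm:\s*(\S+)", dump)
    staple = TLS_FEATURE_OID in exts or "status_request" in exts.get("TLS Feature", {}).get("values", [])
    return {"signature_algorithm": alg.group(1) if alg else None,
            "eku": exts.get("X509v3 Extended Key Usage", {}).get("values", []),
            "must_staple": staple}

# Constructed sample, trimmed from the SHA256 dump in the post above.
CODE_SIGNING = """\
Certificate:
    Data:
    Signature Algorithm: sha256WithRSAEncryption
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature

            X509v3 Extended Key Usage:
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
"""
# Constructed sample: the same dump with a TLS Feature (must-staple) extension added.
WITH_STAPLE = CODE_SIGNING.replace(
    "            X509v3 Extended",
    "            TLS Feature:\n                status_request\n            X509v3 Extended")

if __name__ == "__main__":
    print(summarize(CODE_SIGNING))
    print(summarize(WITH_STAPLE))
```
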
  • Might try them over here.

    https://social.msdn.microsoft.com/Forums/ie/en-US/home?forum=iewebdevelopment

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, January 30, 2016 1:47 PM
    Moderator