Certificate Expired
What is a certificate
Code signing certificates are issued by authorities after proof of identity checks. Code signing certificates are digital attestations of identity that can be imprinted in software during compilation. They attest to the creator being reputable and provide a digital signature which theoretically cannot be forged/faked by hackers and tracks back to the owner of the certificate. When imprinted, it furthermore, indicates that the software has not been altered after signing.
In the past it was easy
In previous years the DCP has always been code signed. Obtaining certificates was not too cumbersome and certificates could be downloaded once issued and installed in to the certificate cache on windows. Requirements for running software on windows have become more strict over the years. We have all seen the warnings for software when downloaded from internet. To get around the issues of warnings creators now have to purchase an Extended Validation certificate. Certificates can no longer be downloaded but must be sent out on hardware tokens.
Go for Extended Validation
This year it was decided to upgrade to an EV certificate. In February the code signing certificate was due for renewal. The process of obtaining a code signing certificate is becoming increasingly complex. The requirements for satisfying identity attestation as a company requires providing legal documentation (similar to an individual scoring identity points during application for a passport). It is more convoluted, and time consuming and you have to factor in certificates being issued on hardware tokens that are delivered by post from overseas. The application process is all online and managed from overseas, where they have no knowledge of local laws or ATO and thus it takes some time to get through the validation process. As part of the process this year we had to consult the tax office and obtain a new company name to meet the stricter requirements set in place this year by the certificate authority.
Certification achieved
The certificate issuance was eventually made and a hardware token was snail mailed from overseas.
When the certificate arrived it was immediately put to use.
However the certificate name was incorrect and we requested a re-issuance with correct naming.
The certificate issuance company agreed as the 30 day time limit for cancellation/update had not yet expired.
Great you would think.
Not Great.
The issuance authority revoked the existing certificate and further requested that we reapply for new certificate.
The real disaster
Unfortunately when revoked, any installed software under a revoked certificate may stop working depending on the security policies in place on the windows machine.
A revoked certificate will also prevent installation on some windows machines where policies prevent installation although some may allow installation by clicking through warnings.
A further complication is that the ClickOnce method of distributing does not allow rolling back to a previous version as it will throw an error when software is started if the incoming rollback update is not a later version but in fact an earlier version.
No way forward and no way back.
For some it requires uninstalling the software and installing from an older version that had been signed by an older non revoked certificate.
Some users can get away with just using the installed software and have no warnings - interesting and confounding.
Hanging in limbo
So with no active certificate and a revoked certificate applied on existing distributed software there is no way to allow users to run the software.
Leaves the software hanging in limbo til a new certificate is received and used to create the next update of software.
The Temporary Solution
We have rolled back the Beta version (by a few weeks) to a version signed with non revoked certificate. This will allow users to install the Beta version of DCP software. If the Beta version is already installed and a later version it will need to be uninstalled using the windows "Add or remove programs".