Forum Discussion

Leigh_Marble's avatar
Leigh_Marble
Copper Contributor
Jan 11, 2024

Codesigning with ECC certificate (rather than RSA) - works with SmartScreen?

Hello,   Newbie here at the MS tech community, hope I'm posting this in the right spot. I have a seemingly straightforward question that I haven't found an answer to yet:   Does https://learn.mic...
security
threat protection
Leigh_Marble's avatar
Leigh_Marble
Copper Contributor
Jan 11, 2024

HI LeonPavesic,

 

Thank you for your reply. Do you have a source you can name for Microsoft SmartScreen having ECC certificate support? I have been unable to find any references to it online.

I'll highlight the fact that the certificate I'm using is an EV (Extended Validation) code signing certificate. Sellers of EV certs claim that "An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows." (https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/)

Also the Microsoft malware analysts, who have access to the backend systems that track application reputation, are telling me that "the application [REDACTED] has since established reputation and attempting to download or run the application should no longer show any warnings."

So the problem doesn't seem to be on the backend. Which, combined with the anecdotal evidence of other devs with RSA certificates not having this issue, leads me to guess that there may be a problem on the frontend (i.e. locally with SmartScreen on my laptop).

I did find this Microsoft documentation that ECC algorithms are not supported in another area of the Windows Defender infrastructure:

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels

But I am unclear if this would apply directly to Windows Defender Smartscreen.

Thank you,

Leigh

LeonPavesic's avatar
LeonPavesic
Silver Contributor
Jan 12, 2024

Hi Leigh_Marble,

thank you for the extremely good and detailed answer.

Microsoft SmartScreen doesn't provide detailed public documentation on the specific cryptographic algorithms or certificate types it supports (at least I cannot find it - especially for ECC).
But, from my experience and in general, SmartScreen is designed to work with standard code signing certificates, whether they use RSA or ECC algorithms.
As you mentioned, Extended Validation (EV) certificates, which have a more rigorous validation process, are important for the increase of the reputation of the signed applications.

The documentation you found about ECC algorithms does not directly apply to Windows Defender SmartScreen (another area of the Windows Defender infrastructure).

Your issue is specific because involves the interaction of your application with Microsoft's security options so I recommend contacting the Microsoft Support directly. The should be able to see if the problem is on the backend or on the frontend side.



Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

  • Vitaly_Od's avatar
    Vitaly_Od
    Copper Contributor
    Jan 20, 2024

    Hi LeonPavesic , Leigh_Marble 

     

    SmartScreen will pop up only with Sectigo and Certera (formally Sectigo) EV ECC certificates, ignoring EV certificate reputation.

    The work around is to order certificate on SafeNet, but not on Yubikey, where RSA 4096 is not available.

    The issue is well known among certificates resellers, however instantly declined by Microsoft and Sectigo.

    DigiCert and SSL.COM EV ECC certificates are working as expected, it could be a good option if you already have Yubikey FIPS device purchased.

     

    Best regards,

    Vitaly

Resources