Comment by jonathanstrange
15 hours ago
As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?
Are there some ways to combat such decisions legally?
Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.
I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.
It’s become neigh impossible to get your own code signing cert these days. The 2025 update from the CA forum required code signing certs to be short lived (no more three or five year certs) and stored exclusively on an HSM. As a result, most companies cross-signing these certs have moved to a subscription PaaS model where you are issued a cert but never receive custody of it, and perform signing via their APIs, and are at their mercy should they decide to block your account.
Anyway, even if you could get your own cert it would be same thing: MS could revoke or blacklist your indicate cert (though usually the grounds for doing so are much less shaky than your account being suspended for vague “tos violations”)
I was afraid of the HSM at first but for an open source developer (rather than a big company) I found it wasn't a big deal. I can't sign in GitHub Actions and I have a USB stick that lights up when I sign releases, but it hasn't been a blocker. I got mine from Sectigo Store. This isn't hypothetical, I really did it, I've got the HSM, it works. It wasn't difficult. It just cost some money and a little bit of time. "Nigh impossible" is a tremendous exaggeration. I'll concede "annoying and expensive" perhaps. If you've got the money, you can get the HSM. You don't have to re-buy the HSM when you renew your certificate.
The Microsoft Store account was painful to set up, I'll note. My developer account had also been cancelled by Microsoft for unknown reasons, and I ultimately had to set up a brand new one. New email, new name. My new account has my middle initial because I couldn't clash with the existing, closed account. My first and last name alone are banished forever from the store.
The "same thing", as you concede, isn't the same thing. Quantity has a quality of its own: one happens all the time and we're reading an article about it happening right now. In the comments there's another prominent maintainer who it happened to, and it happened to me personally! That's three right here! The other happens so infrequently that people in this same HN thread are complaining that it isn't happening enough. Can you find an example that's like Veracrypt and WireGuard? In practice, it seems they rarely do this, even when they should. You can actually view the list under "Manage computer certificates" > "Untrusted Certificates." On my computer the entire list is 20 certificates.
I'm standing by my suggestion, 100%. These aren't equivalent risks at all.
3 replies →
Yep. OS level stores are just way for the org to exercise control over installs.
I have stay far away from that process for a long time. Apple MacOS seems like the worst in that department IMHO.
what do you mean? mac doesn't require the use of the store at all, or even an apple id to use your computer
I have found that MS still blocks my signed and timestamped .msi files for at least a few days. From saving the downloads in Edge and then via Smartscreen once you get it downloaded.
If I submit it manually for every update it tends to go better. If more people download and install it whitelists faster. But that is highly annoying, orwellian bullshit. Might even be anti-competitive or downright illegal.
I see the same behavior with my MSIs. I've had better luck with my MSIXs. As much as I like being Store-free, I have a June 2025 release of an MSI-based app that still gets dinged by Edge and again by SmartScreen. A different MSIX-based app, with almost no users, gets dinged by Edge but not by SmartScreen. It's the same certificate. I can never be sure what other users are seeing, though.
tbh, I thought that I had built enough reputation on this particular MSI release, until testing it just now. Hate to see it :(
1 reply →
Thank you for that. Although it may be unlikely, I'd love to see a mass exodus away from their failed attempt to emulate all the worst aspects of appstores popularized in other platforms.
I grew up being able to download software and install it, and actually prefer that model (relying on reputational trust of the party publishing it, my own verification from other signals researched, or sandboxing techniques where appropriate).
Most users may not be aware, but a rare gem of a version of Windows that refreshingly doesn't even come with the store (or a bunch of the other unwanted bloat) is IoT Enterprise LTSC.
As a lifelong Windows user, the premise of Microsoft controlling what goes on my PC is revolting. I'm buying a tool from them, not a set of handcuffs. If it was some non-profit, open-source group running the store I might be more inclined to trust it. But ultimately the only gatekeeper on a product I own should be me. Otherwise I don't really own it, which leads to problems like this one.
Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.
And of course, it doesn't affect their earnings and there are no consequence, or significant, so they won't care and won't respond or tell what went wrong.
Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.
This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.
If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.
There's more to it. Signed desktop software can be signed by any CA.
Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.
In general this isn't your problem.
Speculation as well and highly unlikely. Microsoft drivers can very well BSOD your machine as well, not a significant or convincing threat scenario and certainly not something that lead to certificate revocation of driver developers. There is zero quality control or review by Microsoft here. Not for their own products and not for third party ones.
Exhibit A:
https://en.wikipedia.org/wiki/2024_CrowdStrike-related_IT_ou...
That's not entirely true. Certain classes of signing keys require driver developers to put their driver through a test battery and submit the results to Microsoft.
1 reply →
According to this: https://x.com/EdgeSecurity/status/2041872931576299888
> ...it seems like they instituted an identity verification policy, didn't notify me about it, and then I guess they suspended accounts who didn't do the verification.
So, make sure you verify your account? Check spam folder regularly? Log in via web interface at least once a year?
> So, make sure you verify your account?
What ? On my computer ? Microsoft really has some nerves. My Microsoft account is scheduled for deletion.
I guess we can assume you won't be releasing any software for Windows in the near future :)
You just have to start living like they do in Russia and comply in advance. Don't do anything "interesting", no encryption, or if you do, make sure you leave breadcrumbs, scratch that, a bread trail for them to easily get access to customer data. An Oracle or Sharepoint integration maybe?