20230929 - Old roots deprecation by Microsoft
At the end of August 2023, some applications suddenly stopped working on Windows. These latter had in common that they had been signed by code signing certificates chained with old Symantec roots.
The cause ? Without warning, Microsoft would have depreciated old roots of its trust program, impacting dozens of signatures.
What happened ?
Microsoft did not communicate on the incident, however it appeared that certain old roots had been assigned a "notBefore" date making them de facto invalid.
Applications signed by code signing certificates chained to these roots, whether they have been timestamped or not, have then been rejected by Windows.
Troubleshooting
Whether it was an error or a deliberate decision by Microsoft, the firm quickly reversed course and resolved the problem in the days that followed.
Steps to take
It is a safe bet that Microsoft has only postponed the depreciation of a set of old roots and that, in the more or less near future, a similar problem will arise.
Our advice is therefore to re-sign all your applications that were signed before 2018 with a Thawte, Geotrust, Symantec or VeriSign certificate.