Does the fact that installed apps failed because a certificate expired not bode ill for Windows?

So supposedly some INSTALLED apps stopped working on some Windows PC’s because a certificate expired on Halloween night. I don’t know all the details, beyond what is written in the KB November 5, 2021—KB5008295 Out-of-band but it does concern me that installed Windows apps stop working at the apparent whim of Microsoft. This makes me wonder what happens in the future when you’re not done with a release by they decide you are. Can they basically revoke your right to use parts of the OS on their own schedule?

Microsoft has used code signing for drivers for well over a decade (Windows XP 64-bit onwards). and the store apps have always been signed (Windows 8 on) and normal desktop applications can also be signed, making them trustworthy.

That always relies on the certificate being valid, either at install time (drivers and applications) or runtime for store apps.

This is the same for most operating systems these days, iOS, Android, macOS, Linux etc. Due to bad actors, unsigned code just can’t be trusted these days.

But it means that the valid root certificates need to be updated in a timely manner on those platforms. It looks like Microsoft forgot to replace one of them in Windows 11. That could easily have been Windows 8, 10, iOS, Android macOS etc.

Apps that are part of the OS (Notepad, Paint, etc) need to be considered PART OF THE OS at all times, not just when MS decides it can be bothered to maintain the certificates. I have a huge problem with parts of my OS getting “recalled” on the manufacturer’s schedule, especially if the OS is meant to be used offline (i.e. isolated) from the network (in a segment of the network/building meant to be very isolated from the “real world”.)

Isn’t Microsoft making a push to remove these from the OS though? Manage them separately from the OS update schedule?

I can understand your view that it’s crummy that apps can be nerfed at the whim of the developer, but at the same time I think cryptographically signing programs is absolutely necessary these days.

1 Like