We use relic as our primary signing tool for Windows executables, with Azure Key Vault as the certificate store.
I’ve encountered an issue where executables signed with relic show a valid signature in the file properties, but Windows SmartScreen still reports “unknown issuer,” even though the EV certificate is valid.
When signing the same executable with AzureSignTool using the same certificate, SmartScreen validation succeeds. After some investigation, I found that relic doesn’t embed the intermediate certificate in the signature.
As a workaround, I extracted the intermediate certificate’s download URL from the AIA extension of the signing certificate and tried to pass it to relic, but I’m having trouble configuring it properly.
Here’s my current relic configuration:
tokens:
  azurekv:
    type: azure
keys:
  my-signing:
    token: azurekv
    id: https://vault.azure.net/certificates/MyCCodeSigningCert/id
    timestamp: true
timestamp:
  urls:
    - http://timestamp.cert-provider.com
Is there a way to include the intermediate certificate, for example:
tokens:
  ...
keys:
  ...
    chain: /path/to/intermediate-certificate.crt
timestamp:
  ...
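Added example, not the issue author's code and not part of relic: a stdlib-only Python check that lists the certificates embedded in an Authenticode PKCS#7 signature, finds the signing certificate from the SignerInfo, walks issuer links towards a trusted root, and, when the walk dead-ends, reports the missing CA and the signer's AIA caIssuers URL (the download location the workaround above relies on). The certificates, CNs, serials and the `http://example.invalid/ev-ca.crt` URL at the bottom are constructed skeletons with dummy keys so the script runs offline; they are not real certificates. To run it against a real binary, extract the signature first (for example `osslsigncode extract-signature -in signed.exe -out sig.der`), read `sig.der` as bytes, and pass the commonName of the root your EV certificate chains to as the trusted set.

```python
"""Does an Authenticode PKCS#7 signature embed the intermediate CA certificate? Stdlib-only DER
walking: list embedded certs, find the signer, walk towards a trusted root, report the AIA URL."""
def tlv(tag, body):                               # minimal DER encoder, used only for the sample data
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")                   # long-form length
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def seq(*parts):
    return tlv(0x30, b"".join(parts))

def children(body):
    """Split a constructed DER value into (tag, value) pairs; handles long-form lengths."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

OID_CN = bytes.fromhex("550403")                          # 2.5.4.3 commonName (OID values, no tag/length)
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")     # 1.2.840.113549.1.7.2 signedData
OID_AIA = bytes.fromhex("2B06010505070101")               # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_CA_ISSUERS = bytes.fromhex("2B06010505073002")        # 1.3.6.1.5.5.7.48.2 caIssuers
def name_cn(name_body):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, attr_type), (_, value) = children(atv)[:2]
            if attr_type == OID_CN:
                return value.decode("utf-8")
    return None

def parse_cert(cert_body):
    """Subject, issuer, serial and AIA caIssuers URL from the body of a DER Certificate."""
    tbs = children(children(cert_body)[0][1])              # tbsCertificate fields
    if tbs[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        tbs = tbs[1:]
    info = {"serial": int.from_bytes(tbs[0][1], "big", signed=True), "ca_issuers": None,
            "issuer": name_cn(tbs[2][1]), "subject": name_cn(tbs[4][1])}
    for tag, val in tbs[6:]:
        if tag == 0xA3:                                     # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)                       # extnID, [critical], extnValue
                if parts[0][1] == OID_AIA:
                    for _, access in children(children(parts[-1][1])[0][1]):
                        (_, method), (loc_tag, loc) = children(access)[:2]
                        if method == OID_CA_ISSUERS and loc_tag == 0x86:    # [6] URI
                            info["ca_issuers"] = loc.decode("ascii")
    return info

def parse_signature(p7):
    """Embedded certs and (issuer CN, serial) of the first SignerInfo in a PKCS#7 DER blob."""
    (_, content_type), (_, wrapped) = children(children(p7)[0][1])
    assert content_type == OID_SIGNED_DATA, "not a PKCS#7 SignedData blob"
    certs, signer = [], None
    for tag, val in children(children(wrapped)[0][1])[3:]:  # after version, digestAlgs, contentInfo
        if tag == 0xA0:                                     # certificates [0] IMPLICIT
            certs = [parse_cert(c) for t, c in children(val) if t == 0x30]
        elif tag == 0x31:                                   # signerInfos -> issuerAndSerialNumber
            (_, issuer), (_, serial) = children(children(children(val)[0][1])[1][1])
            signer = (name_cn(issuer), int.from_bytes(serial, "big", signed=True))
    return certs, signer

def check_chain(p7, trusted_roots):
    """Walk signer -> issuer through the embedded certs until a trusted root CN is reached."""
    certs, signer = parse_signature(p7)
    by_subject = {c["subject"]: c for c in certs}
    cur = next(c for c in certs if (c["issuer"], c["serial"]) == signer)    # the signing cert
    path = [cur["subject"]]
    while cur["issuer"] not in trusted_roots:
        nxt = by_subject.get(cur["issuer"])
        if nxt is None or nxt is cur:                       # not embedded, or self-signed but untrusted
            return {"complete": False, "path": path, "missing": cur["issuer"], "fetch_from": cur["ca_issuers"]}
        cur, path = nxt, path + [nxt["subject"]]
    return {"complete": True, "path": path, "missing": None, "fetch_from": None}

# -- constructed sample data: X.509/PKCS#7 skeletons with dummy keys and signatures, not real certs --
def rdn_name(cn):
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode()))))
def fake_cert(subject, issuer, serial, ca_issuers=None):   # serial < 128 keeps the INTEGER positive
    exts = b""
    if ca_issuers:                                          # AIA extension: caIssuers -> [6] URI
        aia = seq(seq(tlv(0x06, OID_CA_ISSUERS), tlv(0x86, ca_issuers.encode())))
        exts = tlv(0xA3, seq(seq(tlv(0x06, OID_AIA), tlv(0x04, aia))))
    alg, utc = seq(tlv(0x05, b"")), tlv(0x17, b"250101000000Z")
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), alg, rdn_name(issuer),
              seq(utc, utc), rdn_name(subject), seq(alg, tlv(0x03, b"\x00")), exts)
    return seq(tbs, alg, tlv(0x03, b"\x00"))
def fake_signed_data(cert_ders, signer_issuer, signer_serial):
    signer_info = seq(tlv(0x02, b"\x01"), seq(rdn_name(signer_issuer), tlv(0x02, bytes([signer_serial]))))
    signed = seq(tlv(0x02, b"\x01"), tlv(0x31, b""), seq(), tlv(0xA0, b"".join(cert_ders)), tlv(0x31, signer_info))
    return seq(tlv(0x06, OID_SIGNED_DATA), tlv(0xA0, signed))
INTERMEDIATE = fake_cert("Test EV Code Signing CA", "Test Root CA", 2)
LEAF = fake_cert("Example Corp", "Test EV Code Signing CA", 3, "http://example.invalid/ev-ca.crt")
LEAF_ONLY = fake_signed_data([LEAF], "Test EV Code Signing CA", 3)       # signer cert only, as reported
WITH_CHAIN = fake_signed_data([LEAF, INTERMEDIATE], "Test EV Code Signing CA", 3)
```

`check_chain(LEAF_ONLY, {"Test Root CA"})` is the situation reported above: `complete` is `False`, `missing` is the intermediate CA's commonName and `fetch_from` is the URL from the signer's AIA extension; `check_chain(WITH_CHAIN, {"Test Root CA"})` returns `complete: True` with the two-element path. Matching is by commonName only, which is enough for a diagnostic but not a substitute for real path validation, and with an empty trusted set even an embedded self-signed root is reported as untrusted, so pass the real root CN.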