Airflow Matt
Aug 26, 2018 · 2 min read

Globalsign will revoke your code signing certificate no questions asked. Apparently they have never heard of antivirus heuristic and false positives. If you ship software for living, look somewhere else.

I’m still processing this. The sheer level of incompetence is mind blowing. Friday night I received email stating that revocation for the certificate used for signing all our releases is complete. Wait, what?

I logged into Globalsign webpage and lo and behold, the certificate was indeed revoked. I immediately called US support number (which was still operational) and tried to find out what the hell is going on. After some digging the person on the other side informed me that a security researcher contacted them telling them that the certificate was used to sign malware.

That was the second WTF moment that night. Malware? How? I build all releases from scratch, including every single dependency library. The certificate is stored in Security token, which is a physical device that needs to be plugged into USB port in order to codesign. There is absolutely no possible way this certificate was used to sign any kind of malware.

So I demanded more details. And I got them. Apparently the self-proclaimed security expert who contacted them used VirusTotal API to get hashes of scanned files flagged for malware that were codesigned and submitted those, in CSV file, to certificate issuers.

I was left speechless. Have none of those people ever heard of antivirus false positives? As if it was not bad enough that it took us months of getting back and forth with various antivirus companies, submitting countless samples, in order to get to stop their broken heuristics flagging Airflow as false positive. With hundreds of emails from users where we had to explain that no, there is no malware in our software or that it got broken by their antivirus software removing falsely flagged files.

And now one “security expert” takes hashes of those old scans, sends them to Globalsign and they just nuke the certificate without even bothering to get any feedback from their paying customer?

What kind of security researcher is unaware of antivirus heuristics and false positives? Same question goes for GlobalSign Security Team.

Oh, and just now, almost two days after the revocation I received email from Globalsign that they received abuse report and will revoke the certificate in 24 hours. I guess in their world time travel is a thing.

The certificate is gone, alongside with the SmartScreen reputation and globalsign support is unavailable during weekend.

But the worst thing of all is that this is very scary. Our livelihood depends on being able to ship windows software, which needs a valid codesign certificate, that is not only expensive, but can also apparently be now revoked no questions asked, just because broken antivirus heuristics year ago thought it found malware where there was none.