1

I've just downloaded composer from getcomposer.org, but a strange thing had happened.

When I clicked "install for all users" button, the UCA says "Unknown publisher", but when I was checking its properties, it displays "Open Source Developer, John Stevenson" and it's a normal signature.

In Extended Error Information Page, it displays: Status: OK, Effective Date: <‎2020‎-‎1‎-‎30‎ 19:00:45>, Next Update: <‎2020‎-‎2‎-9‎ 19:00:45>. (UTC+8)

According this information, does code signing update from a central server? how does this work?

  • 1
    I think that's for the CRL (certificate revocation list): https://en.wikipedia.org/wiki/Certificate_revocation_list https://tools.ietf.org/html/rfc5280#section-5.1.2.5 – browsermator Jan 30 '20 at 22:05
  • 1
    I think it comes from the CA... they probably hold a list or revoked certs and update it. The signature never updates. It can't actually because the hash wouldn't check. – browsermator Jan 30 '20 at 22:12

0 Answers0