In June 2022, DigiCert introduced the new cross root "DigiCert Trusted Root G4" to resolve compatibility issues with legacy timestamp clients. The introduction of the cross root was for the timestamp certificate to chain to a more ubiquitous root that was already present in the root stores of legacy systems.
As part of this change, the new cross root included only the Time Stamping (220.127.116.11.18.104.22.168.8) EKU attribute. Because this same cross root would also be used as part of the digital signature chain, Windows was unable to validate the code signing certificate chain due to the limited EKU.
When checking the digital signature or executing the signed program on all Windows machines missing the new ICA “DigiCert Trusted Root G4”, errors similar to the following may appear:
On August 8, 2022, DigiCert published a new, permanent cross-signed intermediate CA (ICA) certificate to be used for validation of timestamped digital signatures. This new ICA certificate is compatible with legacy operating systems, resolving a previous problem of legacy operating systems distrusting properly signed code.
DigiCert Trusted Root G4
Valid From: Monday, August 1, 2022 00:00:00 UTC
Valid To: Sunday, November 9, 2031 23:59:59 UTC
For any files signed with the temporary workaround, they will continue working or you may re-sign and timestamp your files without specifying the cross-signed ICA.
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file_to_sign.exe"
Verify the file was signed correctly with this command:
signtool verify /pa signed_file.exe