Code signing

Lukáš Jarolímek 0 Reputation points
2026-03-31T10:32:25.6433333+00:00

Hello.

Could you please confirm whether SmartScreen accepts both ECC and RSA signing algorithms?

Is an EV certificate with an ECC algorithm valid for application (.exe, .msi) signing, and does it work with SmartScreen and Smart App Control?

Thank you.

Sysinternals

Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.

1 answer

  1. Q&A Assist
    2026-03-31T10:32:39.5966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Smart App Control and the Microsoft Trusted Root Program do not support ECC/ECDSA for code signing. Only RSA-based code signing certificates are supported.

    Specifically:

    1. Smart App Control:
      • Smart App Control allows applications signed with RSA-based digital certificates to run on protected devices.
      • It does not support elliptic-curve cryptography (ECC) signatures.
      • Guidance explicitly states to ensure all applications are signed with RSA-based digital certificates.
    2. Microsoft Trusted Root Program (for code signing and SmartScreen-related trust):
      • For code signing and time stamping, the allowed algorithms are:
        • Digest: SHA2 (SHA256, SHA384, SHA512)
        • RSA: 4096 (new roots only)
        • ECC / ECDSA: Not Supported
      • Notes further clarify:
        • “Signatures using elliptical curve cryptography (ECC), such as ECDSA, aren't supported in Windows and newer Windows security features.”
        • “Code Signing does not support ECC or keys > 4096.”
    3. EV certificates with ECC:
      • An EV certificate that uses ECC/ECDSA is not valid for Windows code signing scenarios covered by the Microsoft Trusted Root Program and is not supported by Smart App Control.
      • To work correctly with Smart App Control (and modern Windows security features such as SmartScreen that rely on the Microsoft Root Certificate Program for code-signing trust), EV or OV certificates must use RSA, not ECC.

    Therefore:

    • SmartScreen/Smart App Control do not accept ECC/ECDSA for code signing.
    • An EV certificate using ECC is not suitable for signing .exe or .msi if the goal is to integrate properly with Smart App Control and Windows’ current code-signing trust model. Use an RSA-based EV (or OV) code signing certificate with SHA2 instead.
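
The check below is an added example, not part of the original answer or any Microsoft tooling: a PowerShell function that lists the key algorithm and size of each certificate in a file's signer and timestamp chains, so a build signed with an ECC certificate can be caught against the limits quoted above (RSA only, keys no larger than 4096 bits). The function name `Get-SignatureKeyReport` and the `C:\build\output` path are assumptions.

```powershell
# Added example (not from the original thread). Lists every certificate in a
# file's Authenticode signer and timestamp chains and flags those outside the
# limits quoted in the answer above: RSA keys only, no larger than 4096 bits.
function Get-SignatureKeyReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $leaves = [ordered]@{
            Signer      = $sig.SignerCertificate
            TimeStamper = $sig.TimeStamperCertificate
        }
        foreach ($role in $leaves.Keys) {
            $leaf = $leaves[$role]
            if ($null -eq $leaf) { continue }   # unsigned file or no timestamp

            # Build the chain so intermediates and the root are inspected too.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # works offline
            [void]$chain.Build($leaf)

            foreach ($element in $chain.ChainElements) {
                $cert = $element.Certificate
                # Returns $null when the public key is not RSA (for example ECDSA).
                $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                $bits = if ($rsa) { $rsa.KeySize } else { $null }
                [pscustomobject]@{
                    File               = $Path
                    Role               = $role
                    Subject            = $cert.Subject
                    KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
                    KeyBits            = $bits
                    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                    WithinLimits       = ($null -ne $rsa) -and ($bits -le 4096)
                    SignatureStatus    = $sig.Status
                }
            }
        }
    }
}

# Usage: the path is a placeholder for a build output directory.
Get-ChildItem 'C:\build\output' -Include *.exe, *.msi -Recurse |
    ForEach-Object { Get-SignatureKeyReport -Path $_.FullName } |
    Format-Table Role, KeyAlgorithm, KeyBits, WithinLimits, Subject -AutoSize
```

Any row with `WithinLimits` set to `False` marks a certificate in the chain that is not RSA or exceeds 4096 bits; `SignatureStatus` carries the separate Authenticode validation result for the file.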
