by derefr 2137 days ago
I've always been surprised that autorun wasn't re-enabled when app stores / code signing was introduced. If Microsoft or Apple is willing to sign an installer saying that it's something safe to install, isn't that proof enough to let it run when you insert the USB key it's on?

I know this isn't really very relevant for the specific combination of installers and physical media any more, since it's rare for anyone to be trying to install something off a CD/DVD/USB these days (other than a new OS, of course.)

But I could see the use case for physical media doing something other than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are already doing would be enough to make these safe, no?

1 comments

Windows code signing does not include a step where Microsoft inspects the code. The developer gets a certificate from a commercial CA and signs the code. If the certificate is an EV certificate, that's basically it. If it's a regular certificate, Windows does a callback to Microsoft that seems to just be a popularity check --- if the certificate has been used a lot, then the prompts go away.

At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.

Regular developer code-signing, yes. But I'm talking about the code-signing that's done by Microsoft (rather than by your own Microsoft-signed cert) on the Microsoft Store backend; or the code-signing that's manually done by Microsoft when a third party submits a driver package to them for inclusion as a Windows update.