by tsujamin 64 days ago
For what it’s worth, Trusted Signing verification has been a moving target over the last 12 months. It was open for individuals, then it was closed to anyone except (iirc) US businesses with DUNS numbers, then it opened again to US-based individuals (and a few other countries, perhaps).

My completely uninformed guess was that someone had done something naughty with Trusted Signing-issued code signing certificates.

Anyway, when I first saw the VeraCrypt thing this morning my initial reaction was “I wonder if this is them pushing developers onto trusted signing the hard way?”


I don't know anything about Trusted Signing verification, but I do know from reports on 'mini umbrella company fraud' that if you're a fraudster, there are people in the Philippines who will happily sign their name to western countries' official paperwork in exchange for $2000 or so. Understandably, as that's more than the country's median annual income.

So I can see why offering trusted signing for individuals worldwide would come with certain challenges.

Most RATs are signed. That's a hurdle, but it's clearly not a big deal for criminals to bypass: many "SSL companies" provide them; you just have to use fake docs and you'll be issued one. Many shady services sell those signatures as well, and it doesn't look like it costs more than $15 per binary. So obviously, not so secure in practice.
I'm in Europe and ended up creating an organization since I have my own company, but they messed up the verification of one of the legitimate documents, and there was no way to reach them once they made that mistake. Frustrating, and definitely a lost customer for them.
Anyway, when I first saw the VeraCrypt thing this morning my initial reaction was “I wonder if Iran uses VeraCrypt”