Note about issues with digitally signed B&W applications

Over the past months, we received a small number of reports of problems loading IFX or AFX during Creo startup. Analyzing the problem, we found that the code signature we use appears to be incompatible with very old, unpatched versions of Windows or Windows Server that have no internet connectivity.

The signature can be understood as a notarial certification for data. It ensures that software originates from the vendor named in the signing certificate and helps with malware detection. This mechanism has been mandatory for Creo add-ons since Creo version 7, including the packaged B&W products IFX and AFX. When the signature is checked, the certificate authority must be known to the operating system, i.e. the “notary” must be included in the operating system’s list of “notaries”. We checked this using recent operating system versions when we introduced code signing for B&W applications. However, the certificate authority for our signing certificate was evidently not included in very early versions of Windows 10 and was only added with a later update. The impacted systems were disconnected (“air-gapped”) from the internet and not patched to an up-to-date version. Hence, the missing certificate authority caused the problems during Creo startup.

For this reason among others, we recommend keeping the operating system up to date. Recent patch versions of Windows should not be affected by these problems. PTC has published two workarounds in a support article: the certificate authorities ‘Certum CA’ and ‘Certum Trusted Network CA’ can be added to the operating system manually, or AFX and IFX can be disabled using config.pro options if they are not used. Details can be found in the linked article.
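
One way to check an affected machine for the condition described above, as an added example that is not from B&W or PTC: it looks for the two root CAs named in this note in the machine trust store and, if a file is given, reports how Windows rates its signature chain without network access. The function name and the `-SignedFile` parameter are hypothetical; the path to a signed IFX or AFX binary is not given in the note and must be supplied by the reader.

```powershell
# Added example. Assumptions: run on the affected Windows host; -SignedFile is a
# hypothetical parameter for the path to a signed IFX/AFX binary (not in the note).
param([string]$SignedFile = '')

# Root CA names exactly as listed in the note.
$requiredRoots = 'Certum CA', 'Certum Trusted Network CA'
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Get-RootTrustState {
    param([string]$CommonName)
    # Exact CN match in the machine-wide trusted root store, so that similarly
    # named roots are not counted as a hit.
    $hits = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.GetNameInfo($simpleName, $false) -eq $CommonName })
    $newest = $hits | Sort-Object NotAfter -Descending | Select-Object -First 1
    [pscustomobject]@{
        RootCA     = $CommonName
        Present    = $hits.Count -gt 0
        Expired    = if ($newest) { $newest.NotAfter -lt (Get-Date) } else { $null }
        Thumbprint = if ($newest) { $newest.Thumbprint } else { $null }
    }
}

$requiredRoots | ForEach-Object { Get-RootTrustState -CommonName $_ } | Format-Table -AutoSize

if ($SignedFile) {
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    "Authenticode status: $($sig.Status) - $($sig.StatusMessage)"
    if ($sig.SignerCertificate) {
        # Build the chain without revocation lookups, matching an air-gapped host.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($sig.SignerCertificate)
        "Chain builds to a trusted root: $trusted"
        # UntrustedRoot or PartialChain here points to a missing root CA.
        $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        "Top of chain: $($top.Subject)"
    } else {
        'File carries no Authenticode signature.'
    }
}
```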