Overview
On December 8th 2025, Sectigo abruptly revoked RustDesk’s Extended Validation (EV) Code Signing Certificate without presenting any evidence of malicious behavior or security compromise. This unilateral action immediately disrupted RustDesk users worldwide, triggering false SmartScreen warnings, breaking enterprise deployments, and damaging trust in the software supply chain.
As an open-source remote desktop project used by millions globally, RustDesk takes security and transparency as core principles.
Sectigo’s unjustified revocation — later admitted to be a false positive — represents not only a direct harm to our project but also a serious threat to the integrity of the global digital certificate trust model.
Why Sectigo’s Action Is Unacceptable
According to the CA/Browser Forum EV Code Signing Guidelines, a CA may revoke an EV certificate only when supported by verifiable, auditable evidence such
confirmed malicious activity,
verified key compromise,
fraudulent organization information, or
legal mandate.
None of these conditions applied to RustDesk.
Sectigo’s decision to revoke a critical EV certificate based on an internal false positive — without evidence, without warning, and without transparency — is a breach of industry standards and a dangerous precedent.
If a CA can arbitrarily revoke certificates, the entire trust system that underpins software distribution becomes fragile.
Why can’t RustDesk use Let’s Encrypt instead?
Code signing usually requires an extended validation (EV) cert or some other type with more in depth verification.
Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.
Interesting. TIL. Thank you.
I did discover this collection of tools that appears to provide code signing by the Linux Foundation project:
