In general, I would suggest to let the SetupBuilder compiler code-sign your (SetupBuilder based) apps. The compiler also sets some internal parameters in the apps when you code-sign (with your certificate). Not a problem here with WUPDATE_SSL, because it does not have an embedded uninstaller (which also needs a signature).

Yes, the certificate expired in 2021, but the original clients are timestamped. So the certificate is still perfectly valid. In SetupBuilder 2025, we'll use our highly trusted EV certificate (or our Microsoft Trusted Sign certificate, not 100% sure at the moment) to code-sign. And I think we'll also code-sign all compiler modules (this is a new Microsoft requirement).

As you can see here, no security vendors flagged our file as malicious. But it is still possible that specific security settings lock or block the clients. So sometimes it might help to code-sign with your own certificate (if it has a high trust level).

WUCHECK_SSL.EXE:

https://www.virustotal.com/gui/file/...1024e0254e8c7a

WUPDATE_SSL.EXE:

https://www.virustotal.com/gui/file/...a3a6f4a453e0f2

Friedrich