A certificate was explicitly revoked by its issuer

void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

A certificate was explicitly revoked by its issuer

Post by void »

I was recently informed by Microsoft that the voidtools code signing certificate may have been stolen or compromised.

The voidtools certificate was used to sign a wormhole driver.
As a result, Microsoft has added the voidtools certificate to the Windows vulnerable driver blocklist.

This blocklist will be pushed out through Windows Update very soon. (some users may have already received it)
Any software signed with the compromised voidtools certificate may stop working with the following error:

A certificate was explicitly revoked by its issuer



I'm in the process of getting a new code signing certificate.
I will be re-signing all my software using the new certificate.



I am sorry for letting you all down.
Thanks for your patience while I sort this out.
abr01
Posts: 141
Joined: Tue May 01, 2018 4:57 pm

Re: A certificate was explicitly revoked by its issuer

Post by abr01 »

All Good! Why is this Alpha anyway? Feels like a matured Beta to me, at least! :D
And shame on those filthy certificate stealers!
ChrisGreaves
Posts: 751
Joined: Wed Jan 05, 2022 9:29 pm

Re: A certificate was explicitly revoked by its issuer

Post by ChrisGreaves »

void wrote: Fri May 16, 2025 3:48 am I am sorry for letting you all down.
Void, I don't feel that you have let me down.
I'm not sure why you are apologising for a worm(?) stealing your certificate(?)
No matter.
I know that your software is maintained well and that you are on top of matters like this.
No need to reply.
Cheers, chris
nod5
Posts: 42
Joined: Fri Aug 19, 2016 9:12 pm

Re: A certificate was explicitly revoked by its issuer

Post by nod5 »

Very sorry to hear this, must be a huge hassle to deal with. I hope you swiftly get a new certificate and that the issue with Microsoft gets resolved.

My installs of Windows haven't so far seen any certificate errors for Everything.

Apologies in advance for now possibly piling on with things for you to do or if the following comes across as hostile. It is intended to be constructive. But given the "may have been stolen or compromised" statement and given that the linked CVE post is from 2023, users may raise worries and questions about the integrity of the computers used to compile the 1.5 alpha releases and maybe even some v1.4 releases. As Everything is closed source there are no public CI/CD build recipes and logs to inspect to settle such worries directly by letting users and third parties examine them. That means users have to trust you. An additional factor here is that your contact and about pages are minimal, just a name and email, and that very little other information about you appears to be available online. Of course not everyone has an online public presence with personal information for example about where they work or their education. But having that can be relevant for trust. Given all this I think it would be useful if you could assuage worries about the integrity of earlier releases by saying more about how you've checked your dev environment and releases for possible tampering.
mohsyn
Posts: 32
Joined: Thu Jul 09, 2020 9:26 am

Re: A certificate was explicitly revoked by its issuer

Post by mohsyn »

@Void Does that mean the existing alpha version which is running will stop working soon?
Can it be prevented by not updating Windows until a solution from you arrives?
phil2search
Posts: 29
Joined: Tue Mar 20, 2018 9:04 pm

Re: A certificate was explicitly revoked by its issuer

Post by phil2search »

Very sorry to hear that too.
I hope that you can find how that happened to make sure they did not steal anything else from you or put your personal information in danger.

I think I am not exaggerating if I say we are all grateful for what you have been doing.
A colleague thanked me no later than this afternoon for showing telling him about "everything" (probably what triggered me coming to check here if there was any update).

And just for reference, my phone service provider and one of my insurance companies did not tell me they were sorry and that they felt they let me down when they let someone have my personal info. We all want to hold ourselves to the highest standards, and not cause problems for other people even when it is not our fault but things happen in life.

Cheers
Philippe
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

All Good! Why is this Alpha anyway? Feels like a matured Beta to me, at least! :D
This doesn't apply to just Everything 1.5.
All my other software will also stop working including Everything 1.4.


I'm not sure why you are apologising for a worm(?) stealing your certificate(?)
This should never have happened.
I am strengthening my code signing process.


users may raise worries and questions about the integrity of the computers used to compile the 1.5 alpha releases and maybe even some v1.4 releases.
My dev environment is clean and I am not seeing any evidence of tampering.
I have made the decision to open source Everything.


@Void Does that mean existing alpha version which is running will stop working soon ?
In short, yes.
From what I have seen the certificate check appears to only apply to new exe files.
If you have Everything already installed, it should continue to work.


Can it be prevented by not updating windows until a solution from you arrives ?
Yes, but I don't recommend doing this.
I should have a new certificate within a week.
Net7
Posts: 1
Joined: Mon Feb 24, 2025 7:13 pm

Re: A certificate was explicitly revoked by its issuer

Post by Net7 »

Glad they finally got back to you about what the frack is going on.

You didn't let us down, this has happened to bigger, more funded projects/software/companies.
Pissants gonna pissant when it comes to the deplorable clowns that did this.

Keep up the good work, don't rush it, waited this long, the delay will be pain but it is what it is.
Last edited by Net7 on Sat May 17, 2025 5:46 am, edited 1 time in total.
anmac1789
Posts: 723
Joined: Mon Aug 24, 2020 1:16 pm

Re: A certificate was explicitly revoked by its issuer

Post by anmac1789 »

Can it be prevented by not updating windows until a solution from you arrives ?
Yes, but I don't recommend doing this.
I should have a new certificate within a week.
Does this mean after you get a new certificate that newer alpha versions will release ? and also to add whoever stole your software is a moron because everything is all I ever use instead of any other software. it saved me countless hours of work especially with integrating excel. Thank you from Canada <3 with love
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

Thank you for all the support.
Does this mean after you get a new certificate that newer alpha versions will release ?
Yes.
Now that I know the reason for the revocation, I can start releasing new alpha versions with a new certificate.
NotNull
Posts: 5826
Joined: Wed May 24, 2017 9:22 pm

Re: A certificate was explicitly revoked by its issuer

Post by NotNull »

void wrote: Sat May 17, 2025 12:11 am I have made the decision to open source Everything.
Because? I mean: What is the reasoning behind this?
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

Trust.
anmac1789
Posts: 723
Joined: Mon Aug 24, 2020 1:16 pm

Re: A certificate was explicitly revoked by its issuer

Post by anmac1789 »

I can't wait the future of everything I just know new things are inbound !!
w64bit
Posts: 292
Joined: Wed Jan 09, 2013 9:06 am

Re: A certificate was explicitly revoked by its issuer

Post by w64bit »

void wrote: Sat May 17, 2025 12:11 am
I have made the decision to open source Everything.
Please don't.
The code is too valuable.
We already trust you and Everything.

If the code is going to be open source, it will be used to do harm, not to help.
TheBestPessimist
Posts: 35
Joined: Sat Jan 14, 2023 6:36 pm

Re: A certificate was explicitly revoked by its issuer

Post by TheBestPessimist »

> I have made the decision to open source Everything.

Like other people voiced before me, I have mixed feelings about this as well :|
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

anmac1789
Posts: 723
Joined: Mon Aug 24, 2020 1:16 pm

Re: A certificate was explicitly revoked by its issuer

Post by anmac1789 »

void wrote: Mon May 19, 2025 3:09 am Details on the driver signed by voidtools:
https://www.virustotal.com/gui/file/e44c3793d335b18b8d4d29ef2a6fd94045f03825f8652fa80a167fef6c3ce949
oh my lord, who the hell compromised this
nod5
Posts: 42
Joined: Fri Aug 19, 2016 9:12 pm

Re: A certificate was explicitly revoked by its issuer

Post by nod5 »

void wrote: Sat May 17, 2025 12:11 am My dev environment is clean and I am not seeing any evidence of tampering.
I have made the decision to open source Everything.
Thanks for the reply. That's super good news! :) I think open sourcing combined with a new certificate for releases should effectively answer any worries about the integrity of the software!

If you currently have revenue arrangement for some corporate users of Everything, or plan for that in the future, then the details of how to precisely open source it and possible license changes will matter a lot. I hope there's a great future for Everything as open source while you have streams of income from the time you spend working on it. Take time to choose your path forward wisely for the terrific piece of software you have created.

The current license https://www.voidtools.com/License.txt is MIT I think (I say I think only because "MIT license" isn't mentioned on that page, but it looks verbatim to https://opensource.org/license/mit ). That allows for profit clones and since Everything is so useful it seems likely that some would try to reuse its code in various ways. Some software and software devs live and thrive with a MIT license. There's value in being the original, in providing support and customizations and in pushing the feature set forward. But others choose other paths e.g. restricting for profit use or dual licensing to ensure some revenue in cases of corporate use or for profit code reuse.

In a more reasonable world I would have expected Microsoft to pay you very handsomely to just make Everything a part of Windows or at least Sysinternals/Power Toys. Microsoft's own search tools are so much worse and there's nothing close to Everything in terms of speed and features in the Windows or Linux ecosystems.
therube
Posts: 5288
Joined: Thu Sep 03, 2009 6:48 pm

Re: A certificate was explicitly revoked by its issuer

Post by therube »

I have made the decision to open source Everything.
IMO, do that only because you want to do that, & not for any other reason (such as "trust").
("Open source" does not make a program/person "trustworthy".
Being compromised or making a wrong decision does not make one untrustworthy - only human.)
nod5
Posts: 42
Joined: Fri Aug 19, 2016 9:12 pm

Re: A certificate was explicitly revoked by its issuer

Post by nod5 »

therube wrote: Mon May 19, 2025 6:17 pm "Open source" does not make a program/person "trustworthy".
True, but open source and automated public builds lets you and others inspect the code and the build recipes and also lets you compile the code yourself so that you know that the binaries are made from that exact source. Which is an alternative or complement to putting trust in the creator of the software. (Open source is a huge topic, but I'll stop here.)
w64bit
Posts: 292
Joined: Wed Jan 09, 2013 9:06 am

Re: A certificate was explicitly revoked by its issuer

Post by w64bit »

nod5 wrote: Mon May 19, 2025 10:27 pm ... lets you and others inspect the code ...
In order to inspect the code you must have at least the same attention, precision, determination, competence as void.
There is no one like him. He is unique.
win32
Posts: 26
Joined: Fri Mar 19, 2021 11:48 am

Re: A certificate was explicitly revoked by its issuer

Post by win32 »

void,
Have you actually established that there was actually a private key leak?
When you first posted about it I managed to find the executable of this malware: https://www.virustotal.com/gui/file/fd5 ... 3f/details

The thing is, to my understanding, that even though it carries your signature, the certificate doesn't sign the hash! It's not that the cert is revoked, the hash itself doesn't match the signed hash! (I don't know why anyone would do this)
Today I noticed that your VirusTotal link gives exactly the same cert error code: "The digital signature of the object did not verify.", so I wonder if it is a similar case.

In addition, why in your OP the referenced article talks about BYOVD? Did someone point it to you?
If it is so, and although your software isn't a driver, I wonder if the whole issue is some kind of vulnerability to everything which allows write access from the service process by a third party, and all the rest is a case of broken telephone. If they had the certificate they wouldn't talk about broken "drivers".

Sorry for the speculative nature, just allow me this shot just in case! ;)
anmac1789
Posts: 723
Joined: Mon Aug 24, 2020 1:16 pm

Re: A certificate was explicitly revoked by its issuer

Post by anmac1789 »

win32 wrote: Tue May 20, 2025 10:33 pm void,
Have you actually established that there was actually a private key leak?
When you first posted about it I managed to find the executable of this malware: https://www.virustotal.com/gui/file/fd5 ... 3f/details

The thing is, to my understanding, that even though it carries your signature, the certificate doesn't sign the hash! It's not that the cert is revoked, the hash itself doesn't match the signed hash! (I don't know why anyone would do this)
Today I noticed that your VirusTotal link gives exactly the same cert error code: "The digital signature of the object did not verify.", so I wonder if it is a similar case.

In addition, why in your OP the referenced article talks about BYOVD? Did someone point it to you?
If it is so, and although your software isn't a driver, I wonder if the whole issue is some kind of vulnerability to everything which allows write access from the service process by a third party, and all the rest is a case of broken telephone. If they had the certificate they wouldn't talk about broken "drivers".

Sorry for the speculative nature, just allow me this shot just in case! ;)
That's an interesting find
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

Have you actually established that there was actually a private key leak?
When you first posted about it I managed to find the executable of this malware: https://www.virustotal.com/gui/file/fd5 ... 3f/details

The thing is, to my understanding, that even though it carries your signature, the certificate doesn't sign the hash! It's not that the cert is revoked, the hash itself doesn't match the signed hash! (I don't know why anyone would do this)
I saw this too and have asked Microsoft for confirmation.


In addition, why in your OP the referenced article talks about BYOVD? Did someone point it to you?
Microsoft stated that my code signing certificate was used for both user side malware (installing the driver) and the kernel driver itself.
Microsoft linked me to this page. This article is about the malware that my certificate was used to sign.


If it is so, and although your software isn't a driver, I wonder if the whole issue is some kind of vulnerability to everything which allows write access from the service process by a third party, and all the rest is a case of broken telephone. If they had the certificate they wouldn't talk about broken "drivers".
I suspected this too, when I asked Microsoft they said my certificate was used to sign the kernel driver.

I am going to have to ask Microsoft for proof as I am starting to have doubts..



This malware was not signed on my dev PC.
If my private key has leaked, there's a good chance the Everything source code has leaked.



On a side note, I have requested and paid for a new EV certificate + key locker with digicert and it is currently being validated.
anmac1789
Posts: 723
Joined: Mon Aug 24, 2020 1:16 pm

Re: A certificate was explicitly revoked by its issuer

Post by anmac1789 »

Hi void do you know when you get it ?
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

I will ask digicert today to see how long it takes..
I would assume only a few days..
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

digicert:
The validation team tends to be quick. As far as I've noticed, it can take less than a day depending if they are able to validate during an organization's business hours, but also bear in mind that there are many validation requests to also review and process
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

I have my new EV code signing certificate: voidtools PTY LTD

Thanks for your patience while I set up my new certificate.
NotNull
Posts: 5826
Joined: Wed May 24, 2017 9:22 pm

Re: A certificate was explicitly revoked by its issuer

Post by NotNull »

void wrote: Sat May 17, 2025 11:05 pm Trust.
Whose trust?
Companies don't care. Users don't care. DigiCert doesn't care (they even had their own "Oopsie!" where (tens of?) thousands of certificates needed to be revoked at once).

Trust in what?
Trust in you as a developer? Everyone who visits the forums - even if only once in a while - will conclude that you are trustworthy. That can't be faked consistently over such a long time.
Trust in Everything? Before the "certificate-crisis" people installed Everything too. They had to trust the product for that. They will still do so now (I guess in the end most won't even notice this happened).
Your systems turned out clean, the source code is unaffected. What is not to be trusted?


Leaked certificates happen all the time. High profile cases like the ones of Microsoft and Nvidia, but tons of others too. And you and everyone else still use their products ...
And in this case I'm not even convinced the certificate even actually leaked. This whole case feels off. Too many inconsistencies and loose ends.


Anyway, if you did not plan to open-source Everything the week before the certificate-soap started, please don't do so now.
Everything is better off as closed source. At least for now. (might explain later why I think so)

That is my opinion on the matter.
NotNull
Posts: 5826
Joined: Wed May 24, 2017 9:22 pm

Re: A certificate was explicitly revoked by its issuer

Post by NotNull »

nod5 wrote: Mon May 19, 2025 10:27 pm True, but open source and automated public builds lets you and others inspect the code and the build recipes and also lets you compile the code yourself so that you know that the binaries are made from that exact source.
Without the certificates to sign the code, the binaries will differ and can't be compared.

Or like Visual Studio Code: the (open) source code is clean, but the distributed packages based on that contain telemetry components.


"Fun" fact:
Most common cause (according to "Internet") of leaked certificates is code being posted online, on a server (VPS) or storage (AWS) that wasn't locked down properly. People write scripts to scan these resources, download the private certificates and brute-force their password.
What surprised me was *why* they needed these certificates: to sign their game cheats so the game did not block it..
GSD
Posts: 42
Joined: Fri Apr 28, 2023 12:59 pm

Re: A certificate was explicitly revoked by its issuer

Post by GSD »

NotNull wrote: Thu May 22, 2025 6:59 pm (might explain later why I think so)
Please do, if and when you have the time. I do not have a qualified opinion on the matter but have heard a "million" ovations for FOSS, yet very few if any arguments for keeping non-commercial software closed source. Off the top of my head, I guess there's the reasoning that bad actors can find vulnerabilities in the source and opening it up therefore starts an "arms-race". What else is there?
phil2search
Posts: 29
Joined: Tue Mar 20, 2018 9:04 pm

Re: A certificate was explicitly revoked by its issuer

Post by phil2search »

NotNull wrote: Thu May 22, 2025 6:59 pm Companies don't care. Users don't care.
I don't think that is true. It is more complex and I assume that Void thought about it already.

Investing time on software and relying on it for processes creates a dependency. If the software becomes unavailable or expensive because of a business decision, then it is a problem. Open source will be like an insurance for long term availability and, as a user, I consider that when investing time (especially when the learning curve is steep).

Conversely, I have worked with some companies (the very large type) refusing as a policy to use software that they did not purchase from someone. Responsibility issues covered by contracts. For some it can be open source but someone needs to sell it.

Open source is not black and white. Open source is a tool, you need to know what you use it for.
There is not much in common between open source evangelists and Google but both seem happy with it.
There are many different business/organizational models and we have no idea what type of model Void would be interested in.
NotNull wrote: Thu May 22, 2025 6:59 pm Trust in what?
Trust in you as a developer? Everyone who visits the forums - even if only once in a while - will conclude that you are trustworthy. That can't be faked consistently over such a long time.
Trust in Everything? Before the "certificate-crisis" people installed Everything too. They had to trust the product for that. They will still do so now (I guess in the end most won't even notice this happened).
Your systems turned out clean, the source code is unaffected. What is not to be trusted?
Of course you are right on the huge investment in the software and forum making it unlikely that someone who is not trustworthy would do that. And I am of course a daily user so I trust Void and the software. But people not posting on this forum and organizations may have different sensibilities and it depends on how critical the software is. Again, things are not black and white. Examples:

Take Truecrypt (drive encryption). We will never know what happened but pressure on the developer was mentioned as a possible reason for the removal of the software. The source was audited and found ok.
Take xz (open source compression) with a backdoor introduced by fake contributors but eventually found.
Take Keepass (password database) that has been audited several times by non contributors increasing trust.
And, as a side note, when I write some code affecting a lot of data at work, I ask a colleague to check it because I don't fully trust myself I will not do something completely stupid. When looking at something for too long, sometimes I don't see the obvious anymore. The review process helps me (and the software).

Changing the license of source code does not automatically increase the level of trust but it can also be a tool to allow others to look at it.
It depends of the organizational model around the software. Things are complex and we don't know what Void has in mind.
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

Whose trust?
Users.
Users should care.


Trust in what?
Trust in me as a developer and as a publisher of software.

Everything can be seen as different from other software.
Everything has a service with unlimited access.


Anyway, if you did not plan to open-source Everything the week before the certificate-soap started, please don't do so now.
I had made the decision before the start of this topic.



Why open source now?
The internet has become a very hostile place.


Everything is better off as closed source. At least for now. (might explain later why I think so)
I would love to hear your input.



I am going to start off small by open sourcing ES, then Everything 1.4, then eventually, Everything 1.5.
w64bit
Posts: 292
Joined: Wed Jan 09, 2013 9:06 am

Re: A certificate was explicitly revoked by its issuer

Post by w64bit »

Everything can be seen as different from other software.
Everything has a service with unlimited access.
I am going to start off small by open sourcing ES...
I think that open sourcing only ES is enough.
anttin
Posts: 8
Joined: Thu Apr 13, 2023 1:20 pm

Re: A certificate was explicitly revoked by its issuer

Post by anttin »

@void,

I am so glad that you got the certificate problem fixed, it has been difficult to live without being sure if you will be able to continue developing this absolutely excellent software anymore!
I couldn't survive (on computer) without Everything :)

Don't blame yourself for some idiot stealing (if that is actually the case, the story seems a bit suspicious, not on your side but MS) the certificate. As others have said, that happens all the time.

I also hope that you don't make Everything open source, it is so unique software that you should keep it to yourself.
Trust is not a problem, at least I and it seems all others here trust you :)

Especially the 1.5 has many incredible features that make it easily replace Explorer and any other file managers (I have Directory Opus but haven't needed it for a long time, Everything is much better). BTW, I agree that 1.5 should be at very least beta, I have been using it for long time daily and have had no problems so it could be released officially.

So welcome back, keep up the excellent work, thank you! And now there is the new version with new certificate, I'll get it right away :mrgreen:
Last edited by anttin on Sat May 24, 2025 12:34 pm, edited 1 time in total.
dougbenham
Posts: 30
Joined: Wed Mar 15, 2023 8:19 pm

Re: A certificate was explicitly revoked by its issuer

Post by dougbenham »

I'm looking forward to open-source of Everything. I feel like many of your users have technical/coding background and maybe can help add features & fix bugs (if you are open to receiving pull requests).
nod5
Posts: 42
Joined: Fri Aug 19, 2016 9:12 pm

Re: A certificate was explicitly revoked by its issuer

Post by nod5 »

NotNull wrote: Thu May 22, 2025 7:16 pm Without the certificates to sign the code, the binaries will differ and can't be compared.
I'm not involved in such work myself but have the impression the signing can be separated:
The process would be Source Code → Build Process → Unsigned Binary → Signing → Signed Binary
Software creators can use GitHub for open source code hosting and building and can provide both the unsigned and the signed binary and their hashes.
Others can then inspect the difference between those binaries with hex dump tools or hash compare the functional code part of the binaries (signing is only a small part of the overall file).

I'm curious why a few in this thread are against Everything becoming open source.
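
Added example (not part of any post in this thread, and not voidtools code): the comparison nod5 describes above, and the "hash doesn't match the signed hash" condition win32 describes earlier, shown in Python by hashing a PE file the way Authenticode does, skipping the CheckSum field, the Certificate Table directory entry and the certificate table itself. It assumes the certificate table sits at the end of the file and the unsigned image is 8-byte aligned; the sample PE image, the signature blob, the CheckSum value and all function names are constructed for illustration.

```python
import hashlib
import struct


def pe_layout(pe: bytes):
    """Return offsets of the fields Authenticode leaves out of the hash."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:
        raise ValueError("no Certificate Table directory entry")
    checksum_off = opt + 64                      # same offset in PE32 and PE32+
    certdir_off = dirs + 4 * 8                   # data directory index 4
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    return checksum_off, certdir_off, cert_off, cert_size


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Hash the image without CheckSum, the directory entry and the cert table."""
    checksum_off, certdir_off, cert_off, cert_size = pe_layout(pe)
    end = cert_off if cert_size else len(pe)
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at end of file (not handled here)")
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:certdir_off])
    h.update(pe[certdir_off + 8:end])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    """Plain whole-file hash, the one that changes when a signature is attached."""
    return hashlib.sha256(data).hexdigest()


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image: headers plus 64 bytes standing in for code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(range(64))


def attach_signature_blob(pe: bytes, blob: bytes) -> bytes:
    """Stand-in for signing: append a WIN_CERTIFICATE entry holding `blob`."""
    checksum_off, certdir_off, _, cert_size = pe_layout(pe)
    if cert_size or len(pe) % 8:
        raise ValueError("expects an unsigned, 8-byte aligned image")
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    entry += b"\0" * (-len(entry) % 8)           # table entries are 8-byte aligned
    out = bytearray(pe)
    struct.pack_into("<I", out, checksum_off, 0x0001F00D)  # constructed CheckSum value
    struct.pack_into("<II", out, certdir_off, len(pe), len(entry))
    return bytes(out + entry)


def tamper(pe: bytes, offset: int) -> bytes:
    """Flip one byte, modelling a signature carried by content it was not made for."""
    out = bytearray(pe)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = attach_signature_blob(unsigned, b"constructed-pkcs7-placeholder")
    modified = tamper(signed, 330)               # a byte inside the code region
    print("whole-file hashes equal:   ", file_sha256(unsigned) == file_sha256(signed))
    print("authenticode digests equal:", authenticode_digest(unsigned) == authenticode_digest(signed))
    print("modified file still equal: ", authenticode_digest(modified) == authenticode_digest(signed))
```

The whole-file hashes of the unsigned and signed builds differ, while the Authenticode-style digests agree; a file whose content was changed after signing produces a digest that no longer matches the signed one.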
mohsyn
Posts: 32
Joined: Thu Jul 09, 2020 9:26 am

Re: A certificate was explicitly revoked by its issuer

Post by mohsyn »

Void,

Everything has revolutionized search for millions. Since you're already thinking of moving toward open-sourcing, this is a pivotal moment for the community.
Some may have concerns, but open-source projects thrive because of collective effort and trust and diverse ideas.

By sharing its code, Everything could become the foundation for all things search-related, ensuring innovation and longevity.
Those who truly understand its power will see that opening it up is a step toward progress, not risk.

Let Everything become "The thing" of search.

on that note however cliche it may sound, Thank you for Everything.
anmac1789
Posts: 723
Joined: Mon Aug 24, 2020 1:16 pm

Re: A certificate was explicitly revoked by its issuer

Post by anmac1789 »

A lot of Linux software is open source already, so are hundreds of other Windows software too, so why should Everything be closed source just because it's more useful than other software? I'm all for open software since Everything is already a juggernaut from the very beginning, I'm assuming in 2009, but I was in university at that time lol
horst.epp
Posts: 1535
Joined: Fri Apr 04, 2014 3:24 pm

Re: A certificate was explicitly revoked by its issuer

Post by horst.epp »

dougbenham wrote: Sat May 24, 2025 9:23 am I'm looking forward to open-source of Everything. I feel like many of your users have technical/coding background and maybe can help add features & fix bugs (if you are open to receiving pull requests).
It's not enough to provide GUI elements, name and macro definitions and fancy useless functions for a search tool.
I guess the file system low-level knowledge part for this area of programming is not very common in the forum user base.
dougbenham
Posts: 30
Joined: Wed Mar 15, 2023 8:19 pm

Re: A certificate was explicitly revoked by its issuer

Post by dougbenham »

horst.epp wrote: Sun May 25, 2025 9:36 am
dougbenham wrote: Sat May 24, 2025 9:23 am I'm looking forward to open-source of Everything. I feel like many of your users have technical/coding background and maybe can help add features & fix bugs (if you are open to receiving pull requests).
It's not enough to provide GUI elements, name and macro definitions and fancy useless functions for a search tool.
I guess the file system low-level knowledge part for this area of programming is not very common in the forum user base.
I think you are just saying there is a difference between "script kiddies" and actual programmers. And I'd agree with that. There's a good chance I could fix the few bugs relating to 'duplicate search' that I have found. Maybe adding new features would be a stretch, but finding and fixing bugs is well within the reach of an average coder.
phil2search
Posts: 29
Joined: Tue Mar 20, 2018 9:04 pm

Re: A certificate was explicitly revoked by its issuer

Post by phil2search »

dougbenham wrote: Sun May 25, 2025 9:54 am
horst.epp wrote: Sun May 25, 2025 9:36 am
dougbenham wrote: Sat May 24, 2025 9:23 am I'm looking forward to open-source of Everything. I feel like many of your users have technical/coding background and maybe can help add features & fix bugs (if you are open to receiving pull requests).
It's not enough to provide GUI elements, name and macro definitions and fancy useless functions for a search tool.
I guess the file system low-level knowledge part for this area of programming is not very common in the forum user base.
I think you are just saying there is a difference between "script kiddies" and actual programmers. And I'd agree with that. There's a good chance I could fix the few bugs relating to 'duplicate search' that I have found. Maybe adding new features would be a stretch, but finding and fixing bugs is well within the reach of an average coder.
Again. There is a variety of open source projects organizations, goals, and possible contributions.
Contributions can range from documentation and simple scripting to advanced coding, testing, code review, etc. Some of that is coming from this forum already (testing).
People able to do advanced coding may or may not hang out here but some are likely users as microsoft search is so bad. Whether these would contribute is another story. Linux contributors are typically corporate programmers paid for that work as a reminder.

But void may not be looking for such contributions anyways. What he mentioned so far is trust. Period.
How? To be seen... but it means being careful about who he would be accepting contributions from.
NotNull
Posts: 5826
Joined: Wed May 24, 2017 9:22 pm

Re: A certificate was explicitly revoked by its issuer

Post by NotNull »

phil2search wrote: Fri May 23, 2025 6:21 am Conversely, I have worked with some companies (the very large type) ..
Me too.
... refusing as a policy to use software that they did not purchase from someone. Responsibility issues covered by contracts. For some it can be open source but someone needs to sell it.
My experiences differ. When push comes to shove, those companies decide against their own policies if there is no decent alternative.

Anecdote: in a company with *very* strict security (with good reason ..) I stumbled upon an application that simply could not have worked given these security settings. But it did. After a short research, I found that a hole was punched through the security barrier to make it all work. And that could be exploited by others too.
Reply of the Security Officer: We need this application. Please don't tell anyone about the hole...

GSD wrote: Thu May 22, 2025 10:18 pm I do not have a qualified opinion on the matter but have heard a "million" ovations for FOSS, yet very few if any arguments for keeping non-commercial software closed source.
To me, Everything *is* commercial software. Developing Everything is @void's full-time job. His payments come from donations.

A couple of downsides of open-sourcing in general are mentioned here

For the record: I am a proponent of open-source, but in Everything's case less so.
NotNull
Posts: 5826
Joined: Wed May 24, 2017 9:22 pm

Re: A certificate was explicitly revoked by its issuer

Post by NotNull »

void wrote: Fri May 23, 2025 7:38 am
Everything is better off as closed source. At least for now. (might explain later why I think so)
I would love to hear your input.
Everything is currently being exploited by people that offer Everything for a payment. These bad actors would not do that if it was not profitable.
Ergo: other people buy and install it, even if it is not from the official source.

If Everything were open source, there definitely will be bad actors that compile it themselves, after adding their own spyware or other malware (like stealing crypto wallets, because Everything has unlimited access to the system).
And people will install it because Everything has a good reputation. It even looks and feels exactly like Everything does.
(not Everything's fault btw; you can't blame the hammer factory for people using hammers for ill purposes)

If (when?) one of these cases ends up in the news, that would hurt the trust in and reputation of "the real Everything", even though it has nothing to do with it.
(and nevertheless people probably will continue to install it from non-reputable sources without further thinking ..)
mySearch4Everything
Posts: 1
Joined: Wed May 28, 2025 7:04 am

Re: A certificate was explicitly revoked by its issuer

Post by mySearch4Everything »

First of all, a big thank you for providing this excellent tool; it remains unmatched in performance and usability.

Regarding the certificate theft, I have the following question:

In the post <Sat May 17, 2025, 12:11 am>, you wrote: “My dev environment is clean, and I am not seeing any evidence of tampering.” From this, I conclude that all versions downloaded from “voidtools.com” are clean and not compromised.

Is my understanding correct?

If my understanding is correct, then the driver mentioned in the post <Mon May 19, 2025, 3:09 am> was not downloaded from the “voidtools.com” website:

https://www.virustotal.com/gui/file/e44 ... ef6c3ce949

I’m asking because the tool operates at the kernel level, and a compromise could have severe consequences for the entire system.
A rootkit embedded at that level might be neither detectable nor removable with standard tools.
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

Open sourcing will improve Everything through contributions and code checking.


In the post <Sat May 17, 2025, 12:11 am>, you wrote: “My dev environment is clean, and I am not seeing any evidence of tampering.” From this, I conclude that all versions downloaded from “voidtools.com” are clean and not compromised.

Is my understanding correct?
Yes. The malware was not created on my dev PC and was never available from voidtools.com
The certificate was most likely stolen.
eswul62
Posts: 158
Joined: Wed Jul 31, 2013 6:07 am

Re: A certificate was explicitly revoked by its issuer

Post by eswul62 »

NotNull wrote: Tue May 27, 2025 8:35 pm
void wrote: Fri May 23, 2025 7:38 am
Everything is better off as closed source. At least for now. (might explain later why I think so)
I would love to hear your input.
Everything is currently being exploited by people that offer Everything for a payment. These bad actors would not do that if it was not profitable.
Ergo: other people buy and install it, even if it is not from the official source.

If Everything were open source, there definitely will be bad actors that compile it themselves, after adding their own spyware or other malware (like stealing crypto wallets, because Everything has unlimited access to the system).
And people will install it because Everything has a good reputation. It even looks and feels exactly like Everything does.
(not Everything's fault btw; you can't blame the hammer factory for people using hammers for ill purposes)

If (when?) one of these cases ends up in the news, that would hurt the trust in and reputation of "the real Everything", even though it has nothing to do with it.
(and nevertheless people probably will continue to install it from non-reputable sources without further thinking ..)
Up front: I am not a developer, am just a simple end-user...

As a simple end-user, frankly, I always felt/assumed that open source software was/is the most reliable software, because it is 'open' and all can see the code and what it is doing(?) contrary to non-open-source software. Apparently this is quite naive and I should change my perspective towards open source.
How is that controlled then? New releases, they are to be downloaded from some other site? Users need to submit the file to VirusTotal, or what?

That aside, we all, here, are very, very happy the matter of certification has finally been solved. Really great news.
phil2search
Posts: 29
Joined: Tue Mar 20, 2018 9:04 pm

Re: A certificate was explicitly revoked by its issuer

Post by phil2search »

Aside from all discussions on the benefits or limitations of open source (endless debate, many cases), as the owner of the copyright on the source, void can have multiple licenses for the same software and change it with versions too. In the meantime, void moved ahead and started by open sourcing the Everything Server under an MIT license:
https://github.com/voidtools/everything_server

That was the first step of what he announced. We will see what is coming next.
The GitHub page states that "Hosting an Everything Server in a business or enterprise environment requires a Site License."
I don't quite understand what was open sourced but my understanding of the MIT license (https://opensource.org/license/mit) is that it would not prevent that for the source released.
So the enterprise server may have a different source or rely on something else?
void
Developer
Posts: 17803
Joined: Fri Oct 16, 2009 11:31 pm

Re: A certificate was explicitly revoked by its issuer

Post by void »

The Everything Server license needs to be more restrictive.

I have updated the Everything Server license.
phil2search
Posts: 29
Joined: Tue Mar 20, 2018 9:04 pm

Re: A certificate was explicitly revoked by its issuer

Post by phil2search »

Thanks for clarifying. It really was just curiosity from me.
It seemed like the licensing terms did not match your intention.
(I have been involved in scientific open source projects for a while).
Just as an observation, the new license does not fit in the commonly used Open Source definition anymore (https://opensource.org/osd).