Windows code signing has moved to Azure Trusted Signing

[davidjgraph]

Windows code signing has moved to Azure Trusted Signing: what to expect

TL;DR

Starting with v30.0.0, the Windows builds of draw.io Desktop are signed by draw.io Ltd via Microsoft Azure Trusted Signing instead of by JGraph Ltd via SSL.com. Same project, same maintainers, same source code, same company (we renamed), only the signing identity has changed. For the next few weeks Windows SmartScreen may flag installers as "from an unknown publisher" until reputation builds up against the new identity.

What actually changed

Our previous code-signing certificate (issued to JGraph Ltd by SSL.com) expired on 3 May 2026. The Certificate Authority / Browser Forum mandated in 2023 that all new code-signing certificates be backed by hardware tokens or cloud-signing services , soft .p12 files like the one we'd used since 2023 can no longer be issued.

We evaluated the renewal options. Continuing with SSL.com would have meant either a physical USB token (a non-starter for our cloud-based GitHub Actions release pipeline) or their eSigner cloud service, which had "operational friction" we didn't want to live with on every release. Several projects in our position have moved to Microsoft's Azure Trusted Signing (recently rebranded "Artifact Signing"), and after some testing we did the same:

• Native integration with signtool and our GitHub Actions workflow, no third-party CLI shells, no PIN/TOTP juggling
• Microsoft handles certificate rotation automatically (the actual leaf certificate rotates every three days; CI signs against a stable certificate profile)
• No hardware tokens to manage, ship, or replace
• Microsoft assigns SmartScreen reputation directly to the publisher, which historically builds faster than third-party-CA reputation

We also took the chance to update the publisher legal name from JGraph Ltd to draw.io Ltd, both refer to the same company, but draw.io Ltd is the current Companies House name. The previous JGraph Ltd publisher remains accepted by the in-app updater for several releases so existing installs upgrade smoothly.

What you might see when installing v30.0.0

When you download and run the new installer, Windows SmartScreen may show:

Windows protected your PC

This is the normal warning for any binary signed by a publisher Microsoft hasn't yet seen at scale. To proceed:

1. Click More info
2. Verify the Publisher line reads draw.io Ltd
3. Click Run anyway

If you want to verify the signature before running, right-click the .exe → Properties → Digital Signatures. You should see a signature from draw.io Ltd with a valid timestamp, chaining up to a Microsoft root certificate.

How long does the warning last?

It depends on download volume. Once enough people install v30.0.0 (or any later release), SmartScreen's reputation model trusts the publisher and the warning disappears globally. We expect this to take days to a few weeks. There's nothing you need to do beyond installing normally, every clean install contributes to reputation.

Auto-update users

The in-app updater is configured to accept both JGraph Ltd and draw.io Ltd as trusted publishers during the transition. If you have a previous version installed, it'll pick up v30.0.0 normally, no manual reinstall required.

macOS and Linux

Nothing has changed. macOS continues to use Apple Developer signing and notarisation; Linux packages are unsigned (as before).

Reporting issues

If the SmartScreen warning persists past a couple of weeks, or you see a different/unexpected publisher name, please open an issue on this repo with a screenshot and the full installer filename, that helps us tell genuine reputation lag apart from a real signing problem.

[sscotter]

Hi,

This morning I was using the desktop version of Draw.IO for the first time in a while. I was running 29.3.0 from Jan 9th. I received the following error when Draw.IO tried to automatically update.

Error occurred while fetching updates. 
New version 30.0.0 is not signed by the application owner: publisherNames: JGraph Ltd, raw info: { "SignerCertificate": { "FriendlyName": "", "IssuerName": { "Name": "CN=Microsoft ID Verified CS EOC CA 04, O=Microsoft Corporation, C=US", "Oid": "System.Security.Cryptography.Oid" }, "NotAfter": "/Date(1778534773000)/", "NotBefore": "/Date(1778275573000)/", "PrivateKey": null, "PublicKey": { "Key": "System.Security.Cryptography.RSACryptoServiceProvider", "Oid": "System.Security.Cryptography.Oid", "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData", "EncodedParameters": "System.Security.Cryptography.AsnEncodedData" }, "SerialNumber": "330000E6A063A52A770A8AACA100000000E6A0", "SignatureAlgorithm": { "Value": "1.2.840.113549.1.1.12", "FriendlyName": "sha384RSA" }, "Thumbprint": "7CD31A95EC008ACE58DC0B83800DE639F31DB2E4", "Version": 3, "Issuer": "CN=Microsoft ID Verified CS EOC CA 04, O=Microsoft Corporation, C=US", "Subject": "CN=draw.io Ltd, O=draw.io Ltd, L=Northampton, S=Northamptonshire, C=GB" }, "TimeStamperCertificate": { "Archived": false, "Extensions": [ "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension", "System.Security.Cryptography.X509Certificates.X509Extension", "System.Security.Cryptography.X509Certificates.X509Extension", "System.Security.Cryptography.X509Certificates.X509Extension", "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension", "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension", "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension", "System.Security.Cryptography.X509Certificates.X509Extension" ], "FriendlyName": "", "IssuerName": { "Name": "CN=Microsoft Public RSA Timestamping CA 2020, O=Microsoft Corporation, C=US", "Oid": "System.Security.Cryptography.Oid" }, "NotAfter": "/Date(1792702011000)/", "NotBefore": "/Date(1761252411000)/", "HasPrivateKey": false, "PrivateKey": null, "PublicKey": { "Key": "System.Security.Cryptography.RSACryptoServiceProvider", "Oid": "System.Security.Cryptography.Oid", "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData", "EncodedParameters": "System.Security.Cryptography.AsnEncodedData" }, "SerialNumber": "33000000567E8F9D58088EE960000000000056", "SubjectName": { "Name": "CN=Microsoft Public RSA Time Stamping Authority, OU=nShield TSS ESN:A500-05E0-D947, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "Oid": "System.Security.Cryptography.Oid" }, "SignatureAlgorithm": { "Value": "1.2.840.113549.1.1.12", "FriendlyName": "sha384RSA" }, "Thumbprint": "FF73F729152A9059805E5E0832449D996EF60411", "Version": 3, "Handle": 2642108494112, "Issuer": "CN=Microsoft Public RSA Timestamping CA 2020, O=Microsoft Corporation, C=US", "Subject": "CN=Microsoft Public RSA Time Stamping Authority, OU=nShield TSS ESN:A500-05E0-D947, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" }, "Status": 0, "StatusMessage": "Signature verified.", "Path": "C:\\Users\\firstname.lastname\\AppData\\Local\\draw.io-updater\\pending\\temp-draw.io-30.0.0-windows-installer.exe" }

I did some digging and came across this discussion. Seemed legit, but with supply attacks the way they are now I did some additional due diligence and confirmed the companies name had changed by checking with Companies House.

https://find-and-update.company-information.service.gov.uk/company/04051179

If it is a grift, its a good one!

I've manually updated to v30.0.0 and everything's working as expected.

@davidjgraph Thank you for all your efforts creating and continuing to maintain Draw.IO.

[davidjgraph]

Thanks for posting. Yes, that seems to be the update message, the attempt to provide both company names doesn't seem to have worked as intended, but hopefully the message will go away soon.

[Liviiaa]

One thing that worries me is the attack vector when not using HW-Tokens, what steps are taken to prevent a supply chain attack?
I understand the friction it could cause though...
Tell me you at least have 2FA on.. 😄

[davidjgraph]

The old cert wasn't a hardware token either, it was a soft .p12 file sitting in our github secrets. I think this new system is better. With Azure Trusted Signing the private key lives in Microsoft's HSM and is never exportable, and the leaf cert rotates every few days. The thing to protect now isn't a key, it's "who can ask Azure to sign", and that's all locked down:

• Azure and GitHub accounts are behind MFA (and SSO), so no signing happens off a bare password.
• Signing only runs from our release pipeline, nothing signs locally or ad-hoc.
• Commits to the release branch are restricted to admins, every change goes through a PR with mandatory review by a second person, plus branch protection. So one compromised account can't push code into a release on its own.
• Releases are reproducible, so a build can be re-derived and checked rather than trusted blindly.

And yes, 2FA is on. 8-)