Yeah but isn't the point of these certificates to express trust?
replyThe point isn't (or: shouldn't be) to forcefully find your way through some back alley to make it look legit. It's to certify that the software is legit.
Trust goes both ways: we ought to trust Microsoft to act as a responsible CA. Obfuscating why they revoked trust (as is apparently the case) and leaving the phone ringing is hurting trust in MS as a CA and as an organization.
who on planet earth trusts a piece of software because Microsoft signed it?
replyThere are different types of trust, but at the very least with such a signature you can trust that the piece of software is really from Veracrypt and not from a malicious third party.
replyFor one: Most if not all virus scanners.
replyA signature is a signal, not an absolute. Although, to be fair, if Microsoft (or most other CAs) had done a better job, then that trust would have carried more weight than it does currently.
Trust isn't binary, it's a spectrum. A signature is a signal that should increase trustworthiness. Not the strongest signal, perhaps even a weak one, but it's not zero.
replyThat's what VeraCrypt is, a fork of the original TrueCrypt after all drama, security doubts, and eventual discontinuation. It took a long time and two independent audits to establish trust in it.
replyProbably not French though, give how hostile it appears to be to encryption/security related projects (GrapheneOS had a good arguments re: that)
replyThe author is now based in Japan, and even owns a veracrypt.jp domain. Meanwhile, the old veracrypt.fr domain redirects to veracrypt.io.
replySeems rather clear that he doesn't want French jurisdiction.
And Microsoft will be happy to shut that one down because their incompetence.
replySo we'd better find a real solution now.