Overview

On December 8th 2025, Sectigo abruptly revoked RustDesk’s Extended Validation (EV) Code Signing Certificate without presenting any evidence of malicious behavior or security compromise. This unilateral action immediately disrupted RustDesk users worldwide, triggering false SmartScreen warnings, breaking enterprise deployments, and damaging trust in the software supply chain.

As an open-source remote desktop project used by millions globally, RustDesk takes security and transparency as core principles.

Sectigo’s unjustified revocation — later admitted to be a false positive — represents not only a direct harm to our project but also a serious threat to the integrity of the global digital certificate trust model.

Why Sectigo’s Action Is Unacceptable

According to the CA/Browser Forum EV Code Signing Guidelines, a CA may revoke an EV certificate only when supported by verifiable, auditable evidence such

• confirmed malicious activity,

• verified key compromise,

• fraudulent organization information, or

• legal mandate.

None of these conditions applied to RustDesk.

Sectigo’s decision to revoke a critical EV certificate based on an internal false positive — without evidence, without warning, and without transparency — is a breach of industry standards and a dangerous precedent.

If a CA can arbitrarily revoke certificates, the entire trust system that underpins software distribution becomes fragile.