Skip to content
Support
  • There are no suggestions because the search field is empty.

Upcoming Change: new Devicie code signing certificate

From November 17th, 2025 Devicie will switch to a new code signing certificate. The root certificate authority will be changed which may impact customers using application control.

Devicie will soon move its Code Signing Certificate to a HSM (Hardware Security Module) vault as part of general maintenance, and as an opportunity to enhance current practices. To support the HSM, the signing certificate and its root certificate authority will change for all Devicie signed code. These changes may impact customers who are using application control technologies.

Affected customers

  • Customers using application control technologies such as WDAC (Windows Defender Application Control), App Control for Business, AppLocker, Airlock, Threat Locker or any others. 
  • Customers using publisher certificate based allow listing rules for application control

✏️ Note: application control is one of the Essential Eight mitigation strategies. If your organisation is aligned to Essential Eight (or in the process of implementing Essential Eight policies) then you may be impacted by this change. If you are using Devicie E8 App Control policies, you will not be impacted.

Affected application types

  • PowerShell scripts in Devicie back catalog applications
  • PowerShell scripts in bespoke applications
  • Devicie Telemetry App

Required action

If you meet the affected customer criteria above than then you will need to update your allowlisting rule configuration by following the instructions below. 

WDAC / App Control for Business

If you have currently configured publisher certificate rules, then you should have a current rule that looks like this:

<Signer ID="ID_SIGNER_S_E9" Name="Sectigo Public Code Signing Root R46">
<CertRoot Type="TBS" Value="A229D2722BC6091D73B1D979B81088C977CB028A6F7CBF264BB81D5CC8F099F87D7C296E48BF09D7EBE275F5498661A4"/>
<CertPublisher Value="Devicie Pty Ltd"/>
</Signer>
In order to prepare for the upcoming certificate change, you need to add the following publisher rule alongside your existing one:
 

<Signers> section

<Signer ID="ID_SIGNER_S_DEVICIE" Name="Verokey High Assurance Secure Code EV">
<CertRoot Type="TBS" Value="7AD015EE948651896BD2EC10FC5B142BDBACA6B81EDAAB5AE8473A7D18B049C55100BF3A526AE4F056343C218B6F3361"/>
<CertPublisher Value="Devicie Pty Ltd"/>
</Signer>
 <AllowedSigners> section
<AllowedSigner SignerId="ID_SIGNER_S_DEVICIE"/>
 <CiSigners> section
<CiSigner SignerId="ID_SIGNER_S_DEVICIE"/>
 

Other application control tools

For customers using other solutions for allow listing, you should create a publisher rule based on the certificate file provided below:
 

🔐Devicie Code Signing Cert NOV2025