Invalid digital signature on qt5core.dll

Nessus reported a bad signature on this file:

File Path : c:\program files\rstudio\bin\qt5core.dll
Verification Status : 2148098064
Status Description : TRUST_E_BAD_DIGEST - The digital signature of the object did not verify.
1 :
Subject : C=FI, S=Oulu, L=Oulu, O=The Qt Company Oy, CN=The Qt Company Oy
Issuer : C=US, O="thawte, Inc.", CN=thawte SHA256 Code Signing CA
Serial : 06e9579aab763e72079989c689d2b42d
Thumbprint : a880f2a85e26479432facee768822543ec25dd8c
Not Before : 2017-09-18
Not After : 2020-11-24
2 :
Subject : C=US, O="thawte, Inc.", CN=thawte SHA256 Code Signing CA
Issuer : C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA
Serial : 71a0b73695ddb1afc23b2b9a18ee54cb
Thumbprint : d00cfdbf46c98a838bc10dc4e097ae0152c461bc
Not Before : 2013-12-10
Not After : 2023-12-09
3 :
Subject : C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA
Issuer : C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA
Serial : 344ed55720d5edec49f42fce37db2b6d
Thumbprint : 91c6d6ee3e8ac86384e548c299295c756c817b81
Not Before : 2006-11-17
Not After : 2036-07-16

This was previously posted here:

I've verified this issue persists in the latest version of RStudio Desktop.
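For triaging a finding like the one quoted above, here is an added example (not part of the original post and not Nessus or RStudio code) that parses the plugin output, decodes the decimal verification status into its HRESULT, and lists which chain certificates fall outside their validity window on a given date. The function names `parse_report` and `triage` are hypothetical, and the embedded report is a trimmed copy of the output in the post.

```python
import re
from datetime import date

# Constructed sample: the plugin output quoted in the post, trimmed to Subject and dates.
REPORT = """\
File Path : c:\\program files\\rstudio\\bin\\qt5core.dll
Verification Status : 2148098064
Status Description : TRUST_E_BAD_DIGEST - The digital signature of the object did not verify.
1 :
Subject : C=FI, S=Oulu, L=Oulu, O=The Qt Company Oy, CN=The Qt Company Oy
Not Before : 2017-09-18
Not After : 2020-11-24
2 :
Subject : C=US, O="thawte, Inc.", CN=thawte SHA256 Code Signing CA
Not Before : 2013-12-10
Not After : 2023-12-09
"""

# Well-known WinTrust/CryptoAPI HRESULTs (values from winerror.h).
HRESULTS = {
    0x80096010: "TRUST_E_BAD_DIGEST",    # file hash differs from the signed hash
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

def parse_report(text):
    """Return (status, certs) from 'Key : Value' lines; an 'N :' line starts a new cert."""
    status, certs = None, []
    for line in text.splitlines():
        if re.fullmatch(r"\d+ :", line.strip()):
            certs.append({})
            continue
        key, sep, value = line.partition(" : ")
        if key.strip() == "Verification Status":
            status = int(value)
        elif sep and certs:
            certs[-1][key.strip()] = value.strip()
    return status, certs

def triage(text, on_date):
    """Separate a digest mismatch from certificate-validity problems as of on_date."""
    status, certs = parse_report(text)
    hresult = status & 0xFFFFFFFF
    outside = [c["Subject"] for c in certs if not
               date.fromisoformat(c["Not Before"]) <= on_date <= date.fromisoformat(c["Not After"])]
    return {"hresult": f"0x{hresult:08X}", "name": HRESULTS.get(hresult, "unknown"),
            "digest_mismatch": hresult == 0x80096010, "certs_outside_validity": outside}
```

The digest result and the validity-window result are reported separately because they are different conditions: a bad digest means the file's hash does not match the signed hash, whatever the certificate dates are.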

I'm going to get told off because I have just posted the same question on another thread.
We too have Nessus showing any device running RStudio as having a critical vulnerability. Apparently I must "explain to the auditors that the critical vulnerability isn't one, and that all is okay". In other words we must say "trust me it's okay"... to an auditor... yeah, that's all it takes.

As I said on the other thread, I'm sort of confused that no one seems to care/notice. Is it just me???? This has occurred for over two years (to my knowledge).

It would be poor form for a trusted developer to include third party code that has not been properly signed.

I completely agree Dave.
I can't just ignore this invalid dll, and I'm shocked that it's persisted for years.

Is the same dll also present in RStudio Desktop Pro?
If we need to pay $1k/year/lic to satisfy all parties, then at least a solution exists.

I thought of registering for desktop pro, just so I can make a support call on it. Maybe I will.
When I pulled it from the clusters I got some annoyed students, but as my boss said, "if they (RStudio) don't understand why having an invalid signature is a bad practice, how can we trust them with what they are releasing?" She has a point, malware is a lot more difficult to find than invalid signatures, and if they can't spot invalid signatures...
RStudio users kicked off, saying "an invalid signature does not affect the dll, it still functions correctly!". Some people just don't "get it".

I could be mistaken, but I believe RStudio plan for version 1.5 to run on Electron rather than QtWebEngine.
I also saw that they list your issue as part of an epic 'ghost orchard'.

Qt 5.12.x: vulnerability scan detected that qt5score.dll has expired certificate #2521

Yes, this is an issue with the copy of Qt that is bundled in RStudio and isn't something we can fix. We are going to switch the rendering engine over to Electron in an upcoming release (alpha likely later this year).
