Any downsides to overwriting certificate signatures of dependency files already signed by Microsoft?

I am adding EV code signing to my build process of a .NET program and I ran into a dilemma. I initially wanted to sign all .exe and .dll files in my release directory but I now realized many of the dependency .dll files are already signed by Microsoft.

Is it OK to overwrite the certificate signature with my own, effectively removing Microsoft’s signature? I am worried this may trigger additional false positive detections by Windows Defender since it probably trusts files signed by their own cert the most.

If I want to avoid overwriting it, I have to make my build process less robust and manually set entire paths to only files that I want to sign and I would like to avoid that, if there are no downsides to overwriting. Thanks.



Solution 1:[1]

You can check if a file is already signed, and only sign unsigned files.

I use powershell's Get-AuthenticodeSignature since my automation is done via PoSh anyway. Then it's easy to do:

$filesToSign = @()   # $releaseDir: the directory whose .exe/.dll files are checked
foreach ($file in Get-ChildItem -Path $releaseDir -Recurse -Include *.exe, *.dll) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -eq 'NotSigned') {
        $filesToSign += $file.FullName   # only files without any signature get ours
    }
}

Unrelated side note: If your build is not run via powershell, e.g. if you run this in a VS PostStep, make sure that you do not call a new powershell.exe for each file you want to check, as the startup of powershell.exe can be quite significant (100-200ms for hundreds of files adds up).
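A fuller version of that check, added here as an example and not the answerer's own script: it walks a release directory, signs only files whose status is NotSigned, leaves files that already carry a valid signature (Microsoft's or anyone else's) untouched, and refuses to sign over a dependency whose existing signature no longer verifies, since re-signing such a file would replace the evidence of tampering with a valid signature of your own. The $ReleaseDir, $Thumbprint and $TimestampUrl values are assumptions you must replace.

```powershell
# Added example, not from the original answer. Assumed inputs: the release
# directory, the thumbprint of the EV certificate in the current user's store,
# and a timestamp server URL (placeholder; use your CA's real URL).
param(
    [string]$ReleaseDir   = '.\bin\Release',
    [string]$Thumbprint   = 'REPLACE-WITH-YOUR-EV-CERT-THUMBPRINT',
    [string]$TimestampUrl = 'http://timestamp.example.invalid'
)

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Signing certificate $Thumbprint not found in Cert:\CurrentUser\My" }

$toSign  = @()   # no signature at all: these get ours
$keep    = @()   # validly signed by another publisher: leave as-is
$suspect = @()   # signed, but the signature does not verify: investigate, do not re-sign

foreach ($file in Get-ChildItem -Path $ReleaseDir -Recurse -Include *.exe, *.dll) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    switch ($sig.Status.ToString()) {
        'NotSigned' { $toSign += $file.FullName }
        'Valid'     { $keep += [pscustomobject]@{ Path = $file.FullName; Signer = $sig.SignerCertificate.Subject } }
        default     { $suspect += [pscustomobject]@{ Path = $file.FullName; Status = $sig.Status } }
    }
}

# HashMismatch / NotTrusted on a dependency means the bytes differ from what its
# publisher signed, or the chain is not trusted on this machine. Fail the build
# rather than hide that behind a fresh, valid signature of our own.
if ($suspect.Count -gt 0) {
    $suspect | Format-Table -AutoSize | Out-String | Write-Warning
    throw "Refusing to sign: $($suspect.Count) file(s) carry a signature that does not verify"
}

Write-Host "Leaving $($keep.Count) already-signed file(s) untouched:"
$keep | Format-Table -AutoSize

foreach ($path in $toSign) {
    $result = Set-AuthenticodeSignature -FilePath $path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    if ($result.Status -ne 'Valid') { throw "Signing failed for ${path}: $($result.StatusMessage)" }
    Write-Host "Signed $path"
}
```

Run it from the build step once, over the whole directory, so PowerShell starts a single time rather than once per file.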

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Martin Ba