Security Risk: Self-Signed Certificate (with Exportable Private Key) in Trusted Root CA Store

[InteXX]

I'm not sure that simply removing the additional key usages, as discussed here, is enough.

A greater risk is incurred by keeping it there—and with an exportable private key—instead of the Personal store. Personally, I've moved both of mine to Personal, for both CurrentUser and LocalMachine. I haven't yet removed the exportable flag, but I'll be doing that shortly.

Here's ChatGPT's take on it (much better than I could do):

---

Security Implications of AutoHotkey's Self-Signed Code Signing Certificate

Here’s the difference in terms of security and why moving the certificate to Personal is safer than leaving it in Trusted Root:

---

1. Certificate in Trusted Root

• Trust scope: Anything signed by this certificate is fully trusted system-wide.
• Implication for code signing: Since it’s in the root store, Windows treats the certificate as a CA. That means any executable or script signed with this cert is automatically trusted, even outside the context of AutoHotkey.
• Risk: If the private key is exportable or compromised:
  • Malicious code could be signed and run without triggering warnings.
  • It effectively gives “root-level trust” to a self-signed cert that shouldn’t be a CA.

2. Certificate in Personal store

• Trust scope: Limited to the machine/user context.
• Implication for code signing: AutoHotkey can still sign scripts and executables, and they are trusted because Windows checks personal store certificates for code signing purposes.
• Risk: Minimal. The main concern is still protecting the private key. If it’s non-exportable and only accessible to your account, it can’t be abused system-wide.

3. Key takeaways

• Trusted Root = broader trust, higher risk: essentially allows any signed content to be treated as fully trusted by the OS.
• Personal = limited trust, lower risk: only affects the signing context where it’s intended (AutoHotkey scripts).
• Non-exportable private key: reduces risk further in both cases, but especially critical in the root store.

---

Bottom line:

Moving the AutoHotkey code signing certificate to the Personal store eliminates the systemic risk of a self-signed root CA being abused, while still allowing the intended functionality of signing scripts. Leaving it in the root store is unnecessary and risky, even though the cert can only sign code.

[Lexikos]

AI chat bots are great liars with access to vast information; they are not credible.

Enabling uiAccess requires putting the file in a trusted location, which requires admin rights and effectively makes it a "for all users" installation. The file should be trusted for all users, not just the admin who installed AutoHotkey. Trusting the certificate system-wide is a requirement.

If a process has access rights to use or export the key from the Local Machine store, it already has elevated privileges and can do whatever it wants, including generate a new key and trusted root certificate. It doesn't need to do that though, since it can change program files and such. Leaving the key in the store does not increase risk.

That is, unless you put the key in the Personal store. In that case, processes running under that user can access the key even if they do not have elevated (admin) privileges, putting it at greater risk.