Sublime Forum

CAPI2 logs in Windows show errors with the certificate chain

#1

CAPI2 logs in Windows show errors with the certificate chain, can you please look into this? The certificate looks like it's valid in the file properties, but behind the scenes something is obviously wrong. This is for Sublime Text.

0 Likes

#2

When enabling CAPI logging, I see lots of certificate-related error messages with all sorts of applications on Windows, even some Microsoft tools. It does not look like something specific to Sublime Text.

0 Likes

#3

Also seems to fail a signtool.exe verification.

0 Likes

#4

Well, maybe the reason for CAPI errors, but as well a common error reproducible with most (even all?) signed non-Microsoft programs.

I checked Total Commander, various Python executables and other

The signature verifies well with signtool verify /pa <exe>, but without /pa I see an error about the root certificate not being trusted.

/pa Specifies that the Default Authentication Verification Policy is used. If the /pa option isn’t specified, SignTool uses the Windows Driver Verification Policy. This option can’t be used with the catdb options.

see: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

It would make sense that verification fails if “Driver Policy” is applied, as those probably use more restricted CA certs.

0 Likes
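
The comparison described in post #4, as an added example that is not part of the original thread: it runs `signtool verify` on each file with and without `/pa` and flags files that fail only under the Windows Driver Verification Policy. It assumes `signtool.exe` from the Windows SDK is on `PATH`; the function name, the output column names and the script's `-Path` parameter are hypothetical.

```powershell
# Added example, not from the thread. Assumes signtool.exe (Windows SDK) is on PATH.
# Covers embedded Authenticode signatures only.
param(
    [Parameter(Mandatory)]
    [string[]]$Path   # signed executables to check, supplied by the caller
)

function Invoke-SignToolVerify {
    param([string]$File, [switch]$DefaultAuthPolicy)
    $stArgs = @('verify')
    if ($DefaultAuthPolicy) { $stArgs += '/pa' }   # Default Authentication Verification Policy
    $stArgs += $File
    $null = & signtool.exe @stArgs 2>&1            # discard console output, keep the exit code
    # SignTool exit codes: 0 = success, 1 = failed, 2 = completed with warnings
    switch ($LASTEXITCODE) { 0 { 'OK' } 2 { 'Warning' } default { 'Failed' } }
}

$results = foreach ($file in $Path) {
    $resolved = (Resolve-Path -LiteralPath $file).Path
    $driver = Invoke-SignToolVerify -File $resolved                      # no /pa: driver policy
    $auth   = Invoke-SignToolVerify -File $resolved -DefaultAuthPolicy   # with /pa
    [pscustomobject]@{
        File              = Split-Path $resolved -Leaf
        DriverPolicy      = $driver
        DefaultAuthPolicy = $auth
        # Cross-check with PowerShell's own Authenticode validation
        PowerShellStatus  = (Get-AuthenticodeSignature -LiteralPath $resolved).Status
        # True when the failure comes from the policy choice, not from the signature
        PolicyOnly        = ($driver -eq 'Failed' -and $auth -eq 'OK')
    }
}
$results | Format-Table -AutoSize
```

A row with `PolicyOnly` set to `True` matches what post #4 reports: the signature verifies under the default authentication policy and is rejected only when the driver policy is applied.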