11

We have signed our product installation using SignTool.exe and a GoDaddy certificate, and our signature appears valid in Windows and using the "verify" option of SignTool. However, when the file is downloaded in Internet Explorer 9, it reports that "The signature of is corrupt or invalid".

We obviously don't want our users to have problems with installation of our setup, so I need help in fixing it. Strange that there is basically no help on this issue online.

Dejan Maksimovic
  • Been distributing installers signed with a GoDaddy cert for 1 year without a problem until yesterday. 3 different customers called with this problem. IE gave this error but Windows thought it was OK. We couldn't reproduce the problem and other customers throughout the day didn't have any trouble. I suspect some sort of server outage or error on Microsoft or GoDaddy's part but haven't found any info yet. Please share anything you find and I will do the same. – tgr42 Sep 19 '13 at 15:05
  • Thanks for sharing your experience. However, I have just tried it again and still got the same problem. Hope we will find out something about it soon. I will let you know if I learn anything new. – Dejan Maksimovic Sep 19 '13 at 15:46
  • I am having the same issue again, but now with KB3124605. Anyone else? – Rik Jan 21 '16 at 14:40
  • @Rik, see my answer below. – user3114639 Feb 01 '16 at 10:02

4 Answers

14

Microsoft released a security update on January 12th 2016. This update has changed the way Windows enforces Authenticode code signing and timestamping.

If your code signing certificate has a SHA1 signature, anything signed with such a certificate after the end of 2015 was being flagged as an invalid signature. So you will need to have your certificate re-issued to meet the new requirements.

Take a look at this article: Renew your Windows code signing certificates by December 31, 2015.

user3114639
  • I posted an answer on [how to use `Signtool` to sign your file(s)](http://stackoverflow.com/questions/34927266/windows-thinks-signed-installer-is-malware-after-security-update-kb3124605) – Rik Feb 01 '16 at 16:04
  • Good find. In my case the problem is occurring in the Microsoft Edge browser, not IE9 as was the case for the OP. In other words, I think I'm having the same problem as the OP, but for a *different* reason (Microsoft dropping support of SHA1), hence the fact this answer is correct for my problem but may not be correct for the OP's specific problem. – I say Reinstate Monica Feb 04 '16 at 22:34
6

I've discovered through trial and error that this is caused by a Windows update that breaks IE:

Cumulative Security Update for Internet Explorer (2870699) - published Sept. 10, 2013

http://support.microsoft.com/kb/2870699

http://technet.microsoft.com/en-us/security/bulletin/ms13-069

I installed all of the latest updates and was able to reproduce the problem. I then uninstalled this single update and it fixed the problem. I then reinstalled the update and it was broken again.

This is bad!

tgr42
6

The bug is known by Microsoft:

http://connect.microsoft.com/IE/feedback/details/800433/kb2870699-breaks-ie-msi-signature-validation

Valentin
  • The workaround from GoDaddy described there (timestamping with SHA256 instead of SHA1) worked for me. – rsanchez Nov 26 '13 at 23:10
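
The SHA-256 re-signing and timestamping that the answers and comments above point to, as an added example that is not part of the original posts: it signs with a SHA-256 file digest and a SHA-256 RFC 3161 timestamp, then reports which algorithms the signer and timestamp certificates use. The installer path, PFX file, `PFX_PASSWORD` variable, timestamp URL and the `Get-SignatureReport` helper are assumptions for illustration, and `signtool.exe` is assumed to be on the PATH.

```powershell
# Added example. Paths, the PFX name and the timestamp URL are placeholders.
param(
    [string]$Installer    = '.\setup.exe',                      # hypothetical installer
    [string]$Pfx          = '.\codesign.pfx',                   # hypothetical certificate file
    [string]$TimestampUrl = 'http://timestamp.example.invalid'  # placeholder: your CA's RFC 3161 URL
)

# Hypothetical helper: summarize what Windows sees in the Authenticode signature.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerAlg = $null
    $stampAlg  = $null
    if ($sig.SignerCertificate) {
        $signerAlg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    }
    if ($sig.TimeStamperCertificate) {
        $stampAlg = $sig.TimeStamperCertificate.SignatureAlgorithm.FriendlyName
    }

    [pscustomobject]@{
        Path                   = $Path
        Status                 = $sig.Status
        StatusMessage          = $sig.StatusMessage
        SignerCertAlgorithm    = $signerAlg     # e.g. sha1RSA or sha256RSA
        TimestampCertAlgorithm = $stampAlg
        Timestamped            = [bool]$sig.TimeStamperCertificate
        # True when either leaf certificate was itself signed with SHA-1.
        Sha1Certificate        = [bool](@($signerAlg, $stampAlg) -match '^sha1')
    }
}

# /fd sets the file digest, /tr the RFC 3161 timestamp server, /td its digest.
& signtool.exe sign /f $Pfx /p $env:PFX_PASSWORD /fd SHA256 /tr $TimestampUrl /td SHA256 $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /pa applies the default Authenticode verification policy, /v prints the chain.
& signtool.exe verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$report = Get-SignatureReport -Path $Installer
$report | Format-List
if ($report.Sha1Certificate) {
    Write-Warning 'A SHA-1 certificate is in use; ask the CA to re-issue it with SHA-256.'
}
```

`Get-AuthenticodeSignature` does not expose the file digest algorithm, so read that from the verbose `signtool verify` output, and repeat the download test in the affected browser after re-signing.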
0

Old news, but if you find yourself here today, we just published a set of steps which can help solve this problem (not as a developer, but as a user trying to run an installer). The details are in our blog but in short, your main options are:

  • Use a different web browser to download the file
  • Choose a different download location
  • Tell Windows SmartScreen to ignore this warning
Pablo D.