
Two years ago @Dejan Maksimovic asked a question about Internet Explorer showing a valid certificate as “corrupt or invalid signature”. To date I am experiencing a comparable issue with an installer that needs elevated rights.

The problem seems to have the same origin, but this time for KB3124605.

The installer is signed using signtool and the certificate is valid until August 2016.

When I installed a cumulative update containing this patch, Windows SmartScreen tells me that the publisher is unknown, but when I uninstall the security update, Windows seems to be able to distinguish the publisher (the one that is actually mentioned in the certificate info).

The update was released January 12th. Anyone with the same problem?

Running `SignTool verify /pa <My Installer.exe>` returns `Successfully verified: <My Installer.exe>`.

Rik
    Is it an SHA-1 certificate? If so, and if it is timestamped after 1 January 2016, Windows will reject it, see [security advisory 3123479](https://technet.microsoft.com/en-us/library/security/3123479.aspx). (Also, SHA-1 certificates dated before 1 January 2016 might need to be countersigned by a timestamping service, I'm not sure about that.) – Harry Johnston Jan 21 '16 at 21:08
  • Thanks for your reply @Harry. Currently I can not check this, but I will tomorrow when I am back at work. – Rik Jan 21 '16 at 21:16
  • Certificate was SHA-1. Ordered SHA-2 certificate. Hopefully will fix the problem. – Rik Jan 22 '16 at 15:31

2 Answers


After finally receiving a new code signing certificate, I could sign my installer with a SHA256 signature.

I had to add /fd sha256 to signtool, however:

SignTool.exe sign \
  /f "$CERTIFICATE" \
  /p $PFX_PASSWORD \
  /fd sha256 \
  /t "http://timestamp.verisign.com/scripts/timestamp.dll" \
  /d "Name" \
  /du "http://my.website.com/" \
  "<My installer>"

Unfortunately I am still experiencing the SmartScreen warnings (but apparently this is a Windows 8+ feature). Good news is that the publisher is not unknown anymore.

Still trying the Windows Application Verifier for Windows 8, 8.1 and Server 2012 (Windows 10 here) from this post.

EDIT: (See comment by @Bogdan)

For dual signing perform the following steps (will not work for MSI, only for EXE):

SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /t "http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /v "<My installer>.exe"
SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /fd sha256 /tr "http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /as /v "<My installer>.exe"
Rik
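A check that matches Harry Johnston's diagnosis in the comments, added here as an example and not part of either answer: it lists, for every installer under a folder, which algorithm the CA used to sign the code-signing certificate (sha1RSA vs sha256RSA), when it expires, and whether a timestamp countersignature is present. `$ReleaseDir` is a placeholder path; Get-AuthenticodeSignature does not expose the Authenticode file-digest algorithm (the `/fd` value), so that part is out of scope here.

```powershell
# Added example, not from the original answers: inventory the signing state of
# release binaries so SHA-1-certificate or un-timestamped files stand out before
# the KB3124605 / advisory 3123479 behaviour described in the question hits them.
# $ReleaseDir is a hypothetical location; point it at your build output.
$ReleaseDir = "C:\build\release"

Get-ChildItem -Path $ReleaseDir -Include *.exe, *.msi -Recurse -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate          # $null when the file carries no signature

    [pscustomobject]@{
        File        = $_.Name
        Status      = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
        # Algorithm the CA used to sign the certificate: sha1RSA is the case the
        # comments ask about, sha256RSA is the replacement Rik ordered.
        CertAlg     = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { 'n/a' }
        CertExpires = if ($cert) { $cert.NotAfter } else { $null }
        Publisher   = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { 'n/a' }
        # A timestamp countersignature (/t or /tr) is what keeps the signature
        # valid after the certificate itself expires (August 2016 in the question).
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
} | Sort-Object CertAlg, File | Format-Table -AutoSize
```

Rows showing sha1RSA, or Timestamped = False, are the ones to re-sign with the SHA-2 certificate and a timestamp as in the answer above.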

SHA2 signatures are not recognized by OSes older than Windows 7, so if you target those too and want your signature to be visible there you need to perform dual signing.

Microsoft explaining the steps for dual signing, with more details.

Bogdan Mitrache