
I have my binary signed with valid SHA-2 certificates (both Authenticode and timestamp), but SmartScreen on Windows 10 still blocks it and Edge reports that "The signature of this file is corrupt or invalid".

I've checked other binaries from popular sources, like Firefox. They still sign with a SHA1 timestamp certificate, but Windows doesn't report any problems. Can someone advise what's happening?

Link to my binary: https://dl.dropboxusercontent.com/u/21463705/Stackoverflow/Win32Project1.exe

My certificate screenshot

2 Answers


Our installers were suffering from the same issue. Even when I only SHA-2-signed using an SHA-2 certificate, Edge still reported the signature to be invalid.

We were using the same code signing authority, "VeriSign Class 3 Code Signing 2010 CA", which itself is signed using an SHA-1 signature:

[screenshot of the certificate chain]

This seems to be the cause of SmartScreen's "The signature of this file is corrupt or invalid" error message.

I contacted Symantec (they run VeriSign now) and they issued a replacement certificate for us. Unlike the previous one, the new one is signed by "Symantec Class 3 SHA256 Code Signing CA", and executables signed with it no longer trigger the "signature corrupt or invalid" error in SmartScreen.

[screenshot of the replacement certificate]

I still get a warning because our installers don't have enough reputation yet, but that's a completely different issue.

Update: Symantec is now discontinuing the use of SHA-1 Intermediate CA Certificates used for signing SHA-256 Code Signing certificates.

Lukas Pokorny
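A way to check a binary for the chain problem described in this answer (an added example, not code from the question or either answer): it walks the signer and timestamp chains that Windows builds for the Authenticode signature and flags any certificate below the root whose own signature uses SHA-1. It assumes a Windows host with PowerShell 5.1 or later, and the path to the executable is a placeholder.

```powershell
# Added example, not code from the question or the answers. Assumes a
# Windows host with PowerShell 5.1 or later; $Path is a placeholder.
param([Parameter(Mandatory = $true)][string]$Path)

function Test-SigningChain {
    # Builds the chain for one certificate, prints the algorithm each
    # element was signed with, and returns $true if any certificate
    # below the root was signed with SHA-1.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Label
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    [void]$chain.Build($Cert)

    Write-Host "== $Label chain =="
    $tainted = $false
    foreach ($el in $chain.ChainElements) {
        $c   = $el.Certificate
        $alg = $c.SignatureAlgorithm.FriendlyName    # e.g. sha1RSA, sha256RSA
        # A root's self-signature is never verified (it is trusted as an
        # anchor), so only intermediates and the leaf matter here.
        $isRoot = ($c.Subject -eq $c.Issuer)
        $note = ''
        if (-not $isRoot -and $alg -match 'sha1') {
            $tainted = $true
            $note = '   <-- SHA-1 signed'
        }
        Write-Host ("  {0,-70} {1}{2}" -f $c.Subject, $alg, $note)
    }
    return $tainted
}

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Authenticode status: $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { Write-Warning 'File carries no Authenticode signature.'; return }

$bad = Test-SigningChain -Cert $sig.SignerCertificate -Label 'Signer'
if ($sig.TimeStamperCertificate) {
    $bad = (Test-SigningChain -Cert $sig.TimeStamperCertificate -Label 'Timestamp') -or $bad
}

if ($bad) {
    Write-Warning 'A SHA-1-signed intermediate or leaf is in the chain; request a reissued certificate from a SHA-256 CA.'
} else {
    Write-Host 'No SHA-1-signed certificate below the root; the chain itself is not the cause.'
}
```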

I am having much the same problem and haven't yet puzzled out the solution. I think the reason that other binaries signed with SHA1 work is because they were signed before 1st January 2016. The Critical Service Announcement we received states that:

Files signed previously with a SHA-1 certificate will continue to work on Windows 7 and above for an additional year as long as they were time-stamped before January 1, 2016.

and further that,

Starting on Jan. 1, 2017, all SHA-1 signed files will be blocked on Windows 7 and above, regardless of when they were time-stamped.

  • Yes, binaries with a SHA-1 certificate (and even with a SHA-2 certificate but signed with the SHA-1 digest algorithm) and timestamped before 1 January 2016 will work, and my binaries work. But the problem is that binaries signed with a SHA-2 certificate and the SHA-2 digest algorithm are blocked by SmartScreen. Similar issue: http://stackoverflow.com/a/35014546/4299464 – Aleksandr Tischenko Feb 03 '16 at 12:41
  • In the end we had to contact Symantec for a replacement certificate, just like Lukas Pokorny has since reported above. Despite signing our binaries with sha256, the certificate chain had an sha1 certificate further up. – Tufty McTavish Feb 22 '16 at 11:09
  • Symantec has discontinued use of this SHA-1 intermediate CA certificate and is offering free replacement code signing certificates: https://knowledge.symantec.com/support/mpki-for-ssl-support/index?page=content&id=ALERT1978&actp=LIST&viewlocale=en_US – Lukas Pokorny Mar 02 '16 at 08:07