
This Microsoft tool adds an INVALID Microsoft digital signature when you build an MSI.

Anyone know of a simple way to stop the tool from adding the digital signature? Or an easy way to remove digital signature after the build?

VS2015 Installer Projects link https://visualstudiogallery.msdn.microsoft.com/f1cc3f3e-c300-40a7-8797-c509fb8933b9

The MSI file works fine even with the bad signature. BUT, when someone tries to download the MSI with the Edge browser, it blocks the download and shows this download error message: "The signature for this file is corrupt or invalid", with a big scary RED Error shield icon.

If you want to scare away potential users from your product or tool, this is the perfect way to do it.

Rant: Microsoft took a big bow when it made this tool available again after dropping it in 2012. Telling developers "See we do listen to you and we brought back this popular tool." Well, wouldn't you think Microsoft could assign a low level developer to maintain it and fix simple things like this. Seems to be just another toy with a broken wheel that MS tossed into the sandbox and left it there to fall apart. C'mon Microsoft, spend 10 minutes and fix this.

LT Dan

2 Answers


The problem appears to be that older SHA1 certificates are no longer valid after the end of 2015 and security changes that enforce it, as in this thread and the Jan 12th security update comment:

Internet Explorer shows valid certificate as "corrupt or invalid signature"

I haven't personally tried this idea here, but it looks like fairly easy code to test on an MSI file to delete the certificate:

http://www.fluxbytes.com/csharp/remove-digital-signature-from-a-file-using-c/

PhilDW
  • PhilDW, thanks. The info about SHA1 being deprecated in Jan 2016 is very good to know. This is indeed a SHA1 certificate. I tried the Fluxbytes tool (there is a precompiled download at the page you linked). But it did not seem to remove the certificate even though the tool reports that it did the removal. When I check the file properties in Windows it still shows a Digital Signatures tab with the certificate. But thanks, that was worth a try. – LT Dan Feb 14 '16 at 21:11
  • I just had a customer call me asking about this last night. He's on InstallShield 2012 and now has to choose between updating to InstallShield 2015 or just not code signing anymore. – Christopher Painter Feb 15 '16 at 18:39
  • I've tried C++ and C# ImageRemoveCertificate calls and the underlying issue is getting error 87, invalid parameter - if I succeed I'll post here. – PhilDW Feb 15 '16 at 20:41
  • So annoying - I can call ImageEnumerateCertificates() on an exe but not on an MSI file. – PhilDW Feb 15 '16 at 23:43
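The two comments above are explained by the file format: an MSI is an OLE compound (structured storage) file, not a PE image, so the imagehlp functions that enumerate or remove a PE's Authenticode certificate have nothing to operate on. Windows Installer stores the PKCS#7 signature in a stream named "\x05DigitalSignature" (with an optional "\x05MsiDigitalSignatureEx" stream beside it). The following is an added example, not code from the thread or from any of the tools it links: a minimal compound-file reader that lists an MSI's streams, reports whether the signature stream is present (the check LT Dan did by hand in the Digital Signatures tab), and scans that stream for the DER-encoded SHA-1 and SHA-256 digest OIDs to tell which digest the signature uses. The OID scan is a substring heuristic rather than a full DER parse, and `build_sample_msi` produces a constructed file for testing, not a real installer; the signature blob in it is a placeholder, not a real PKCS#7 structure.

```python
"""Added example (not from the thread): list an MSI's streams, report whether it
carries a digital signature, and which digest OID that signature names. An MSI is
an OLE compound file, not a PE image, so imagehlp's ImageEnumerateCertificates
fails on it; Windows Installer keeps the PKCS#7 in "\x05DigitalSignature"."""
import struct
import sys

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
SIGNATURE_STREAM = "\x05DigitalSignature"
DIGEST_OIDS = {  # DER-encoded digest OIDs an Authenticode SignedData may name
    "sha1": bytes.fromhex("06052b0e03021a"),            # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}


def _sector(data, n, size):  # sector n begins after the 512-byte header
    return data[(n + 1) * size:(n + 2) * size]


def _parse(data):
    """Return (sector_size, fat, first_directory_sector) from the CFB header."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []  # the header DIFAT lists the first 109 FAT sectors
    for i in range(min(n_fat, 109)):
        fat_sec = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        fat += struct.unpack(f"<{size // 4}I", _sector(data, fat_sec, size))
    return size, fat, first_dir


def _chain(fat, start):
    """Yield the sectors of a FAT chain; stops at ENDOFCHAIN and refuses loops."""
    seen = set()
    while start < len(fat) and start not in seen:
        seen.add(start)
        yield start
        start = fat[start]


def list_streams(data):
    """Return {name: (start_sector, byte_size)} for every live directory entry."""
    size, fat, first_dir = _parse(data)
    entries = {}
    for sec in _chain(fat, first_dir):
        raw = _sector(data, sec, size)
        for off in range(0, size, 128):  # 128-byte directory entries
            name_len, etype = struct.unpack_from("<HB", raw, off + 64)
            if etype == 0 or name_len < 2:
                continue  # unused slot
            name = raw[off:off + name_len - 2].decode("utf-16-le")
            entries[name] = struct.unpack_from("<IQ", raw, off + 116)
    return entries


def signature_report(data):
    """{'signed': bool, 'digests': [...]} from the DigitalSignature stream."""
    size, fat, _ = _parse(data)
    streams = list_streams(data)
    if SIGNATURE_STREAM not in streams:
        return {"signed": False, "digests": []}
    start, length = streams[SIGNATURE_STREAM]  # regular sectors (>= 4096 cutoff)
    blob = b"".join(_sector(data, s, size) for s in _chain(fat, start))[:length]
    # Heuristic: substring search for the digest OIDs, not a full DER parse.
    return {"signed": True,
            "digests": [n for n, der in DIGEST_OIDS.items() if der in blob]}


def build_sample_msi(signed, digest="sha1"):
    """Constructed minimal compound file for testing; not a real installer."""
    size, cutoff = 512, 4096

    def entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
              start=ENDOFCHAIN, n=0):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, left, right, child)
        struct.pack_into("<IQ", e, 116, start, n)
        return bytes(e)

    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN]  # sector 0 FAT, 1 directory, 2 data
    sectors = [b"S" * size]  # placeholder SummaryInformation body in sector 2
    dirs = [entry("Root Entry", 5, child=1),
            entry("\x05SummaryInformation", 2, left=2 if signed else NOSTREAM,
                  start=2, n=size)]
    if signed:  # eight chained sectors (3..10) keep it out of the mini stream
        fat += [4 + i for i in range(cutoff // size - 1)] + [ENDOFCHAIN]
        dirs.append(entry(SIGNATURE_STREAM, 2, start=3, n=cutoff))
        blob = DIGEST_OIDS[digest].ljust(cutoff, b"\x00")  # stands in for PKCS#7
        sectors += [blob[i:i + size] for i in range(0, cutoff, size)]
    fat += [FREESECT] * (size // 4 - len(fat))
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, cutoff, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)  # DIFAT: FAT is sector 0
    return (bytes(hdr) + struct.pack(f"<{size // 4}I", *fat)
            + b"".join(dirs).ljust(size, b"\x00") + b"".join(sectors))


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(signature_report(fh.read()))
```

Run it as `python check_msi_sig.py Setup.msi`. On a real MSI the listing also contains the installer's table streams, whose names Windows Installer stores in a compressed encoding and which therefore look like runs of unusual characters; the two signature stream names are stored literally. If the report still says `signed` after a "removal" tool has run, the tool did not touch the stream, which matches what the Digital Signatures tab showed above. Actually removing the signature means deleting that stream from the compound file (for example through the structured storage API's IStorage::DestroyElement), not calling a PE certificate API on the file.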

To fix this you can also try to dual sign the package, instead of completely removing the digital signature. This way the warning message about the invalid signature will disappear on download and also the correct info will appear in the UAC prompts on install.

Dual signing of course requires a SHA-2 certificate.

SHA-2 signatures are not recognized by OSes older than Windows 7, so if you target those too and want your signature to be visible there you need to perform dual signing.

Microsoft explaining the steps for dual signing, with more details.

Bogdan Mitrache
  • Good info, but I don't think dual signing addresses the question. The question seemed to be about a .msi file and Microsoft's article mentions that dual signing doesn't work for .msi files. – Michael Urman Feb 15 '16 at 13:25
  • Indeed, MSIs do not support dual sign, but the files inside do. The article also mentions how to handle signing for MSIs: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#How_to_handle_MSI_files – Bogdan Mitrache Feb 15 '16 at 14:33
  • Bogdan, Thanks for those links. I read the material and it looks a lot more complicated than I want to deal with. For now, I just might wait a while to see if Microsoft fixes their broken tool. I know, I'm probably a fool to think they will. This is starting to look like something on the scale of the Y2K mess (Year 2000 bug). – LT Dan Feb 15 '16 at 18:32
  • Bogdan, One of your links says, "Windows will no longer trust files with a SHA-1 signature (file hash or timestamp) after 1/1/2017." Does that mean that Windows will refuse to run a SHA-1 signed MSI at all -- even if the user wants to proceed? – LT Dan Feb 15 '16 at 18:36
  • @LT Dan No, it will just raise a warning message for files downloaded from Internet (as in the sample screenshots from the article) and will also say "Publisher Unknown" in the UAC and SmartScreen, but the user can run it. Also, this will apply to only Win 7 and newer OSes. – Bogdan Mitrache Feb 16 '16 at 05:31