0

I am using VS 2015 CE and the "Microsoft Visual Studio 2015 Installer Projects" on Windows 7 SP1. When I build my MSI file, the build process automatically adds a Code Signing Certificate to the resulting MSI file. Up until today, that certificate was valid, and when you would download that MSI off a web server, there was no warning. Today, IE began displaying a warning message, "The signature of this program is corrupt or invalid." When I look at the Cert. in the properties of the MSI file, it says, "This digital signature is not valid." Even files I uploaded last week and which worked fine are now displaying the message.

I have been researching this all day, and still have some holes in my understanding of the process. For example:

1) Where is the VS Installer getting the code signing certificate to apply to the MSI? I assume it would be in my Certificate Store, but can't find it. I never generated one, as far as I know, unless it was done as part of installation? I am not doing any SignTool calls, and I can't see anything in the vdproj file that talks about certificates (there is a tag that says "SignOutput" = "11:FALSE"). This process is happening, and has been happening automatically since I began using the installer.

2) How can I get VS Installer to apply a cert that works? I found a lot of varying reasons why it would fail, like because it was SHA1, but I looked at a recent MSI download from MS, and it is also uses SHA1, and it has no error. I would prefer to continue using a cert that is applied automatically, as opposed to buying one and applying it with signtool.

user1689571
  • 495
  • 1
  • 4
  • 17
  • I just now stumbled across this same problem already posted. Not sure how SO didn't point to it when i was posting: http://stackoverflow.com/questions/35391691/vs2015-installer-projects-adds-invalid-microsoft-signature-to-msis Looks like I am out of luck – user1689571 May 05 '17 at 19:49

2 Answers2

0

There was an update on 3/15/17 that Microsoft put out for their Visual Studio 2015 Installer Projects extension which solves this.

Curiously, the update didn't show up in Extensions and Updates under the Tools tab, but searching for "Installer Projects" under the online section on the left allowed me to download and install the latest version. It's at this link: https://marketplace.visualstudio.com/items?itemName=VisualStudioProductTeam.MicrosoftVisualStudio2015InstallerProjects

Also, the version of Visual Studio Installer Projects under the Installed section still shows version 1.0.0.2 even though the updated download link is 2.1. No clue what's going on there, but the important part is that the invalid certificate no longer appears when creating an MSI from an Installer Project, and the warnings in browsers when downloading are gone.

rms8
  • 1
  • I've installed the latest version ( 2.1 for VS2015 which still shows as 1.0.0.2 in Extensions section) and the second issue still persists: Edge complains that setup "is not commonly download and could harm your device" and Smart Screen "prevented an unrecognized app from starting. Running this app might put your PC at risk." The behavior persists in VS2017 with its corresponding extension for setup project. – Daniel Bogdan Oct 05 '17 at 18:49
0

I had similar problem. My setup project after download by IE or Edge says 'the signature of this program is corrupt or invalid'. I have downloaded latest installer project for my VS2015 (version 2.1) and problem is partly resolved. I don't have this messgae anymore. But is another warning message like 'file is not commonly downloaded and could harm your device'. But generally it's less cumbersome because user can just select 'download any way' and 'run'.

Wojtek P
  • 3
  • 4