Windows thinks signed installer is malware after security update (KB3124605)

Question

2 Years ago @Dejan Maksimovic asked a question about Internet Explorer shows valid certificate as “corrupt or invalid signature”. To date I am experiencing a comparable iss

Answer 1

After finally recieving a new code sign certificate, I could sign my installer with a SHA256 signature.

I had to add /fd sha256 to signtool however

SignTool.exe sign \
  /f "$CERTIFICATE" \
  /p $PFX_PASSWORD \
  /fd sha256 \
  /t http://timestamp.verisign.com/scripts/timestamp.dll" \
  /d "Name" \
  /du "http://my.website.com/" \
  ""

Unfornunately I am still experiencing the Smartscreen warnings (but apperantly this is a windows 8+ feature). Good news is that the publisher is not unknown anymore.

Still trying the windows application verifier for windows 8, 8.1 and server 2012 (windows 10 here) from this post

EDIT: (See comment by @Bogdan)

For dual signing perform the follwing steps (will not work for msi, only for exe)

SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /t http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /v ".exe"
SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /fd sha256 /tr http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /as /v ".exe"