Internet Explorer shows valid certificate as “corrupt or invalid signature”

Question

We have signed our product installation using SignTool.exe and GoDaddy certificate, and our signature appears valid in windows and using \"verify\" option of SignTool. Howev

Answer 1

I've discovered through trial and error that this is caused by a Windows update that breaks IE:

Cumulative Security Update for Internet Explorer (2870699) - published Sept. 10, 2013

http://support.microsoft.com/kb/2870699

http://technet.microsoft.com/en-us/security/bulletin/ms13-069

I installed all of the latest updates and was able to reproduce the problem. I then uninstalled this single update and it fixed the problem. I then reinstalled the update and it was broken again.

This is bad!

Answer 2

The bug is known by Microsoft:

http://connect.microsoft.com/IE/feedback/details/800433/kb2870699-breaks-ie-msi-signature-validation

Answer 3

Microsoft released a security update on January 12th 2016. This update has changed the way Windows enforces authenticode code signing and timestamping.

If your code signing certificate has a SHA1 signature, anything signed with such a certificate after the end of 2015 was being flagged as an invalid signature. So you will need to have your certificate re-issued to meet the new requirements.

Take a look at this article: Renew your Windows code signing certificates by December 31, 2015.