2 Years ago @Dejan Maksimovic asked a question about Internet Explorer shows valid certificate as “corrupt or invalid signature”. To date I am experiencing a comparable iss
SHA2 signatures are not recognized by OSes older than Windows 7, so if you target those too and want your signature to be visible there you need to perform dual signing.
Microsoft explaining the steps for dual signing, with more details.
After finally receiving a new code sign certificate, I could sign my installer with a SHA256 signature.
I had to add /fd sha256 to signtool, however:
SignTool.exe sign \
/f "$CERTIFICATE" \
/p $PFX_PASSWORD \
/fd sha256 \
/t "http://timestamp.verisign.com/scripts/timestamp.dll" \
/d "Name" \
/du "http://my.website.com/" \
"<My installer>"
Unfortunately I am still experiencing the SmartScreen warnings (but apparently this is a Windows 8+ feature). The good news is that the publisher is not unknown anymore.
Still trying the Windows application verifier for Windows 8, 8.1 and Server 2012 (Windows 10 here) from this post
EDIT: (See comment by @Bogdan)
For dual signing perform the following steps (will not work for msi, only for exe):
SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /t "http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /v "<My installer>.exe"
SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /fd sha256 /tr "http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /as /v "<My installer>.exe"