Windows thinks signed installer is malware after security update (KB3124605)

Submitted by 痞子三分冷 on 2019-12-01 09:28:21

SHA2 signatures are not recognized by OSes older than Windows 7, so if you target those too and want your signature to be visible there you need to perform dual signing.

Microsoft explaining the steps for dual signing, with more details.

Rik

After finally receiving a new code signing certificate, I could sign my installer with a SHA256 signature.

I had to add /fd sha256 to signtool, however:

SignTool.exe sign \
  /f "$CERTIFICATE" \
  /p "$PFX_PASSWORD" \
  /fd sha256 \
  /t "http://timestamp.verisign.com/scripts/timestamp.dll" \
  /d "Name" \
  /du "http://my.website.com/" \
  "<My installer>"

Unfortunately I am still experiencing the SmartScreen warnings (but apparently this is a Windows 8+ feature). Good news is that the publisher is not unknown anymore.

Still trying the Windows application verifier for Windows 8, 8.1 and Server 2012 (Windows 10 here) from this post

EDIT: (See comment by @Bogdan)

For dual signing, perform the following steps (will not work for msi, only for exe):

SignTool.exe sign /f "$CERTIFICATE" /p "$PFX_PASSWORD" /t "http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /v "<My installer>.exe"
SignTool.exe sign /f "$CERTIFICATE" /p "$PFX_PASSWORD" /fd sha256 /tr "http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /as /v "<My installer>.exe"
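
To confirm that a build really carries both signatures after the two SignTool passes above, this added example (not part of the original answers) reads the PE certificate table and reports the digest algorithm of the primary signature and of every signature appended with /as. It assumes DER-encoded PKCS#7 and finds the nested-signature attribute with a byte search for its OID, which is a heuristic; the function names are illustrative.

```python
import struct

DIGESTS = {bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
           bytes.fromhex("608648016503040201"): "sha256"}  # 2.16.840.1.101.3.4.2.1
# szOID_NESTED_SIGNATURE (1.3.6.1.4.1.311.2.4.1) as a complete DER OID element
NESTED = bytes.fromhex("060a2b060104018237020401")

def tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def digest_of(buf, off):
    """Digest algorithm named by the PKCS#7 SignedData ContentInfo at off."""
    _, s, _ = tlv(buf, off)   # ContentInfo SEQUENCE
    _, _, e = tlv(buf, s)     # contentType OID (signedData)
    _, s, _ = tlv(buf, e)     # [0] EXPLICIT wrapper
    _, s, _ = tlv(buf, s)     # SignedData SEQUENCE
    _, _, e = tlv(buf, s)     # version INTEGER
    _, s, _ = tlv(buf, e)     # digestAlgorithms SET
    _, s, _ = tlv(buf, s)     # first AlgorithmIdentifier SEQUENCE
    _, s, e = tlv(buf, s)     # algorithm OID
    return DIGESTS.get(bytes(buf[s:e]), bytes(buf[s:e]).hex())

def signature_digests(pe):
    """Digest algorithms of the primary and nested Authenticode signatures."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # Data directories start 112 bytes into a PE32+ optional header, 96 in PE32
    dirs = nt + 24 + (112 if pe[nt + 24:nt + 26] == b"\x0b\x02" else 96)
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # security directory
    found, end = [], off + size
    while off + 8 <= end:                         # walk WIN_CERTIFICATE entries
        length, _, ctype = struct.unpack_from("<IHH", pe, off)
        blob = pe[off + 8:off + length]
        if ctype == 2:                            # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            found.append(digest_of(blob, 0))
            i = blob.find(NESTED)
            while i != -1:
                _, s, e = tlv(blob, i + len(NESTED))   # SET of nested ContentInfo
                while s < e:
                    found.append(digest_of(blob, s))
                    s = tlv(blob, s)[2]
                i = blob.find(NESTED, i + 1)
        off += (max(length, 8) + 7) & ~7          # entries are 8-byte aligned
    return found
```

Call `signature_digests(open(path, "rb").read())` on the signed installer: `['sha1', 'sha256']` means the dual signature is in place, a single entry means the /as pass did not append anything, and an empty list means the file is unsigned.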