Question
We have signed our product installation using SignTool.exe and GoDaddy certificate, and our signature appears valid in windows and using "verify" option of SignTool. However, when the file is downloaded in Internet Explorer 9, it reports that "The signature of is corrupt or invalid".
We obviously don't want our users to have problems with installation of our setup, so I need help in fixing it. Strange that there is basically no help on this issue online.
Solution 2
I've discovered through trial and error that this is caused by a Windows update that breaks IE:
Cumulative Security Update for Internet Explorer (2870699) - published Sept. 10, 2013
http://support.microsoft.com/kb/2870699
http://technet.microsoft.com/en-us/security/bulletin/ms13-069
I installed all of the latest updates and was able to reproduce the problem. I then uninstalled this single update and it fixed the problem. I then reinstalled the update and it was broken again.
This is bad!
OTHER TIPS
Microsoft released a security update on January 12th 2016. This update has changed the way Windows enforces authenticode code signing and timestamping.
If your code signing certificate has a SHA1 signature, anything signed with such a certificate after the end of 2015 was being flagged as an invalid signature. So you will need to have your certificate re-issued to meet the new requirements.
Take a look at this article: Renew your Windows code signing certificates by December 31, 2015.
The bug is known by Microsoft:
http://connect.microsoft.com/IE/feedback/details/800433/kb2870699-breaks-ie-msi-signature-validation
Old news, but if you find yourself here today, we just published a set of steps which can help solve this problem (not as a developer, but as a user trying to run an installer). The details are in our blog but in short, your main options are:
https://stackoverflow.com/questions/18891398
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian