Since January 1st, 2016 Microsoft has introduced changes (via Windows Update) in the handling of signed executables. As one consequence of these changes, downloads of older files with Internet Explorer and Microsoft Edge can produce misleading warnings.
For files that were signed with the SHA1 algorithm but carry no timestamp, or a timestamp dated January 1st, 2016 or later, the following warning might be shown (in this case for the old gpg4o version 3.4.1):
Browser warning
The message in this case is very misleading because it warns about a supposedly corrupt or invalid signature. In fact the signature of the file is only missing a timestamp, but since the changes Microsoft rolled out with Windows Update in early 2016, files like this one are handled differently than they were before.
Smartscreen warnings
When the “Smartscreen” protection is active in Windows 8, 8.1 and 10, a click on “Execute” will show the following warning messages:
Warning by Windows Smartscreen
Windows Smartscreen message after click on “More information”
Technical Details
Details with regards to the changes in the handling of Authenticode signatures and timestamps were published by Microsoft at the following address:
Windows Enforcement of Authenticode Code Signing and Timestamping
Manual signature verification
There is an easy way to check whether a file has no valid signature at all or just an outdated one. After downloading a file, navigate to the folder it was saved to (by default the “Downloads” folder shown in Explorer, also reachable by clicking “Open folder” in the downloads popup).
In the Explorer file listing you can open the context menu by right-clicking the downloaded file:
Right-click on downloaded file
Clicking on “Details” will display the following window:
File details
Under the tab “Digital Signatures” the signature of the file and the corresponding certificate will be displayed. In the case of the old gpg4o-version 3.4.1 the following details are visible:
Digital Signatures tab
After clicking on “Details” more information about the digital signature will be shown. Check that the sentence “The digital signature is OK” is really displayed.
Digital Signature Details
By clicking on “View certificate” you can view more details about the certificate the file was signed with.
Under “Details”, in the lower scroll area, the thumbprint of files signed with the former Giegerich & Partner certificate shows the following value:
99 e0 20 5e c5 73 0f bc a8 c7 e3 58 a4 82 c3 8c d0 bc 03 8f
From now on: SHA256-Certificate and Signatures with SHA256-Algorithm
Files published by Giegerich & Partner will from now on use a new SHA256 certificate with the following thumbprint:
1d 72 3a 5e c1 34 03 3a 6d c0 f9 0b dc 24 8b 9e 8b 3d 98 af
For new files that were signed and timestamped with the SHA256 algorithm, no more misleading warnings will be shown by the browser or Smartscreen.
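The Explorer steps in the “Manual signature verification” section and the two Giegerich & Partner thumbprints listed on this page can also be checked from PowerShell. The following is an added example and not code from the original page or from Giegerich & Partner; the function name Test-GiegerichSignature is hypothetical. It relies on the built-in Get-AuthenticodeSignature cmdlet, whose Status property corresponds to the “The digital signature is OK” line in the dialog and whose TimeStamperCertificate property is empty when the file carries no timestamp, which is exactly the situation that triggers the misleading warnings:

```powershell
# Added example (not from the original page): check a downloaded file's
# Authenticode signature the way the manual Explorer steps do, but from
# PowerShell. The function name Test-GiegerichSignature is hypothetical.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

# Thumbprints as printed on this page. The Thumbprint property returned by
# .NET is upper-case hex without spaces, so normalise them to that form.
$KnownThumbprints = @{
    'former SHA1 certificate' = ('99 e0 20 5e c5 73 0f bc a8 c7 e3 58 a4 82 c3 8c d0 bc 03 8f' -replace ' ', '').ToUpperInvariant()
    'new SHA256 certificate'  = ('1d 72 3a 5e c1 34 03 3a 6d c0 f9 0b dc 24 8b 9e 8b 3d 98 af' -replace ' ', '').ToUpperInvariant()
}

function Test-GiegerichSignature {
    [CmdletBinding()]
    param(
        # Accepts a path string or the FileInfo objects emitted by Get-ChildItem.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $sig = Get-AuthenticodeSignature -FilePath $Path

        # Status 'Valid' is the equivalent of "The digital signature is OK".
        $signatureOk = ($sig.Status -eq 'Valid')

        # Compare the signer certificate against the thumbprints on this page.
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        $match = $KnownThumbprints.GetEnumerator() |
            Where-Object { $_.Value -eq $thumb } |
            Select-Object -First 1

        # No TimeStamperCertificate means the signature carries no timestamp.
        # SignatureOk = True together with HasTimestamp = False is the case
        # described on this page for the old SHA1-signed gpg4o 3.4.1 download.
        $hasTimestamp = $null -ne $sig.TimeStamperCertificate

        [pscustomobject]@{
            Path          = $Path
            Status        = $sig.Status
            SignatureOk   = $signatureOk
            Thumbprint    = $thumb
            KnownCert     = if ($match) { $match.Key } else { 'not a certificate listed on this page' }
            CertAlgorithm = if ($sig.SignerCertificate) { $sig.SignerCertificate.SignatureAlgorithm.FriendlyName } else { $null }
            HasTimestamp  = $hasTimestamp
            TimestampedBy = if ($hasTimestamp) { $sig.TimeStamperCertificate.Subject } else { $null }
        }
    }
}

# Usage: inspect every executable in the current user's Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    Test-GiegerichSignature |
    Format-Table Path, Status, KnownCert, CertAlgorithm, HasTimestamp -AutoSize
```

CertAlgorithm reports the algorithm the issuing CA used to sign the certificate itself, not the digest algorithm used for the file signature, because Get-AuthenticodeSignature does not expose the latter; the Explorer dialog described above remains the place to read that detail. A file whose Thumbprint matches neither value listed on this page was not signed with either Giegerich & Partner certificate and should be treated accordingly.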