Misleading warnings for downloads of SHA1-signed files in Internet Explorer and Microsoft Edge

Since January 1st, 2016 Microsoft has introduced changes (via Windows Update) in the handling of signed executables. As one consequence of these changes, downloads of older files with Internet Explorer and Microsoft Edge can produce misleading warnings.

For files that were signed with the SHA1 algorithm but carry no timestamp, or a timestamp dated January 1st, 2016 or later, the following warning might be shown (in this case for the old gpg4o version 3.4.1):


Browser warning

The message in this case is very misleading because it warns about a supposedly corrupt or invalid signature. Actually the signature of the file is only missing a timestamp, but since the changes Microsoft shipped with Windows Update in early 2016, files like this one are handled differently than they were before.

Smartscreen warnings

When “SmartScreen” protection is active in Windows 8, 8.1 and 10, the following warning messages will be shown after a click on “Execute”:


Warning by Windows Smartscreen


Windows SmartScreen message after click on “More information”

Technical Details

Details with regards to the changes in the handling of Authenticode signatures and timestamps were published by Microsoft at the following address:

Windows Enforcement of Authenticode Code Signing and Timestamping

Manual signature verification

There is an easy way to check whether a file has no valid signature at all or just an obsolete one. After downloading a file you can navigate to the folder the file was saved to (by default this is the “Downloads” folder shown in Explorer, also reachable by clicking on “Open folder” in the downloads popup).

In the Explorer file listing you can open the context menu by right-clicking the downloaded file:


Right-click on downloaded file

Clicking on “Details” will display the following window:


File details

Under the tab “Digital Signatures” the signature of the file and the corresponding certificate will be displayed. In the case of the old gpg4o version 3.4.1 the following details are visible:


Digital Signatures tab

After clicking on “Details”, more information about the digital signature will be shown. Please check that the sentence “The digital signature is OK” really is displayed.


Digital Signature Details

By clicking on “View certificate” you can view more details about the certificate the file was signed with.


Certificate information

Under “Details”, in the lower scroll area, the thumbprint of files signed with the former Giegerich & Partner certificate will show the following value:

99 e0 20 5e c5 73 0f bc a8 c7 e3 58 a4 82 c3 8c d0 bc 03 8f


Thumbprint values of former certificate

From now on: SHA256 certificate and signatures with the SHA256 algorithm

Files published by Giegerich & Partner will from now on be signed with a new SHA256 certificate whose thumbprint has the following value:

1d 72 3a 5e c1 34 03 3a 6d c0 f9 0b dc 24 8b 9e 8b 3d 98 af


Thumbprint values of new certificate

For new files that are signed and timestamped with the SHA256 algorithm, no misleading warnings will be shown by the browser or SmartScreen.
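The manual check described above (signature status, thumbprint of the signing certificate, presence of a timestamp) can also be done from PowerShell with Get-AuthenticodeSignature. This is an added example, not code from the original post or from Giegerich & Partner; the two thumbprints are the ones published above, and the file path is a placeholder you replace with your actual download.

```powershell
# Added example (not from the original post): inspect a downloaded file's Authenticode
# signature from PowerShell instead of the Explorer dialogs. The thumbprints below are the
# two published in this post; the download path at the bottom is a placeholder.
$OldThumbprint = '99E0205EC5730FBCA8C7E358A482C38CD0BC038F'   # former Giegerich & Partner certificate (SHA1)
$NewThumbprint = '1D723A5EC134033A6DC0F90BDC248B9E8B3D98AF'   # new SHA256 certificate

function Test-DownloadSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is not signed at all

    # Classify the result the same way the manual check in the post does.
    $verdict =
        if ($sig.Status -ne 'Valid') {
            "Signature problem: $($sig.Status) - $($sig.StatusMessage)"
        } elseif ($cert.Thumbprint -eq $NewThumbprint) {
            'Valid, signed with the new SHA256 certificate'
        } elseif ($cert.Thumbprint -eq $OldThumbprint -and -not $sig.TimeStamperCertificate) {
            'Valid, but SHA1 certificate without timestamp: expect the misleading browser/SmartScreen warning'
        } elseif ($cert.Thumbprint -eq $OldThumbprint) {
            'Valid, signed with the former certificate (timestamped)'
        } else {
            'Valid, but signed by an unknown publisher certificate - compare the thumbprint manually'
        }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status
        Signer        = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        # Algorithm of the signer certificate (sha1RSA / sha256RSA). The digest used for the
        # file itself is the one shown in the "Digital Signature Details" dialog.
        CertAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        # No timestamp counter-signature means the signature is affected by the SHA1 enforcement.
        Timestamped   = [bool]$sig.TimeStamperCertificate
        Verdict       = $verdict
    }
}

# Usage: point it at the file in the "Downloads" folder (placeholder file name).
Test-DownloadSignature -Path "$env:USERPROFILE\Downloads\gpg4o_setup.exe" | Format-List
```

A Status other than Valid is the case where the browser warning is justified; a Valid status with the old thumbprint and Timestamped = False is the harmless case the post describes.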


