Misleading warnings for downloads of SHA1-signed files in Internet Explorer and Microsoft Edge

Since January 1st, 2016 Microsoft has introduced changes (via Windows Update) in the handling of signed executables. As one consequence of these changes, downloads of older files with Internet Explorer and Microsoft Edge can produce misleading warnings.

For files that were signed with the SHA1 algorithm but carry no timestamp, or a timestamp dated January 1st, 2016 or later, the following warning might be shown (in this case for the old gpg4o version 3.4.1):

[Figure: Browser warning]

The message in this case is very misleading because it warns about a supposedly corrupt or invalid signature. Actually the signature of the file is only missing a timestamp, but since the changes Microsoft rolled out via Windows Update in early 2016, files like this one are handled differently than they were before.

Smartscreen warnings

When the “Smartscreen” protection is active in Windows 8, 8.1 and 10, the following warning messages will be shown after a click on “Execute”:

[Figure: Warning by Windows Smartscreen]

[Figure: Windows Smartscreen message after click on “More information”]

Technical Details

Details regarding the changes in the handling of Authenticode signatures and timestamps were published by Microsoft at the following address:

Windows Enforcement of Authenticode Code Signing and Timestamping

Manual signature verification

There is an easy way to check whether a file has no valid signature at all or just an obsolete one. After downloading a file you can navigate to the folder the file was saved to (by default this will be the “Downloads” folder shown in Explorer, also reachable by clicking on “Open folder” in the downloads popup).

In the Explorer file listing you can open the context menu by right-clicking the downloaded file:

[Figure: Right-click on downloaded file]

Clicking on “Details” will display the following window:

[Figure: File details]

Under the “Digital Signatures” tab the signature of the file and the corresponding certificate are displayed. In the case of the old gpg4o version 3.4.1 the following details are visible:

[Figure: Digital Signatures tab]

After clicking on “Details” more information about the digital signature will be shown. Please check that the sentence “The digital signature is OK” is actually displayed.

[Figure: Digital Signature Details]

By clicking on “View certificate” you can view more details about the certificate the file was signed with.

[Figure: Certificate information]

Under the “Details” tab, in the lower scroll area, the thumbprint of files signed with the former Giegerich & Partner certificate shows the following value:

99 e0 20 5e c5 73 0f bc a8 c7 e3 58 a4 82 c3 8c d0 bc 03 8f

[Figure: Thumbprint values of former certificate]

From now on: SHA256 certificate and signatures with the SHA256 algorithm

Files published by Giegerich & Partner will from now on be signed with a new SHA256 certificate whose thumbprint shows the following value:

1d 72 3a 5e c1 34 03 3a 6d c0 f9 0b dc 24 8b 9e 8b 3d 98 af

[Figure: Thumbprint values of new certificate]

For new files that were signed and timestamped using the SHA256 algorithm, the browser and Smartscreen will of course no longer show these misleading warnings.
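The same check that the Explorer dialogs above walk through can be done from PowerShell, which is useful when verifying several downloads at once. This is an added example and not code from the article or from Giegerich & Partner; the file path is a placeholder you must replace, and the two thumbprints are the values quoted in this article, entered without spaces.

```powershell
# Added example: inspect a downloaded file's Authenticode signature from
# PowerShell instead of the Explorer "Digital Signatures" tab.
# Assumption: $FilePath is a placeholder; point it at the file you downloaded.
$FilePath = "$env:USERPROFILE\Downloads\gpg4o_setup.exe"

# Thumbprints quoted in the article (spaces removed, upper case) for the
# former Giegerich & Partner certificate and the new SHA256 certificate.
$KnownThumbprints = @{
    '99E0205EC5730FBCA8C7E358A482C38CD0BC038F' = 'former Giegerich & Partner certificate'
    '1D723A5EC134033A6DC0F90BDC248B9E8B3D98AF' = 'new SHA256 certificate'
}

$sig = Get-AuthenticodeSignature -FilePath $FilePath

# Status 'Valid' is the PowerShell counterpart of the dialog text
# "The digital signature is OK"; anything else deserves a closer look.
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

if ($sig.SignerCertificate) {
    $cert  = $sig.SignerCertificate
    $thumb = $cert.Thumbprint.ToUpper()
    $label = if ($KnownThumbprints.ContainsKey($thumb)) {
        $KnownThumbprints[$thumb]
    } else {
        'unknown signer - compare against a thumbprint you trust'
    }
    "Signer           : $($cert.Subject)"
    "Thumbprint       : $thumb -> $label"
    # Algorithm the CA used to sign the certificate (e.g. sha1RSA vs sha256RSA);
    # the old certificate in the article is of the SHA1 generation.
    "Cert algorithm   : $($cert.SignatureAlgorithm.FriendlyName)"
    "Cert validity    : $($cert.NotBefore) to $($cert.NotAfter)"
}

# A missing timestamp is exactly the condition the article describes: the
# signature itself verifies, but the browser and Smartscreen no longer accept
# an untimestamped SHA1 signature and show the misleading warning.
if ($sig.TimeStamperCertificate) {
    "Timestamp        : present, issued by $($sig.TimeStamperCertificate.Subject)"
} else {
    "Timestamp        : MISSING - expect the browser/Smartscreen warning"
}
```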
