Menu
I have my binary signed with valid SHA-2 certificates (both Authenticode and timestamp), but SmartScreen on Windows 10 still blocks it and Edge reports that "The signature of this file is corrupt or invalid".
I've checked other binaries from popular sources, like Firefox. They still sign with SHA1 timestamp certificate, but Windows doesn't report any problems. Can someone advice what's happening?
Link to my binary: https://dl.dropboxusercontent.com/u/21463705/Stackoverflow/Win32Project1.exe
My certificate screenshot
269
asked Mar 05 '26 09:03
Our installers were suffering from the same issue. Even when I only SHA-2-signed using an SHA-2 certificate, Edge still reported the signature to be invalid.
We were using the same code signing authority, "VeriSign Class 3 Code Signing 2010 CA", which itself is signed using an SHA-1 signature:
This seems to be the cause of SmartScreen's "The signature of this file is corrupt or invalid" error message.
I contacted Symantec (they run VeriSign now) and they issued a replacement certificate for us. Unlike the previous one, the one is signed by "Symantec Class 3 SHA256 Code Signing CA" and executables signed with in no longer trigger the "signature corrupt or invalid" error in SmartScreen.
I still get a warning because our installers don't have enough reputation yet, but that's a completely different issue.
Update: Symantec is now discontinuing the use of SHA-1 Intermediate CA Certificates used for signing SHA-256 Code Signing certificates.
60
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
