安全更新后，Windows 认为签名安装程序是恶意软件 (KB3124605) [英] Windows thinks signed installer is malware after security update (KB3124605)

问题描述

2 年前@Dejan Maksimovic 问了一个关于

我不得不将 /fd sha256 添加到 signtool 但是

SignTool.exe 签名\/f "$证书" \/p $PFX_PASSWORD \/fd sha256 \/t http://timestamp.verisign.com/scripts/timestamp.dll"\/d "姓名" \/du "http://my.website.com/" \<我的安装程序>"

不幸的是，我仍然遇到 Smartscreen 警告(但显然这是一个 windows 8+ 功能).好消息是出版商不再为人所知.

仍在尝试用于 Windows 8 的 windows 应用程序验证程序、8.1 和 server 2012(windows 10 此处)来自 这篇文章

(见@Bogdan 的评论)

对于双重签名，请执行以下步骤(不适用于 msi，仅适用于 exe)

SignTool.exe sign/f "$CERTIFICATE"/p $PFX_PASSWORD/t http://timestamp.verisign.com/scripts/timestamp.dll"/d "Name"/du "http://my.website.com/"/v "<我的安装程序>.exe"SignTool.exe 签名/f "$CERTIFICATE"/p $PFX_PASSWORD/fd sha256/tr http://timestamp.verisign.com/scripts/timestamp.dll"/d "Name"/du "http://my.website.com/"/as/v "<我的安装程序>.exe"

2 Years ago @Dejan Maksimovic asked a question about Internet Explorer shows valid certificate as "corrupt or invalid signature". To date I am experiencing a comparable issue with an installer that needs elevated rights.

The problem seems to be of the same origin but then for KB3124605.

Installer is signed using signtool and certificate is valid until August 2016.

When I installed a cumulative update containing this patch Windows SmartScreen tells me that the publisher is unknown, but when I uninstall the Security update, Windows seems to be able to distinguish the publisher (the one that is actually mentioned in the certificate info.

The update was released January 12th. Anyone with the same problem?

Running SignTool verify /pa <My Installer.exe> returns Successfully verified: <My Installer.exe>

解决方案

After finally recieving a new code sign certificate, I could sign my installer with a SHA256 signature.

I had to add /fd sha256 to signtool however

SignTool.exe sign \
  /f "$CERTIFICATE" \
  /p $PFX_PASSWORD \
  /fd sha256 \
  /t http://timestamp.verisign.com/scripts/timestamp.dll" \
  /d "Name" \
  /du "http://my.website.com/" \
  "<My installer>"

Unfornunately I am still experiencing the Smartscreen warnings (but apperantly this is a windows 8+ feature). Good news is that the publisher is not unknown anymore.

Still trying the windows application verifier for windows 8, 8.1 and server 2012 (windows 10 here) from this post

EDIT: (See comment by @Bogdan)

For dual signing perform the follwing steps (will not work for msi, only for exe)

SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /t http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /v "<My installer>.exe"
SignTool.exe sign /f "$CERTIFICATE" /p $PFX_PASSWORD /fd sha256 /tr http://timestamp.verisign.com/scripts/timestamp.dll" /d "Name" /du "http://my.website.com/" /as /v "<My installer>.exe"

这篇关于安全更新后，Windows 认为签名安装程序是恶意软件 (KB3124605)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！