Software setups – the message “invalid signature or corrupted cabinet file” – code signing certificates – SHA-1 and SHA-256

Since 1 January 2016 we have repeatedly received reports that our software setups cannot be installed on certain systems. When the setup is run, the error message “invalid signature or corrupted cabinet file” appears.

[Screenshot: error message about the invalid signature]

The reason is that since 1 January 2016 software may no longer be signed with SHA-1 certificates, only with SHA-256 certificates. But not every old operating system version supports SHA-256 certificates.

[Figure: OS support for SHA-1 and SHA-256]

Information from the Microsoft PKI blog:

“Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.

This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature.”

What does that mean?
Any files signed with an SHA-1 certificate need to have a timestamp showing a date and time prior to Jan 1, 2016 for continued support. Those files will still be allowed through the ‘Mark-of-the-web’ system until Jan 14, 2020, when all SHA-1 support will stop in all current versions of Windows. All new signatures created or timestamped after Jan 1, 2016 must be SHA-256 based signatures or they will cause a “digital signature is corrupted or invalid” error when downloading.

What versions of Windows support SHA-256 signatures?
SHA-256 signatures are not supported in Windows XP SP2 or earlier. SHA-256 is only supported in User Mode for Windows XP SP 2, Vista and Windows Server 2008R1 — SHA-256 certificates are not supported for drivers on any version prior to Windows 7.

Microsoft is announcing the availability of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update as SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.
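To see which digest algorithm a setup's Authenticode signature actually uses before shipping it, the following Python example (added here, not part of the original post or of any vendor tool) locates the PKCS#7 blob in a PE file's Certificate Table and collects the digest-algorithm OIDs found in it. The PE skeleton and the SignedData blob it inspects are constructed inline so the script runs offline; the function names `extract_authenticode`, `collect_oids` and `classify` are choices made for this example.

```python
"""Report the digest algorithms used inside an Authenticode (PKCS#7) signature.

Added example, not from the original post. Reads the Certificate Table
(data directory index 4) of a PE file and walks the DER structure.
"""
import struct

# Digest OIDs found in SignedData.digestAlgorithms, SignerInfo.digestAlgorithm,
# SpcIndirectDataContent.messageDigest and RFC 3161 timestamp messageImprints.
DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}

def der_read_tlv(buf, pos):
    """Return (tag, header_length, body_length) of the DER element at buf[pos]."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, hdr, length

def der_decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def collect_oids(buf, pos=0, end=None, out=None):
    """Recursively walk constructed DER nodes and collect every OBJECT IDENTIFIER."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    while pos < end:
        tag, hdr, length = der_read_tlv(buf, pos)
        start, stop = pos + hdr, pos + hdr + length
        if tag == 0x06:
            out.append(der_decode_oid(buf[start:stop]))
        elif tag & 0x20:                    # SEQUENCE, SET, [n] EXPLICIT, ...
            collect_oids(buf, start, stop, out)
        pos = stop
    return out

def extract_authenticode(pe):
    """Return the PKCS#7 blob from the PE's Certificate Table, or None if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112) + 4 * 8   # PE32 vs PE32+, entry 4
    offset, size = struct.unpack_from("<II", pe, dir_off)     # here a raw file offset
    if size == 0:
        return None
    length = struct.unpack_from("<IHH", pe, offset)[0]        # WIN_CERTIFICATE header
    return pe[offset + 8:offset + length]

def classify(blob):
    """Sorted list of digest names used anywhere in the blob, countersignatures included."""
    return sorted({DIGEST_OIDS[o] for o in collect_oids(blob) if o in DIGEST_OIDS})

# --- constructed sample data (minimal DER encoder, skeletal SignedData, PE skeleton) ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = bytes([v & 0x7F])
        v >>= 7
        while v:
            chunk = bytes([0x80 | (v & 0x7F)]) + chunk
            v >>= 7
        out += chunk
    return out

def build_sample_blob(digest_oid):
    """Constructed SignedData carrying only the fields this example reads."""
    alg = der(0x30, der(0x06, der_encode_oid(digest_oid)) + der(0x05, b""))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, alg)
                 + der(0x30, der(0x06, der_encode_oid("1.3.6.1.4.1.311.2.1.4"))))
    return der(0x30, der(0x06, der_encode_oid("1.2.840.113549.1.7.2")) + der(0xA0, signed))

def build_sample_pe(blob):
    """Constructed PE32 skeleton: just enough headers to locate the Certificate Table."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0)
    cert_off = e_lfanew + 4 + 20 + opt_size
    win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert

if __name__ == "__main__":
    for oid in ("1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"):
        print(oid, "->", classify(extract_authenticode(build_sample_pe(build_sample_blob(oid)))))
```

Because the walk covers the whole blob, an RFC 3161 countersignature that still uses SHA-1 shows up alongside a SHA-256 file digest; given the quoted cut-off for SHA-1 timestamps, a result containing "sha1" anywhere is the one to flag. For a real setup, pass `open(path, "rb").read()` to `extract_authenticode`; note that the Certificate Table entry holds a file offset, not an RVA, which is why the code reads it directly.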

Possible solution:
Please contact us about this; we will then provide you with a setup without a code signature. This allows the software to be installed on “old” operating systems that do not support SHA-256 signatures. Without a code signature, Windows cannot verify the publisher of the setup, so such a setup should only be used where the download source itself is trusted.