CDE Software signs our programs and installers so that end users are assured that they get a legitimate release that hasn't been tampered with. We've done this for years. With our last code-signing certificate renewal, we opted to obtain an SHA-2 certificate for better security. As with browsers, code-signing certificates are switching from SHA-1 to SHA-2 this year, due to the likelihood of the SHA-1 algorithm being brute forced by more powerful computers and techniques. Microsoft won't even honor EXEs signed with an SHA-1 certificate signed after 12/31/2015 as per their SHA-1 deprecation policy, so making the switch sooner rather than later is a good idea.
When utilizing the new certificate, we set our signer to produce SHA-2/SHA256 digests to match the certificate. Microsoft doesn't really give any guidance on whether to do this and whether or not SHA-1 digests are also being retired on 1/1/2016. It turns out that this was unnecessary and that SHA-1 can continue to be used. We later found out that SHA-2 can cause issues for some older Windows installs.
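To confirm which file digest a release actually carries before it reaches XP or Vista users, the following added example (not CDE Software's code) reads the PE certificate table and reports the digest algorithm named in each Authenticode signature. It inspects only the top-level signature of each certificate-table entry, and the function names are this example's own.

```python
import struct
import sys

# DER-encoded OID bodies for the two file-digest algorithms discussed here
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "SHA1",
               bytes.fromhex("608648016503040201"): "SHA256"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs7_digest_algs(der):
    """Hash names listed in SignedData.digestAlgorithms of a PKCS#7 blob."""
    _, p, _ = tlv(der, 0)    # ContentInfo SEQUENCE
    _, _, p = tlv(der, p)    # contentType OID, skipped
    _, p, _ = tlv(der, p)    # [0] EXPLICIT wrapper
    _, p, _ = tlv(der, p)    # SignedData SEQUENCE
    _, _, p = tlv(der, p)    # version INTEGER, skipped
    _, p, end = tlv(der, p)  # digestAlgorithms SET
    names = []
    while p < end:
        _, a, p = tlv(der, p)  # AlgorithmIdentifier SEQUENCE; p moves to the next one
        _, s, e = tlv(der, a)  # algorithm OID
        names.append(DIGEST_OIDS.get(der[s:e], "OID " + der[s:e].hex()))
    return names

def authenticode_digests(pe):
    """One list of digest names per PKCS#7 entry; [] means no signature is present."""
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = lfanew + 24  # optional header follows the PE signature and COFF header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    off, size = struct.unpack_from("<II", pe, dirs + 32)  # entry 4: file offset, size
    out, end = [], off + size
    while off and off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if ctype == 2 and length > 8:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            out.append(pkcs7_digest_algs(pe[off + 8:off + length]))
        off += max(8, (length + 7) & ~7)  # entries are 8-byte aligned
    return out

if __name__ == "__main__" and len(sys.argv) > 1:
    print(authenticode_digests(open(sys.argv[1], "rb").read()))
```

Run it with the path to a signed EXE as the only argument; a result of `[['SHA256']]` identifies a build that XP SP3 and Vista SP2 will treat as unsigned.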
Broken Windows XP and Vista Code Signature Components

Windows XP SP3 users that download an EXE signed with an SHA-2/SHA256 digest will see the EXE as unsigned. They can, however, still run it just as if it were an unsigned EXE.
Windows Vista SP2 users that download an EXE signed with an SHA-2/SHA256 digest will see the EXE as unsigned but be able to run it as if it were unsigned, just like on Windows XP.
There appears to be a larger bug that Microsoft seems unaware of. If you download in IE9 on Windows Vista, IE will show the download as "This program was reported as unsafe" in red letters and not give the option to run it directly. You can, however, right-click the file and run it anyway or browse to its folder.
This particular behavior would occur for occasional users that download via IE on Vista.
Windows Vista users still running the insecure and unsupported SP1 build of Vista, or who have not yet applied KB2763674, will have the file silently fail when running it. Vista SP1 was retired in 2011. The patch was released over 2 years ago and was automatically pushed out over Windows Update. The vast majority of Vista users should have no issues, but there may be some holdouts. All Vista users are urged to immediately install SP2 as well as all later patches via Windows Update to ensure their machine is not vulnerable to compromise as well as to ensure they will be able to run software using all signing methods from all publishers.
If you have Vista or Server 2008, please visit and install the appropriate update:
Internet Explorer SmartScreen Filter, which is what is causing the issue, can be disabled by:
- Go to Control Panel > Internet Options
- Select Advanced Tab
- Scroll to Security Section
- Uncheck to disable SmartScreen Filter.
- Click OK and Apply to save settings.
(To re-enable SmartScreen, follow the steps and check the SmartScreen Filter).