[Pidgin] #16971: Pidgin installer is blocked by Windows Smartscreen because intermediate code-signing cert is SHA-1
Pidgin
trac at pidgin.im
Thu Mar 3 19:11:55 EST 2016
#16971: Pidgin installer is blocked by Windows Smartscreen because intermediate
code-signing cert is SHA-1
-----------------------+-------------------------------------------
Reporter: mlindgren | Owner:
Type: defect | Status: new
Milestone: | Component: pidgin (gtk)
Version: 2.10.12 | Keywords: windows smartscreen installer
-----------------------+-------------------------------------------
Our investigation indicated that there is an issue with the certificate
used to sign your setup application (downloaded from
http://sourceforge.net/projects/pidgin/files/Pidgin/2.10.12/pidgin-2.10.12.exe/),
which results in it being identified as corrupt or invalid when your file
is downloaded. While it is possible to download the file anyway,
SmartScreen will not recognize the validity of your certificate, and
delivers the message that your application is unrecognized on install.
The issue appears to be that not all the certificates in the Certification
Path are using the SHA-256 hashing algorithm, but the deprecated SHA-1 hashing
algorithm.
This is shown below.
You may want to contact the CA that provided your certificate to correct
the issues with the certificate. Your CA should be aware that the SHA-1
hashing algorithm for signing certificates was deprecated at the start of
this year. Certificates that use SHA-1 and are timestamped after January
1, 2016 are not recognized by SmartScreen. This applies to all levels of
the certificate chain. Once all certificates are in compliance, they can
gain reputation in our system.
While the certificates gain reputation, some warnings may be seen. However,
using the same details for the new certificates as the previous
established certificates (name, email address, etc.) can help the process.
Another option is to obtain an EV Authenticode certificate. An application
signed with an EV Authenticode certificate can immediately establish
reputation with SmartScreen reputation services even if no prior
reputation exists for that file or Authenticode certificate. EV code
signing certificates are now being issued by Symantec, DigiCert, and
GlobalSign.
Here are some links with information about the certificate signing change.
The first link offers some helpful information under the heading “Code
Signing Guidance”.
• http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
• https://technet.microsoft.com/library/security/3123479
• https://support.microsoft.com/en-us/kb/3123479
We hope that this information has been helpful.
--
Ticket URL: <https://developer.pidgin.im/ticket/16971>
Pidgin <https://pidgin.im>
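
One way to check the condition this report describes, as an added example that is not part of the ticket or of Pidgin's own tooling: the PowerShell below lists the signature algorithm of every certificate in a signed file's signer and timestamper chains and marks the SHA-1 ones. The `$Path` parameter and the function name `Get-ChainAlgorithms` are assumptions, and the chains are built from the local Windows certificate stores.

```powershell
# Added example: report the signature algorithm at each level of the
# Authenticode certificate chain and flag certificates signed with SHA-1.
# $Path is an assumption: pass the signed installer you want to inspect.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

function Get-ChainAlgorithms {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Role
    )
    # OIDs of SHA-1 based certificate signature algorithms (RSA, ECDSA, DSA, legacy RSA).
    $sha1Oids = '1.2.840.113549.1.1.5', '1.2.840.10045.4.1',
                '1.2.840.10040.4.3', '1.3.14.3.2.29'

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the algorithms are inspected, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() returns $false for an untrusted chain; found elements are still listed.
    [void]$chain.Build($Certificate)

    $level = 0
    foreach ($element in $chain.ChainElements) {
        $alg = $element.Certificate.SignatureAlgorithm
        [pscustomobject]@{
            Role      = $Role
            Level     = $level          # 0 = leaf, highest = root
            Subject   = $element.Certificate.Subject
            Algorithm = $alg.FriendlyName
            IsSha1    = $alg.Value -in $sha1Oids
        }
        $level++
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    throw "No Authenticode signature found on $Path"
}

$report = @(Get-ChainAlgorithms -Certificate $sig.SignerCertificate -Role 'Signer')
if ($sig.TimeStamperCertificate) {
    $report += Get-ChainAlgorithms -Certificate $sig.TimeStamperCertificate -Role 'Timestamper'
}
$report | Format-Table -AutoSize
```

Any row with `IsSha1` set to `True` is a certificate in the Certification Path that still carries a SHA-1 signature.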