[Pidgin] #16971: Pidgin installer is blocked by Windows Smartscreen because intermediate code-signing cert is SHA-1

Pidgin trac at pidgin.im
Thu Mar 3 19:11:55 EST 2016


#16971: Pidgin installer is blocked by Windows Smartscreen because intermediate
code-signing cert is SHA-1
-----------------------+-------------------------------------------
 Reporter:  mlindgren  |      Owner:
     Type:  defect     |     Status:  new
Milestone:             |  Component:  pidgin (gtk)
  Version:  2.10.12    |   Keywords:  windows smartscreen installer
-----------------------+-------------------------------------------
 Our investigation indicated that there is an issue with the certificate
 used to sign your setup application (downloaded from
 http://sourceforge.net/projects/pidgin/files/Pidgin/2.10.12/pidgin-2.10.12.exe/),
 which results in it being identified as corrupt or invalid when your file
 is downloaded. While it is possible to download the file anyway,
 SmartScreen will not recognize the validity of your certificate, and
 delivers the message that your application is unrecognized on install.
 The issue appears to be that not all the certificates in the Certification
 Path are using the SHA-256 hashing algorithm; some use the deprecated SHA-1
 hashing algorithm.
 This is shown below.


 You may want to contact the CA that provided your certificate to correct
 the issues with the certificate. Your CA should be aware that the SHA-1
 hashing algorithm for signing certificates was deprecated at the start of
 this year. Certificates that use SHA-1 and are timestamped after January
 1, 2016 are not recognized by SmartScreen. This applies to all levels of
 the certificate chain. Once all certificates are in compliance, they can
 gain reputation in our system.

 While the certificates gain reputation, some warnings may be seen. However,
 using the same details for the new certificates as the previous
 established certificates (name, email address, etc.) can help the process.

 Another option is to obtain an EV Authenticode certificate. An application
 signed with an EV Authenticode certificate can immediately establish
 reputation with SmartScreen reputation services even if no prior
 reputation exists for that file or Authenticode certificate. EV code
 signing certificates are now being issued by Symantec, DigiCert, and
 GlobalSign.
 Here are some links with information about the certificate signing change.
 The first link offers some helpful information under the heading "Code
 Signing Guidance".
 •       http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
 •       https://technet.microsoft.com/library/security/3123479
 •       https://support.microsoft.com/en-us/kb/3123479

 We hope that this information has been helpful.

--
Ticket URL: <https://developer.pidgin.im/ticket/16971>
Pidgin <https://pidgin.im>
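The chain check Microsoft describes in the ticket can be reproduced on any Windows machine before uploading a build. The script below is an added example, not code from the ticket or from the Pidgin project: it reads the Authenticode signature of an installer, walks both the signer chain and the timestamp chain, prints each certificate's signature algorithm, and flags any leaf or intermediate that is SHA-1 signed. The only assumption is the installer path passed as a parameter. Two caveats a practitioner should keep in mind: a self-signed root's own signature is never verified by Windows, so SHA-1 on the root is not what SmartScreen objects to, and Get-AuthenticodeSignature does not expose the countersignature time, so whether the file was timestamped before or after 2016-01-01 has to be read from `signtool verify /v /pa <file>`.

```powershell
<#
  Added example, not code from the ticket or from the Pidgin project:
  list every certificate in an installer's signer chain and timestamp chain
  with its signature algorithm, flagging non-root certificates signed with
  SHA-1. Usage: .\Test-AuthenticodeChainHash.ps1 -Path .\pidgin-2.10.12.exe
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# signatureAlgorithm OIDs that the Windows SHA-1 deprecation covers.
$Sha1SignatureOids = @{
    '1.2.840.113549.1.1.5' = 'sha1RSA'
    '1.2.840.10040.4.3'    = 'sha1DSA'
    '1.2.840.10045.4.1'    = 'sha1ECDSA'
}

function Get-ChainReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [string]$Label
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation status is beside the point here and needs network access.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() returning $false only means the chain is untrusted locally;
    # the elements are still populated and worth inspecting.
    $null = $chain.Build($Leaf)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $last = $certs.Count - 1
    for ($i = 0; $i -le $last; $i++) {
        $cert   = $certs[$i]
        $isRoot = ($i -eq $last) -and ($cert.Subject -eq $cert.Issuer)
        $role   = if ($i -eq 0) { 'leaf' } elseif ($isRoot) { 'root' } else { 'intermediate' }
        # A self-signed root's signature is never verified, so SHA-1 there is
        # harmless; it is the leaf and intermediates that SmartScreen rejects.
        $weak = (-not $isRoot) -and $Sha1SignatureOids.ContainsKey($cert.SignatureAlgorithm.Value)
        [pscustomobject]@{
            Chain      = $Label
            Role       = $role
            Subject    = $cert.GetNameInfo('SimpleName', $false)
            SigAlg     = $cert.SignatureAlgorithm.FriendlyName
            NotBefore  = $cert.NotBefore.ToString('yyyy-MM-dd')
            Sha1Signed = $weak
        }
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    Write-Error "No Authenticode signature on $Path (status: $($sig.Status))"
    exit 1
}
"Signature status: $($sig.Status)"

$rows = @(Get-ChainReport -Leaf $sig.SignerCertificate -Label 'signer')
if ($null -ne $sig.TimeStamperCertificate) {
    $rows += @(Get-ChainReport -Leaf $sig.TimeStamperCertificate -Label 'timestamp')
}
$rows | Format-Table -AutoSize

$bad = @($rows | Where-Object { $_.Sha1Signed })
if ($bad.Count -gt 0) {
    Write-Warning ("$($bad.Count) certificate(s) are SHA-1 signed; with a countersignature " +
                   "timestamp on or after 2016-01-01 this signature gains no SmartScreen reputation.")
    exit 2
}
"All leaf and intermediate certificates are SHA-2 signed."
```

X509Chain builds the path from the local certificate store and AIA fetching rather than from the intermediates embedded in the file's PKCS#7 blob, so run the script on a machine provisioned like an end user's; a cross-signed intermediate can otherwise produce a different path from the one SmartScreen sees. Exit code 2 makes the check usable as a gate in a release pipeline.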

