#15617 closed defect (wontfix)
Windows Installer invalid signature due to expired certificate
| Reported by: | GermanTribun | Owned by: | lotharsm |
|---|---|---|---|
| Priority: | normal | Component: | Port: Win64 |
| Version: | | Keywords: | |
| Cc: | | Game: | |
Description
I stumbled over this when trying to install the newest 2.9.0 with the installer. Windows SmartScreen complained that the file is not trustworthy, and turning SmartScreen off, Windows still complained that it thinks something is fishy about it.
It installed without problem, but I took a look and Windows notes that the timestamp of the signature does not fit with the certificate, thus why it threw such a stink. The date displayed was December 8th. However, the certificate expired in April, thus why Windows was unhappy.
Since this is seriously annoying, can the installer be offered with a fixed signature and renewed certificate?
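A release-side check for the condition described in this ticket, as an added example that is not part of the ticket or the project's build scripts: it uses PowerShell's `Get-AuthenticodeSignature` to reject an installer whose signature Windows does not report as valid, whose signing certificate is outside its validity period, or which carries no timestamp. The function name `Test-InstallerSignature` and the default file path are assumptions for illustration.

```powershell
# Added example, not the project's own tooling.
# Pre-release gate: refuse to publish an installer whose Authenticode
# signature Windows would not accept.
param(
    # Assumption: hypothetical path to the installer under test.
    [string] $Path = '.\installer-under-test.exe'
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)] [string] $FilePath)

    $sig    = Get-AuthenticodeSignature -FilePath $FilePath
    $issues = [System.Collections.Generic.List[string]]::new()

    if ($sig.Status -eq 'NotSigned') {
        $issues.Add('File is not signed.')
    }
    elseif ($sig.Status -ne 'Valid') {
        # Any non-Valid status, including a signature rejected for time reasons.
        $issues.Add("Signature status is $($sig.Status): $($sig.StatusMessage)")
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $issues.Add("Signer certificate '$($cert.Subject)' is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter)).")
        }
        if (-not $sig.TimeStamperCertificate) {
            # Without a timestamp the signature stops validating once the certificate expires.
            $issues.Add('No timestamp countersignature on the file.')
        }
    }

    [pscustomobject]@{
        File     = $FilePath
        Status   = $sig.Status
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Issues   = $issues
        Pass     = ($issues.Count -eq 0)
    }
}

$result = Test-InstallerSignature -FilePath $Path
$result | Format-List
if (-not $result.Pass) { exit 1 }   # non-zero exit fails the release job
```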
Attachments (2)
Change History (9)
comment:1 by , 18 months ago
comment:2 by , 18 months ago
| Owner: | set to |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
comment:3 by , 18 months ago
The expired certificate has now been removed. If SmartScreen doesn't calm down (it takes a couple of days, no matter if it is signed with an expired certificate or no certificate at all), then I'll push the unsigned installer through WinSparkle.
But for now, this shouldn't change the behavior. Sorry about that, but that's how SmartScreen works.
To put things more in perspective: When I started with signing the installers, I was able to get a certificate for around 60 USD. Now, around three years later, prices are at least 220 USD with heavy verification requirements I am not willing to take anymore.
comment:4 by , 18 months ago
Ehm, call me ignorant, but won't Windows continue to complain until the download got replaced with one that is not signed (and therefore doesn't need a certificate)?
comment:5 by , 18 months ago
No, in both cases, SmartScreen detects the application as published by an unknown publisher, no matter if the certificate is invalid or missing.
However, UAC will always trigger, that's expected. SmartScreen is largely based on how well-known an application is - and this happened with 2.8.1 as well when we released it; SmartScreen was complaining about it as well when the download was new.
comment:6 by , 18 months ago
I ask, because that NEVER before happened to me. I installed a lot of stuff over the years and never had SmartScreen complain. The UAC I know about, that was never the issue.
Attached the two screens that pop up. The first when SmartScreen is activated, the second when deactivated. Sorry it's in German, but I think it's still understandable.
by , 18 months ago
| Attachment: | Screen1.png added |
|---|
by , 18 months ago
| Attachment: | Screen2.png added |
|---|
comment:7 by , 18 months ago
Yes, I know exactly what you are talking about.
And for the last time, this is expected behavior and it happens to unsigned applications as well.
Please stop replying to this ticket, it is CLOSED.

That's correct, I let the certificate expire.
They raise prices each and every year and reached ridiculous levels and requirements now.
SmartScreen will calm down in a couple of days as usual. The signed installer won't come back. I'll remove the expired certificate though, so thanks for pointing that out.