MSI file signature verification fails on Windows 10 (20H2 19042.1052) and (1909 18363.1198)

MsdnUsrSince1994 16 Reputation points
2021-06-25T13:26:04.393+00:00

We have recently observed that Windows 10 (20H2 19042.1052) and (1909 18363.1198) no longer accept signed MSI files that are accepted by Windows 10 (1803 and older) and by Windows 8.1.

Specifically, the newer Windows 10 builds return error 0x80096010 (TRUST_E_BAD_DIGEST) for MSI files that validate fully on the older builds. This is the error code from WinVerifyTrustEx; the general user interface just says the signature is bad.

The signatures tested are SHA384 signatures with recent EV Code signing certificates.

The question is: what additional criteria for MSI digital signatures does Windows 10 (1909) check that were not checked by those older versions?

Our goal is to fine tune our signature generation process to still pass validation on all Windows versions.


2 answers

  1. MsdnUsrSince1994 16 Reputation points
    2021-06-28T21:54:03.297+00:00

    "Upgrading to the latest version" (of Windows) has the opposite effect of actually CAUSING THE PROBLEM. Upgrading the program being installed requires the developer (US) to know what to change.

    This forum was accessed directly from the MSDN (MS Developer Network) site, so obviously someone not able to answer development questions has no business being a "community expert" here.

    The MSDN main page has no other links to support contact points, and instead threw us into the hands of this forum of inept answers.

    1 person found this answer helpful.

  2. Jenny Feng 14,246 Reputation points
    2021-06-28T02:05:46.73+00:00

    @MsdnUsrSince1994
    Hi,
    According to my research, there is no relevant additional criteria information provided.
    Usually, upgrading from older versions to the latest will fix the MSI issue.
    Your situation seems a bit complicated.
    To be honest, for your request, opening a support ticket with Microsoft should be more effective than asking in Q&A.
    https://support.microsoft.com/en-gb/hub/4343728/support-for-business

    Hope the above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread
