Opened 23 months ago

#16971 new defect

Pidgin installer is blocked by Windows Smartscreen because intermediate code-signing cert is SHA-1

Reported by: mlindgren
Owned by:
Milestone:
Component: pidgin (gtk)
Version: 2.10.12
Keywords: windows smartscreen installer
Cc:

Description

Our investigation indicated that there is an issue with the certificate used to sign your setup application (downloaded from http://sourceforge.net/projects/pidgin/files/Pidgin/2.10.12/pidgin-2.10.12.exe/), which results in it being identified as corrupt or invalid when your file is downloaded. While it is possible to download the file anyway, SmartScreen will not recognize the validity of your certificate, and delivers the message that your application is unrecognized on install. The issue appears to be that not all the certificates in the Certification Path are using the SHA-256 hashing algorithm, but the deprecated SHA-1 hashing algorithm. This is shown below.

You may want to contact the CA that provided your certificate to correct the issues with the certificate. Your CA should be aware that the SHA-1 hashing algorithm for signing certificates was deprecated at the start of this year. Certificates that use SHA-1 and are timestamped after January 1, 2016 are not recognized by SmartScreen. This applies to all levels of the certificate chain. Once all certificates are in compliance, they can gain reputation in our system.

While the certificates gain reputation, some warnings may be seen. However, using the same details for the new certificates as the previously established certificates (name, email address, etc.) can help the process.

Another option is to obtain an EV Authenticode certificate. An application signed with an EV Authenticode certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or Authenticode certificate. EV code signing certificates are now being issued by Symantec, DigiCert, and GlobalSign. Here are some links with information about the certificate signing change. The first link offers some helpful information under the heading “Code Signing Guidance”.

We hope that this information has been helpful.
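One way to check the condition the description names, that every certificate in the Certification Path is signed with SHA-256 rather than SHA-1, is the PowerShell sketch below. It is an added example, not part of the ticket or of Pidgin's build tooling; the function name `Get-SignerChainHashAlgorithm` and the local path to the downloaded installer are assumptions.

```powershell
# Added example: list the signature algorithm of each certificate in the
# Authenticode chain of a signed file and flag the ones that use SHA-1.
function Get-SignerChainHashAlgorithm {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # OIDs of SHA-1 based certificate signature algorithms
    # (matching on OID avoids depending on localized friendly names).
    $sha1Oids = @(
        '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
        '1.3.14.3.2.29',         # sha1WithRSASignature (OIW)
        '1.2.840.10045.4.1',     # ecdsa-with-SHA1
        '1.2.840.10040.4.3'      # dsa-with-sha1
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        throw "No Authenticode signature on '$Path' (status: $($sig.Status))."
    }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Only the algorithms are of interest here, so skip revocation checks.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false for an untrusted or incomplete chain; the
    # elements it could assemble from the local stores are still listed.
    $null = $chain.Build($sig.SignerCertificate)

    $depth = 0   # 0 = signing certificate, last element = root
    foreach ($element in $chain.ChainElements) {
        $alg = $element.Certificate.SignatureAlgorithm
        [pscustomobject]@{
            Depth              = $depth
            Subject            = $element.Certificate.Subject
            SignatureAlgorithm = $alg.FriendlyName
            UsesSha1           = $alg.Value -in $sha1Oids
        }
        $depth++
    }
}

# Assumed location of the installer named in the ticket, downloaded locally.
$installer = '.\pidgin-2.10.12.exe'
if (Test-Path $installer) {
    Get-SignerChainHashAlgorithm -Path $installer | Format-Table -AutoSize
}
```

Any row with `UsesSha1` set to `True` is a chain element of the kind the description refers to.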

Change History (0)
