search cancel

Intelligent Updater download error The signature of this file is corrupt or invalid

book

Article ID: 162897

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Attempting to download an Intelligent Updater package causes a warning notification by either Internet Explorer or Microsoft Edge that the file is not trusted. The warning still allows the file to be downloaded.

Internet Explorer:
The signature of <file>.exe is corrupt or invalid.

Microsoft Edge:
The signature of this file is corrupt or invalid

 

Cause

A Microsoft security advisory deprecated the use of SHA-1 hashing for certificates on January 12, 2016. Any download of a signed file timestamped January 1, 2016 or later, without a SHA-2 (SHA-2 256) or better hash will be affected.

From Microsoft KB 3123479:
“For customers running either Internet Explorer or Microsoft Edge who download a SHA-1 signed file from the Internet that is timestamped and released on January 1, 2016, or later, SmartScreen will mark the file as not trusted. This status does not prevent customers from downloading the file or running these browsers on their computers. But customers are warned of the not trusted status of the file.”

Resolution

Symantec has added dual signing using SHA-1 and SHA-2 256 hashes to resolve this issue. This allows trust to be maintained on a legacy OS, such as Windows Server 2003 or Windows XP, while supporting the enhanced security offered by SHA-2.

 

Reference:
https://technet.microsoft.com/library/security/3123479
https://support.microsoft.com/en-us/kb/3123479