
Topic: foobar 1.3.10 Invalid Signature

  • Jailhouse
foobar 1.3.10 Invalid Signature
I got the message, "The signature of foobar2000_v1.3.10 is corrupt or invalid" when downloading. I haven't seen this with previous downloads.

  • marc2003
  • Developer
Re: foobar 1.3.10 Invalid Signature
Reply #1
No problems here. You could try clearing your browser cache? Or visit the download page again. Don't refresh because the site has some sort of file id anti-leeching thing that expires.

  • Jailhouse
Re: foobar 1.3.10 Invalid Signature
Reply #2
I found the following from this page:

"Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself."

Peter's certificate is an SHA-1

The person linking to the above was having the same problem with IE11 (which I use), but said that he could use both Chrome and Edge(!) to download without trouble. I confirmed that using Chrome works, but Edge gives me the same message, as I expected.

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #3
Thanks for the report.

I've reuploaded it with a SHA-256 signature on the installer. Individual binaries will be also signed starting with the next update.

  • Jailhouse
Re: foobar 1.3.10 Invalid Signature
Reply #4
I still get the "invalid or corrupt" signature message. I checked the signature properties; the digest algorithm is sha256, and the timestamp is "Not available." Windows says it's "OK."

I tried clearing the IE11 browser cache of temporary internet/website files and downloaded files, and I deleted all cookies from the date 1.3.10 was released to the present. (Might there be an older foobar2000.org cookie I need to excise?) I also tried making foobar2000.org a trusted site (using https:// instead of http://) and rebooting. None of this worked.

I didn't mention before that I'm using Windows 10 Home. Either it's causing a problem or I'm still missing something. Odds are it's the latter.

Re: foobar 1.3.10 Invalid Signature
Reply #5
Hello all. I've been a long-time foobar user but only just registered here to say that this build of foobar is causing Windows SmartScreen (in Win10 Pro) to block the installer. This is the first and only instance of Windows SmartScreen ever flagging a foobar installer, and in this case it seems to believe the 1.3.10 installer is from an unknown publisher. This problem is occurring after downloading the file with Firefox 45.0.1. I have no idea why this is happening, but there appears to still be something up with it.

edit: also this issue is occurring with both the SHA-256 signed installer and the previous one from last week.
  • Last Edit: 28 March, 2016, 03:09:56 AM by anthropocene78

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #6
Apparently even MS Edge on my workstation still complains. Not sure what the problem is, I suggest complaining at Microsoft - which is what I'll do if the issue persists.

  • Jailhouse
Re: foobar 1.3.10 Invalid Signature
Reply #7
The installer can be unblocked by opening its Properties dialog and ticking the Unblock box near the bottom of the General tab.

  • DustMagnet
Re: foobar 1.3.10 Invalid Signature
Reply #8
Quote
The installer can be unblocked by opening its Properties dialog and ticking the Unblock box near the bottom of the General tab.

Hmm, I don't see this option. I'm running Win10 Pro Insider Build 14291. Anyway, I'm going to send feedback to Microsoft on this issue.
That's so plausible, I can't believe it.

  • Jailhouse
Re: foobar 1.3.10 Invalid Signature
Reply #9
@Peter
Might the problem with the signature be the lack of a timestamp? Also, Edge is no more successful for me than IE11. I can't imagine how that other guy got it to work.

Edit: Microsoft TechNet KB3123479 ( https://technet.microsoft.com/library/security/3123479 ) mentions SHA-2 hashes and nothing about sha256. Under 'Suggested Actions' is:

Quote
Update from SHA-1 to SHA-2
Certificate authorities should no longer sign newly generated certificates using the SHA-1 hashing algorithm. Customers should ensure that their certificate authorities are using the SHA-2 hashing algorithm to obtain SHA-2 certificates from their certificate authorities. To sign code with SHA-2 certificates, see the guidance on this topic at Windows Enforcement of Authenticode Code Signing and Timestamping.

The other link may have been misleading, or perhaps incomplete.

Quote
this is the first and only instance of Windows SmartScreen ever flagging a foobar installer, and in this case it seems to believe the 1.3.10 installer is from an unknown publisher.
edit: also this issue is occurring with both the SHA-256 signed installer and the previous one from last week.
I turned off Smartscreen, rebooted, then downloaded the installer and found it still blocked, so I doubt Smartscreen is at fault. With the issue on the Home, Pro, and Insider Build versions, it appears Windows 10 is having a general problem with digital signatures. As I mentioned before, it deems the signature for this file "OK" (on my PC, at least), but still reports it as invalid and blocks the file.

Quote
The installer can be unblocked by opening its Properties dialog and ticking the Unblock box near the bottom of the General tab.
Hmm, I don't see this option. I'm running Win10 Pro Insider Build 14291.
See the image below. Are you missing the security message at the bottom?
  • Last Edit: 28 March, 2016, 03:33:01 PM by Jailhouse

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #10
It gets even weirder, now Edge on my laptop rejects it ("The signature of this file is corrupt or invalid") while Edge on my desktop accepts it...

It seems SmartScreen is not to be taken very seriously...

  • Jailhouse
Re: foobar 1.3.10 Invalid Signature
Reply #11
The "SmartScreen" name is half correct.

The good news is that downloading the installer in spite of the message and unblocking it allows it to run without incident.

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #12
My official response.

I presume that SmartScreen will shut the hell up after enough downloads of an unsigned binary.

Even the tool I used to remove the signature from the installer did not trip SmartScreen, even though it had no signature and certainly gets downloaded less.
  • Last Edit: 03 April, 2016, 11:14:22 PM by Peter

Re: foobar 1.3.10 Invalid Signature
Reply #13
For what it's worth, I don't think it's enough just to sign with SHA-256 - you need an Extended Validation certificate, which requires, among other things, a hardware token for the private key:

https://www.symantec.com/code-signing/extended-validation/

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #14
Yes, I've figured we need a new certificate.

I got my current cert from StartSSL. Sadly StartSSL support has no clue what this is about. I certainly won't be using their services again - a certificate that I paid for turned useless before its expiration date and they haven't done anything to help me with it.

Lots of legitimate major Windows projects don't sign their installers at all and Microsoft tools don't complain. I'd love to do better, but I have plenty of more urgent things to work on.

This whole thing has taken too much of my time already; currently foobar2000 for Windows is only one of many projects that I'm responsible for. I don't mind paying for another certificate and sending relevant documents over - it's spending time on figuring out idiotic requirements where different Microsoft tools disagree with one another that I no longer wish to spend time on (and what if they change their policies again for arbitrary reasons so I have to start over?).
  • Last Edit: 04 April, 2016, 02:33:43 AM by Peter

  • musicmusic
  • Developer
Re: foobar 1.3.10 Invalid Signature
Reply #15
I had a closer look at the certificate of the second foobar2000.exe uploaded.

Although the certificate itself is signed using SHA256, not all the certificates in the chain are:

http://imgur.com/a/7GoPN
  • Last Edit: 04 April, 2016, 05:41:47 PM by musicmusic

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #16
Yes, so it is essentially StartSSL's fault, thanks for the effort.

If Microsoft tools consistently reported failure, it would be at least easier to explain to them; instead they just blame Microsoft SmartScreen.

It's even funnier that with my certificate, I cannot sign anything outside my Windows 7 VM used for foobar2000 compiling and packaging; signtool running natively on my Windows 10 workstation refuses to sign, but it won't say in detail why the cert chain is wrong.

  • DrPizza
Re: foobar 1.3.10 Invalid Signature
Reply #17
Quote
Yes, so it is essentially StartSSL's fault, thanks for the effort.

If Microsoft tools consistently reported failure, it would be at least easier to explain to them; instead they just blame Microsoft SmartScreen.

It's even funnier that with my certificate, I cannot sign anything outside my Windows 7 VM used for foobar2000 compiling and packaging; signtool running natively on my Windows 10 workstation refuses to sign, but it won't say in detail why the cert chain is wrong.
StartSSL seems to have really dropped the ball here. They've known about the deprecation of SHA-1 for years; it's baffling that they'd sell SHA-256 certificates with SHA-1 intermediates.

I do hope you can get this fixed, though; VirusTotal has no ability to detect tampering of the executable, so is not really a good substitute for a signature.

  • musicmusic
  • Developer
Re: foobar 1.3.10 Invalid Signature
Reply #18
Peculiarly, the copy of foobar2000_v1.3.9.exe I have shows up as having a SHA-256 intermediate certificate, and Edge is happy with that one. From the link posted earlier:

Quote
For the policies being enforced for code signing and timestamping certificates at what level of the PKI hierarchy is the policy being enforced at?

The policies will be enforced for all the certificates under the root certificate (i.e. the leaf and intermediate certificates)

It does seem odd that signtool verify /pa /v does not agree with Edge/IE.
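An added example (not code from this thread, from foobar2000 or from Microsoft) that automates what the posts above checked by hand: the missing timestamp from Reply #4, the Mark-of-the-Web that the Unblock box in Reply #7 clears, and the SHA-1 intermediate under a SHA-256 leaf that musicmusic found in Replies #15 and #18. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the installer path is a placeholder.

```powershell
# Added example: report the properties this thread inspected by hand for one downloaded file.
# Assumes Windows PowerShell 5.1+ on NTFS; the path used at the bottom is a placeholder.
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Mark-of-the-Web: browsers tag downloads with a Zone.Identifier alternate data
    # stream (ZoneId=3 means "Internet"). This is what Properties > Unblock removes.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue |
            Where-Object { $_ -like 'ZoneId=*' }
    $motw = if ($zone) { $zone } else { 'none' }

    # Authenticode status, plus whether the signature carries a countersignature
    # timestamp (shown as "Not available" in the file's Properties when it does not).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }

    # Walk the signer's chain and record the algorithm each certificate was signed with.
    # The quoted Microsoft policy covers the leaf and intermediates, not the root, so the
    # self-signed root (last element) is skipped.
    $chainInfo = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline inspection only
        [void]$chain.Build($sig.SignerCertificate)
        $elements = @($chain.ChainElements)
        for ($i = 0; $i -lt $elements.Count - 1; $i++) {
            $cert = $elements[$i].Certificate
            $chainInfo += [pscustomobject]@{
                Subject  = $cert.Subject
                SigAlg   = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha1RSA
                NotAfter = $cert.NotAfter
            }
        }
    }

    # A SHA-256 leaf issued by a SHA-1 intermediate is the pattern found on the reuploaded
    # 1.3.10 installer; any sha1* element below the root fails the policy quoted above.
    $sha1 = @($chainInfo | Where-Object { $_.SigAlg -like 'sha1*' })

    [pscustomobject]@{
        File            = $Path
        MarkOfTheWeb    = $motw
        SignatureStatus = $sig.Status
        Signer          = $signer
        Timestamped     = [bool]$sig.TimeStamperCertificate
        Chain           = $chainInfo
        Sha1BelowRoot   = $sha1.Count -gt 0
    }
}

Get-InstallerSignatureReport -Path 'C:\Downloads\foobar2000_v1.3.10.exe' | Format-List
```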

  • jamrial
Re: foobar 1.3.10 Invalid Signature
Reply #19
If you can't or don't plan to replace the signature then please at least share somewhere in the download page md5/sha1/sha2 checksums of every new non-signed installer. Alternatively, and technically even more recommended, would be signing them with a PGP signature.
It will give us some assurance the file we downloaded is in fact the one you intended to make public.

Among other reasons this is important because of websites rehosting your installers. As others have pointed out, there's no guarantee they have not been tampered with if they are not signed.

  • kode54
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #20
I can invite Peter to Keybase.io, where they can publish their certified keys, and also certify other things that are supported by Keybase, such as domains.

For Keybase, I do recommend using an existing PGP/GPG key as the starter key, though, rather than letting the site generate it. That way, you don't have to figure out how to get that key into your local copy of PGP/GPG later.

  • zqae
Re: foobar 1.3.10 Invalid Signature
Reply #21
Downloaded w/ Firefox & installed on Win 10 Pro x64 on 29-3-2016, never saw any problem; wonder why use Edge or IE anyway.

  • Peter
  • Administrator
Re: foobar 1.3.10 Invalid Signature
Reply #22
It's not just Microsoft Edge that's at fault - downloads from other browsers are also flagged as coming from the internet and trigger this message.
Anyway, with the signature removed, we no longer trip SmartScreen as far as I can tell.

  • Jailhouse
Re: foobar 1.3.10 Invalid Signature
Reply #23
The installer downloads without complaint using IE11. Running it triggers a dialog asking if I want to let an app from "an unknown publisher" make changes to my machine, and that happens whether or not I tick the Unblock box in Properties beforehand. Peter is hardly an "unknown" as far as I'm concerned, so I'll happily click Yes to get on with it.

  • musicmusic
  • Developer
Re: foobar 1.3.10 Invalid Signature
Reply #24
Quote
Anyway, with the signature removed, we no longer trip SmartScreen as far as I can tell.
I've had the blue SmartScreen screen pop up before when running unknown, unsigned downloaded programs (I'm pretty sure they were downloaded using Firefox as well). Depending on the reason for that, it may well be triggered for foobar2000 for a short period after a new release.
  • Last Edit: 13 April, 2016, 01:38:29 AM by musicmusic