HydrogenAudio

Hosted Forums => foobar2000 => Support - (fb2k) => Topic started by: Jailhouse on 2016-03-25 17:33:04

Title: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-03-25 17:33:04
I got the message, "The signature of foobar2000_v1.3.10 is corrupt or invalid" when downloading. I haven't seen this with previous downloads.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: marc2003 on 2016-03-25 17:44:25
No problems here. You could try clearing your browser cache? Or visit the download page again. Don't refresh because the site has some sort of file id anti-leeching thing that expires.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-03-25 19:17:21
I found the following from this page (http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx):

"Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself."

Peter's certificate is SHA-1.

The person linking to the above was having the same problem with IE11 (which I use), but said that he could use both Chrome and Edge(!) to download without trouble. I confirmed that using Chrome works, but Edge gives me the same message, as I expected.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-03-27 11:25:50
Thanks for the report.

I've reuploaded it with a SHA-256 signature on the installer. Individual binaries will be also signed starting with the next update.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-03-27 20:50:35
I still get the "invalid or corrupt" signature message. I checked the signature properties; the digest algorithm is sha256, timestamp is "Not available." Windows says it's "OK."

I tried clearing the IE11 browser cache of temporary internet/website files and downloaded files, and I deleted all cookies from the date 1.3.10 was released to the present. (Might there be an older foobar2000.org cookie I need to excise?) I also tried making foobar2000.org a trusted site (using https:// instead of http://) and rebooting. None of this worked.

I didn't mention before that I'm using Windows 10 Home. Either it's causing a problem or I'm still missing something. Odds are it's the latter.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: anthropocene78 on 2016-03-28 07:48:57
Hello all. I've been a long-time foobar user but only just registered here to say this build of foobar is causing Windows SmartScreen (in Win10 Pro) to block the installer. This is the first and only instance of Windows SmartScreen ever flagging a foobar installer, and in this case it seems to believe the 1.3.10 installer is from an unknown publisher. This problem is occurring after downloading the file with Firefox 45.0.1. I have no idea why this is happening, but there appears to still be something up with it.

edit: also this issue is occurring with both the SHA-256 signed installer and the previous one from last week.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-03-28 08:45:43
Apparently even MS Edge on my workstation still complains. Not sure what the problem is, I suggest complaining at Microsoft - which is what I'll do if the issue persists.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-03-28 15:14:27
The installer can be unblocked by opening its Properties dialog and ticking the Unblock box near the bottom of the General tab.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: DustMagnet on 2016-03-28 17:22:16
The installer can be unblocked by opening its Properties dialog and ticking the Unblock box near the bottom of the General tab.

Hmm, I don't see this option. I'm running Win10 Pro Insider Build 14291. Anyway, I'm going to send feedback to Microsoft on this issue.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-03-28 20:08:26
@Peter
Might the problem with the signature be the lack of a timestamp? Also, Edge is no more successful for me than IE11. I can't imagine how that other guy got it to work.

Edit: Microsoft TechNet KB3123479 ( https://technet.microsoft.com/library/security/3123479 ) mentions SHA-2 hashes and nothing about sha256. Under 'Suggested Actions' is:

Quote
Update from SHA-1 to SHA-2
Certificate authorities should no longer sign newly generated certificates using the SHA-1 hashing algorithm. Customers should ensure that their certificate authorities are using the SHA-2 hashing algorithm to obtain SHA-2 certificates from their certificate authorities. To sign code with SHA-2 certificates, see the guidance on this topic at Windows Enforcement of Authenticode Code Signing and Timestamping.

The other link may have been misleading, or perhaps incomplete.


this is the first and only instance of Windows SmartScreen ever flagging a foobar installer, and in this case it seems to believe the 1.3.10 installer is from an unknown publisher.
edit: also this issue is occurring with both the SHA-256 signed installer and the previous one from last week.
I turned off Smartscreen, rebooted, then downloaded the installer and found it still blocked, so I doubt Smartscreen is at fault. With the issue on the Home, Pro, and Insider Build versions, it appears Windows 10 is having a general problem with digital signatures. As I mentioned before, it deems the signature for this file "OK" (on my PC, at least), but still reports it as invalid and blocks the file.

The installer can be unblocked by opening its Properties dialog and ticking the Unblock box near the bottom of the General tab.
Hmm, I don't see this option. I'm running Win10 Pro Insider Build 14291.
See the image below. Are you missing the security message at the bottom?
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-03-29 08:10:27
It gets even weirder, now Edge on my laptop rejects it ("The signature of this file is corrupt or invalid") while Edge on my desktop accepts it....

It seems SmartScreen is not to be taken very seriously...
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-03-29 19:39:07
The "SmartScreen" name is half correct.

The good news is that downloading the installer in spite of the message and unblocking it allows it to run without incident.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-04-04 04:02:06
My official response. (http://www.foobar2000.org/fuckmicrosoft)

I presume that SmartScreen will shut the hell up after enough downloads of an unsigned binary.

Even the tool I used to remove signature from the installer did not trip SmartScreen, even though it had no signature and certainly gets downloaded less.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: fatcerberus on 2016-04-04 05:05:43
For what it's worth, I don't think it's enough just to sign with SHA-256 - you need an Extended Validation certificate, which requires, among other things, a hardware token for the private key:

https://www.symantec.com/code-signing/extended-validation/
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-04-04 07:17:58
Yes, I've figured we need a new certificate.

I got my current cert from StartSSL. Sadly StartSSL support has no clue what this is about. I certainly won't be using their services again - a certificate that I paid for turned useless before its expiration date and they haven't done anything to help me with it.

Lots of legitimate major Windows projects don't sign their installers at all and Microsoft tools don't complain. I'd love to do better, but I have plenty of more urgent things to work on.

This whole thing has taken too much of my time already, currently foobar2000 for Windows is only one of many projects that I'm responsible for. I don't mind paying for another certificate and sending relevant documents over - it's spending time on figuring out idiotic requirements where different Microsoft tools disagree with one another that I no longer wish to spend time on (and what if they change their policies again for arbitrary reasons so I have to start over?).
Title: Re: foobar 1.3.10 Invalid Signature
Post by: musicmusic on 2016-04-04 22:35:09
I had a closer look at the certificate of the second foobar2000.exe uploaded.

Although the certificate itself is signed using SHA256, not all the certificates in the chain are:

http://imgur.com/a/7GoPN
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-04-05 06:47:47
Yes, so it is essentially StartSSL fault, thanks for the effort.

If Microsoft tools consistently reported failure, it would be at least easier to explain to them; instead they just blame Microsoft SmartScreen.

It's even funnier that with my certificate, I cannot sign anything outside my Windows 7 VM used for foobar2000 compiling and packaging; signtool running natively on my Windows 10 workstation refuses to sign, but it won't say in detail why the cert chain is wrong.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: DrPizza on 2016-04-05 18:07:51
Yes, so it is essentially StartSSL fault, thanks for the effort.

If Microsoft tools consistently reported failure, it would be at least easier to explain to them; instead they just blame Microsoft SmartScreen.

It's even funnier that with my certificate, I cannot sign anything outside my Windows 7 VM used for foobar2000 compiling and packaging; signtool running natively on my Windows 10 workstation refuses to sign, but it won't say in detail why the cert chain is wrong.
StartSSL seems to have really dropped the ball here. They've known about the deprecation of SHA-1 for years, it's baffling that they'd sell SHA-256 certificates with SHA-1 intermediates.

I do hope you can get this fixed, though; VirusTotal has no ability to detect tampering of the executable, so is not really a good substitute for a signature.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: musicmusic on 2016-04-05 20:05:51
Peculiarly, the copy of foobar2000_v1.3.9.exe I have shows up as having a SHA-256 intermediate certificate, and Edge is happy with that one. From the link posted earlier:

Quote
For the policies being enforced for code signing and timestamping certificates at what level of the PKI hierarchy is the policy being enforced at?

The policies will be enforced for all the certificates under the root certificate (i.e. the leaf and intermediate certificates)

It does seem odd that signtool verify /pa /v does not agree with Edge/IE.
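The two findings above (a SHA-256 leaf over a SHA-1 intermediate, and the policy being enforced on every certificate below the root) are easy to miss because the Properties dialog and Get-AuthenticodeSignature only report a single Status. The following is an added example for this thread, not code from foobar2000 or from Microsoft; it walks the signer chain of a file and prints the signature algorithm of every element, plus whether a timestamp countersignature is present. The download path is an assumption.

```powershell
# Added example for this thread, not code from foobar2000 or Microsoft.
# Walks the Authenticode signer chain of a file and prints the signature
# algorithm of each certificate, plus whether the signature is timestamped.
function Get-AuthenticodeChainReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # This Status is the "OK" the file Properties dialog shows. It says nothing
    # about which hash algorithms the chain uses, which is what the 2016 policy is about.
    Write-Host ("Status    : {0} ({1})" -f $sig.Status, $sig.StatusMessage)
    if ($sig.Status -eq 'NotSigned') { return }

    # No TimeStamperCertificate = no countersignature from a timestamp authority,
    # so the signature is only trusted while the signing certificate itself is valid.
    if ($sig.TimeStamperCertificate) {
        Write-Host ("Timestamp : yes, TSA = {0}" -f $sig.TimeStamperCertificate.Subject)
    } else {
        Write-Host "Timestamp : NONE"
    }

    # Build the chain ourselves so every element is visible, not only the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the report offline
    [void]$chain.Build($sig.SignerCertificate)

    # ChainElements is ordered leaf first, root last.
    foreach ($element in $chain.ChainElements) {
        $cert   = $element.Certificate
        $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        $isRoot = ($cert.Subject -eq $cert.Issuer)
        $kind   = if ($isRoot) { 'root' } else { 'cert' }
        # A self-signed root's own signature is never verified, so SHA-1 there is
        # harmless. SHA-1 on the leaf or on an intermediate is what gets rejected.
        $flag = ''
        if (-not $isRoot -and $alg -like 'sha1*') { $flag = '  <-- SHA-1 below the root' }
        Write-Host ("{0}  {1,-10} expires {2:yyyy-MM-dd}  {3}{4}" -f $kind, $alg, $cert.NotAfter, $cert.Subject, $flag)
    }
}

# Path is an assumption; point it at the installer you downloaded.
Get-AuthenticodeChainReport -Path "$env:USERPROFILE\Downloads\foobar2000_v1.3.10.exe"
```

A file can come back as Status Valid and still have a SHA-1 intermediate flagged on one of the lines, which is exactly the disagreement between the Properties dialog and Edge described in this thread. Revocation checking is switched off only to keep the report offline; turn it back on for a real verdict.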
Title: Re: foobar 1.3.10 Invalid Signature
Post by: jamrial on 2016-04-08 18:02:39
If you can't or don't plan to replace the signature then please at least share somewhere in the download page md5/sha1/sha2 checksums of every new non-signed installer. Alternatively, and technically even more recommended, would be signing them with a PGP signature.
It will give us some assurance the file we downloaded is in fact the one you intended to make public.

Among other reasons this is important because of websites rehosting your installers. As others have pointed out, there's no guarantee they have not been tampered with if they are not signed.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: kode54 on 2016-04-08 19:11:31
I can invite Peter to Keybase.io, where they can publish their certified keys, and also certify other things that are supported by Keybase, such as domains.

For Keybase, I do recommend using an existing PGP/GPG key as the starter key, though, rather than letting the site generate it. That way, you don't have to figure out how to get that key into your local copy of PGP/GPG later.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: zqae on 2016-04-12 15:20:39
Downloaded with Firefox and installed on Win 10 Pro x64 on 29-3-2016; never saw any problem. Wonder why use Edge or IE anyway.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Peter on 2016-04-12 21:56:38
It's not just Microsoft Edge that's at fault - downloads from other browsers are also flagged as coming from the internet and trigger this message.
Anyway, with the signature removed, we no longer trip SmartScreen as far as I can tell.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Jailhouse on 2016-04-12 22:38:18
The installer downloads without complaint using IE11. Running it triggers a dialog asking if I want to let an app from "an unknown publisher" make changes to my machine, and that happens whether or not I tick the Unblock box in Properties beforehand. Peter is hardly an "unknown" as far as I'm concerned, so I'll happily click Yes to get on with it.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: musicmusic on 2016-04-13 06:33:09
Anyway, with the signature removed, we no longer trip SmartScreen as far as I can tell.
I've had the blue SmartScreen screen pop up before when running unknown, unsigned downloaded programs (I'm pretty sure they were downloaded using Firefox as well). Depending on the reason for that, it may well be triggered for foobar2000 for a short period after a new release.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: ptr727 on 2016-04-18 04:18:36
A couple of comments:
Security vendors do not blindly trust any certificate or certificate issuer; the reputation of the certificate owner and certificate issuers is considered, e.g. use of certs in signing malware, PUA, adware, etc., be this via direct use, other certs issued by the issuing authority, or stolen certs.

I could not verify the cert as the current download is not signed, but from the screenshot it looks like it was not cross-signed with a timestamp authority. This means that the binary would only be valid while the signing cert is valid, typically a year; by cross-signing with a timestamp cert, the binary will be valid as long as the timestamp and cert issuer trees are valid, even if the signing cert is no longer valid. It also means it is not properly signed per standard signing guidelines, something security vendors will take into account.

By not signing the binary you are bound to run into trouble every time it is updated.
By signing the installer with a class 3 cert obtained from a trustworthy cert authority (and yes, sometimes this means more $$$), timestamp-signing it, and keeping the signing cert safe, you are in a much better position.

Seeing people swearing at Msft is fun, but there is a reason people, and security software, distrust unsigned or improperly signed binaries.
If you are not going to try and sign again, please publish hashes so the binary's integrity can be verified.

My 2c's :)
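The two properties ptr727 asks for (a SHA-2 file digest and an RFC 3161 timestamp countersignature) map onto a handful of signtool switches. The following is an added example for this thread, not Peter's packaging script; it assumes signtool.exe from the Windows SDK is on PATH, the code-signing certificate lives in the CurrentUser\My store and is selected by thumbprint, and the timestamp URL is whatever your CA documents (the one below is a placeholder).

```powershell
# Added example for this thread, not Peter's actual packaging script.
# Assumes signtool.exe (Windows SDK) is on PATH, the code-signing certificate is
# in the CurrentUser\My store, and $TsaUrl is your CA's RFC 3161 timestamp URL.
$Installer  = '.\foobar2000_v1.3.10.exe'
$Thumbprint = 'PUT-YOUR-CERT-SHA1-THUMBPRINT-HERE'       # assumption: selects the cert from the store
$TsaUrl     = 'http://timestamp.example.invalid/rfc3161'  # placeholder, not a real TSA

# /fd sha256 : SHA-256 file digest (the change Peter made for the re-upload)
# /tr + /td  : RFC 3161 timestamp, with SHA-256 for the timestamp digest too.
#              /t is the legacy Authenticode timestamp and takes no digest option.
& signtool sign /fd sha256 /sha1 $Thumbprint /tr $TsaUrl /td sha256 /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy and print the full chain,
# timestamp included. As noted in the thread, this can pass while Edge still
# rejects the file, so inspect the hash algorithm of every chain element as well.
& signtool verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The timestamp is what keeps the signature valid after the certificate expires; without it, every installer has to be re-signed when the certificate is renewed, and the file starts to look unsigned to verifiers from that date on.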
Title: Re: foobar 1.3.10 Invalid Signature
Post by: jamrial on 2016-04-25 02:28:38
I could not verify the cert as the current download is not signed
You can download the signed version from http://filehippo.com/ if you want to check the cert.

If you are not going to try and sign again, please publish hashes so the binary's integrity can be verified.
+1

As I said before as well, MD5/SHA hashes or a PGP signature is a must if you're really not going to bother signing new binaries from now on.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: kode54 on 2016-04-25 06:51:04
I have advised Peter of Keybase and PGP, and should be able to walk him through signing his downloads, maybe.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: dd on 2016-05-18 11:51:41
Maybe you can get in touch with the people from Gimp, since they recently had similar issues and it appears that they fixed them:
http://www.gimp.org/news/2016/03/17/corrupt-windows-installer-warnings/
http://www.gimp.org/news/2016/03/27/updated-windows-installer-signature/
Title: Re: foobar 1.3.10 Invalid Signature
Post by: zmyxpt on 2016-09-14 10:19:04
Hi! Thank you for developing such awesome software! MS always makes some mistakes, and it's sensible to throw out the signature!
Surely we trust you and we like the software.
But we don't know if it has been modified when we download the installer.
Using some tech (such as the DCM horse system used by the Chinese government), hackers can swap the installer with a fake one.
So I advise you to leave a SHA-256 checksum on the website along with the installer.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Soundwave.Foobar on 2016-10-01 15:46:39
My official response. (http://www.foobar2000.org/fuckmicrosoft)

I presume that SmartScreen will shut the hell up after enough downloads of an unsigned binary.

Even the tool I used to remove signature from the installer did not trip SmartScreen, even though it had no signature and certainly gets downloaded less.
Hi Peter, would you mind providing a SHA-2 checksum of the installation package on the download page? Because in some areas it may be attacked by the government or the ISP while downloading.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Case on 2016-10-01 18:45:09
Wouldn't these same parties be able to alter the displayed checksum on the page?
Title: Re: foobar 1.3.10 Invalid Signature
Post by: kode54 on 2016-10-02 04:29:13
There's also the idea of GPG signing the binaries and including the signature files for download. But who do you trust to verify that Peter produced the signatures you downloaded? Do you get them from the GPG repository? Keybase? And what's to stop your state actors from altering what you get from those signature authorities?
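The last few posts ask for checksums or PGP signatures and then point out the limit of each: a hash on the same page can be swapped along with the file, and a PGP signature only moves the question to how you got the key. The following is an added example for this thread, not a tool shipped with foobar2000; it checks a downloaded installer three ways, including the Mark-of-the-Web stream that triggers the "from the internet" prompt regardless of browser. It assumes gpg is on PATH, the developer's public key has already been imported and checked through a channel you trust, and the expected hash was obtained somewhere other than the download page; the paths and the hash value are placeholders.

```powershell
# Added example for this thread, not a tool shipped with foobar2000.
# Checks a downloaded installer three ways: Mark-of-the-Web, a SHA-256 value
# obtained out of band, and a detached PGP signature (gpg on PATH, developer's key
# already imported and checked through a channel you trust).
function Test-Download {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSha256,
        [string]$SignaturePath = "$Path.asc"   # assumption: detached signature beside the file
    )
    $ok = $true

    # 1. Mark-of-the-Web is an NTFS alternate stream written by every major browser,
    #    which is why the prompt appears with Firefox downloads too. Unblock-File removes
    #    it, the same as the Unblock box in the Properties dialog.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { Write-Host ("Mark-of-the-Web: " + ($zone -join ' ')) }

    # 2. Hash check. Only meaningful if the expected value came from somewhere
    #    other than the download page: whoever can swap the file on the wire or on
    #    a mirror can usually swap the hash displayed beside it.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -eq $ExpectedSha256.ToUpperInvariant()) {
        Write-Host "SHA-256: match"
    } else {
        Write-Host "SHA-256: MISMATCH ($actual)"; $ok = $false
    }

    # 3. Detached PGP signature. This moves the trust question to the key: the
    #    signature is only as good as how you obtained and verified the public key.
    if (Test-Path -Path $SignaturePath) {
        & gpg --verify $SignaturePath $Path 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "PGP: good signature" }
        else { Write-Host "PGP: BAD or unverifiable signature"; $ok = $false }
    } else {
        Write-Host "PGP: no detached signature at $SignaturePath"
    }
    return $ok
}

# Placeholder values; the hash must come from a channel independent of the download.
Test-Download -Path "$env:USERPROFILE\Downloads\foobar2000_v1.3.10.exe" `
              -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
```

Neither check replaces Authenticode for the SmartScreen prompt: Windows does not look at a checksum or a .asc file, so the "unknown publisher" dialog stays until the installer is signed again. What they do give you is a way to tell a tampered mirror copy from the one the developer published, provided the reference hash or key did not travel the same path as the file.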
Title: Re: foobar 1.3.10 Invalid Signature
Post by: McBaresark on 2017-01-05 11:04:39
Agree with ptr727 - looking at the 1.3.10 installer EXE it's missing two things:

Ditch StartCom. The cheapest "real" CA around that provides Authenticode certs is Comodo, and the cheapest provider I've found for their certs is usually GoGetSSL - roughly USD 70 per year for a 3 year cert:

https://www.gogetssl.com/code-signing-certificates/comodo-codesigning-ssl/
https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server

Regards,

Jacob
Title: Re: foobar 1.3.10 Invalid Signature
Post by: kode54 on 2017-01-05 19:26:06
I'll be losing the ability to sign things starting in February. Unless one or more of you community users wants to contribute the $210 or so to get that 3 year certificate, since my income doesn't leave me room for expenses that large at once, and I already cancelled my credit cards due to lack of ability to manage my debt responsibly.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: McBaresark on 2017-01-09 08:57:24
If you want to round up donations I'm happy to throw in USD 20 to start with. I know it's not much - but I've used foobar2000 on and off for years and think it would be good if you can continue to sign it so we users can trust the source. Hopefully others will feel similarly.

Let know via PM of your details (PayPal preferably) and I'll make a start.

Regards,

Jacob
Title: Re: foobar 1.3.10 Invalid Signature
Post by: Case on 2017-01-09 11:22:43
Peter had PayPal set up for donations years ago but there were some issues. They froze his account and took the money hostage and apparently no one can be contacted to sort things out. So I don't think he'll be very willing to try PayPal again.
Title: Re: foobar 1.3.10 Invalid Signature
Post by: TheQwertiest on 2017-01-09 13:17:59
Peter had PayPal set up for donations years ago but there were some issues. They froze his account and took the money hostage and apparently no one can be contacted to sort things out. So I don't think he'll be very willing to try PayPal again.
Yea, restoring PayPal account after it has become frozen is nearly impossible. Their position on this is similar to Google, i.e. they won't give you any good explanation why your account was frozen, they won't give your money back, and all your e-mails will be answered by auto-reply bot :\

Regretfully, I don't know any good alternatives to donate (bitcoin? direct b2b transfer? compensate with pizza delivery?).