EMET 4.1 Update 1: 'The digital signature of the object did not verify.' on Vista/XP

  • Question

  • I downloaded the EMET 4.1 Update file from https://support.microsoft.com/kb/2964759/en-us on a computer running Windows Vista with IE9. After the download I got the message "EMET Setup.msi was reported unsafe." from Internet Explorer. It turned out that on Windows Vista the signing time of the certificate is not available and the certificate isn't validated correctly. I've heard that this also happens on Windows XP. After the installation the same problems occur with the installed files like EMET_agent.exe, HelperLib.DLL and others. On Windows 7 or 8 this problem does not occur.

    Why can Windows Vista not verify the digital signature and how can we fix this problem?


    W. Spu

    Monday, May 12, 2014 1:21 PM

Answers

  • On May 29, Microsoft re-published EMET 4.1 update 1 with a new time-stamping service certificate which uses SHA1 again for the hashing algorithm. This installer can be downloaded without a warning and the certificate can be validated again.

    Unfortunately, Microsoft will not create a hotfix to solve the real cause of the problems with the time-stamping service certificates based on the SHA256 hashing algorithm.


    W. Spu

    • Marked as answer by W. Spu Saturday, May 31, 2014 3:22 PM
    Saturday, May 31, 2014 3:22 PM
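
To see which files are affected, the check below lists the Authenticode status of each file together with the signature algorithm of the signer and time-stamping certificates. It is an added example, not part of the original posts or of EMET; the `-Path` parameter, the function name `Get-SignatureReport` and the file-extension filter are assumptions.

```powershell
# Added example (not from the thread): report Authenticode status and the
# certificate signature algorithms for signed files in a folder.
param(
    # Assumption: folder that holds the files to check, for example the
    # download folder or the EMET installation folder.
    [string]$Path = '.'
)

function Get-SignatureReport {
    param([string]$File)

    $sig    = Get-AuthenticodeSignature -FilePath $File
    $signer = $sig.SignerCertificate
    $ts     = $sig.TimeStamperCertificate

    # Algorithm names such as sha1RSA or sha256RSA come from the certificates.
    $signerAlg = if ($signer) { $signer.SignatureAlgorithm.FriendlyName } else { '(unsigned)' }
    $tsAlg     = if ($ts)     { $ts.SignatureAlgorithm.FriendlyName }     else { '(none visible)' }

    # Signed file without a visible countersignature: the situation the
    # thread describes, where the signing time is not available.
    $noTimestamp = ($signer -ne $null) -and ($ts -eq $null)

    # New-Object PSObject keeps the script usable on PowerShell 2.0.
    New-Object PSObject -Property @{
        File              = [System.IO.Path]::GetFileName($File)
        Status            = $sig.Status
        SignerAlgorithm   = $signerAlg
        TimestampAlg      = $tsAlg
        TimestampMissing  = $noTimestamp
        StatusMessage     = $sig.StatusMessage
    }
}

$extensions = '.exe', '.dll', '.msi'

Get-ChildItem -Path $Path -Recurse |
    Where-Object { -not $_.PSIsContainer -and ($extensions -contains $_.Extension.ToLower()) } |
    ForEach-Object { Get-SignatureReport -File $_.FullName } |
    Select-Object File, Status, SignerAlgorithm, TimestampAlg, TimestampMissing, StatusMessage |
    Format-Table -AutoSize
```

Running the same script against the same files on two Windows versions shows whether the difference lies in the files or in how the operating system validates them.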

All replies

  • Below you can find 4 screenshots with the errors on Windows Vista.


    W. Spu

    Monday, May 12, 2014 1:23 PM

  • W. Spu

    Monday, May 12, 2014 1:24 PM
  • Below you can find the same 4 screenshots without the errors on Windows 7.


    W. Spu

    Monday, May 12, 2014 1:25 PM

  • W. Spu

    Monday, May 12, 2014 1:26 PM
  • Like EMET 4.1, the certificate in EMET 5.0 Technical Preview 1 could be validated correctly. With EMET 5.0 TP2, Microsoft used the same sort of certificate as they used for EMET 4.1 Update 1. The counter signatures in both files are not visible, probably because of the usage of SHA256. The details of this behavior are still not clear.

    Recently EMET 5.0 Technical Preview 3 was released, and the certificate is of the same sort as EMET 4.1 and/or EMET TP1.


    W. Spu


    • Edited by W. Spu Sunday, May 25, 2014 8:47 PM
    Sunday, May 25, 2014 8:26 PM