I tried to install Telerik DevCraft Ultimate, but Windows 8.1 and Windows 10 blocked it:
“Unknown Publisher”? Hrm.
That’s weird. I know Telerik signs their code and I was pretty sure their code-signing certificate is SHA256, so the new restrictions on SHA1 in code-signing shouldn’t be a problem, right?
Sure enough, the code is signed with a SHA256 certificate:
… and we know that SHA1 file digests are still allowed (heck, MD5 digests are still allowed!). So what’s going wrong?
Check out the certificate chain:
The intermediate certificate is SHA1.
Other code, signed with the same chain, doesn’t fail, but that’s because that other code was time-stamped before the January 1st deprecation of SHA-1.
To avoid “Unknown Publisher” warnings for your software, you need to ensure that any intermediate certificates in your signing chain are also signed using SHA256. (Only the root certificate at the top of the chain may use SHA1.)
-Eric
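
One way to check a signed file for this problem before shipping it, as an added example that is not part of the original post: the PowerShell function below (the name `Get-SigningChainHash` is hypothetical) rebuilds the Authenticode signer's certificate chain and reports the signature algorithm of each certificate, flagging SHA-1 or MD5 on anything other than a self-signed root. It assumes the intermediates are available in the local certificate stores or embedded sources Windows can reach; the installer path in the usage comment is a placeholder.

```powershell
function Get-SigningChainHash {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # signed file to inspect
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on $Path"
    }

    # Rebuild the chain from the signer certificate. Revocation is skipped
    # because only the signature algorithms are of interest here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)

    # ChainElements is ordered from the signer (index 0) up to the root (last).
    $elements = @($chain.ChainElements)
    $lastIndex = $elements.Count - 1

    for ($i = 0; $i -le $lastIndex; $i++) {
        $cert = $elements[$i].Certificate

        # Treat the last element as the root only if it is self-issued; a
        # partial chain therefore gets its top certificate checked as well.
        $isRoot = ($i -eq $lastIndex) -and ($cert.Subject -eq $cert.Issuer)
        $role = 'Intermediate'
        if ($isRoot) { $role = 'Root' } elseif ($i -eq 0) { $role = 'Signer' }

        # FriendlyName looks like sha1RSA, sha256RSA, sha256ECDSA, ...
        $alg = $cert.SignatureAlgorithm.FriendlyName

        [pscustomobject]@{
            Position           = $i
            Role               = $role
            Subject            = $cert.Subject
            SignatureAlgorithm = $alg
            NotAfter           = $cert.NotAfter
            WeakNonRoot        = (-not $isRoot) -and ($alg -match '^(sha1|md5)')
        }
    }
}

# Usage (placeholder path):
#   Get-SigningChainHash -Path .\installer.exe | Format-Table -AutoSize
# Any row with WeakNonRoot = True is a signer or intermediate certificate
# that is not signed with SHA256.
```

This checks the certificate chain only; it does not look at the file digest or at when the file was time-stamped.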