SmartScreen Application Reputation, with Pictures

Last Update: March 24, 2026

I’ve previously explained how Chromium-based browsers assign a “danger level” based on the type of the file, as determined from its extension. Depending on the Danger Level, the browser may warn the user before a file download begins in order to confirm that the user really wanted a potentially-dangerous file.

Cheating Authenticode, Redux

Back in 2014, I explained two techniques that have been used by developers to store information in Authenticode-signed executables without breaking the signature, including information about the EnableCertPaddingCheck registry flag that can be set to break the technique. Recently, Kevin Jones pointed out that Chrome’s signed installer differs on each download, as you can see…

SHA256 and Authenticode REDUX^2

Note: Microsoft has not confirmed this change yet; analysis below comes from looking at behavior of 14 signed installers.

In December of last year, I wrote about all of the different places hashes are used in code-signing. Then, in January I blogged that Windows 10 had stopped accepting SHA-1 certificates and certificate chains for Authenticode-signed…

Authenticode and SHA1–Redux

I tried to install Telerik DevCraft Ultimate, but Windows 8.1 and Windows 10 blocked it: “Unknown Publisher”? Hrm. That’s weird. I know Telerik signs their code and I was pretty sure their code-signing certificate is SHA256, so the new restrictions on SHA1 in code-signing shouldn’t be a problem, right? Sure enough, the code is signed with a SHA256…

SHA-1 Certificates Blocked By Authenticode

Twitter started to light up a bit tonight with folks who are having problems with signatures; both third-party ISVs: … and even Microsoft’s own SysInternals utilities show an error: Developers are surprised to see their workflow suddenly broken and wonder why. The problem is outlined here – the tl;dr is that you must use a SHA256-signed…