We have signed our product installation using SignTool.exe and GoDaddy certificate, and our signature appears valid in windows and using "verify" option of SignTool. However, when the file is downloaded in Internet Explorer 9, it reports that "The signature of is corrupt or invalid".

We obviously don't want our users to have problems with installation of our setup, so I need help in fixing it. Strange that there is basically no help on this issue online.

I've discovered through trial and error that this is caused by a Windows update that breaks IE:

Cumulative Security Update for Internet Explorer (2870699) - published Sept. 10, 2013

http://support.microsoft.com/kb/2870699

http://technet.microsoft.com/en-us/security/bulletin/ms13-069

I installed all of the latest updates and was able to reproduce the problem. I then uninstalled this single update and it fixed the problem. I then reinstalled the update and it was broken again.

This is bad!

Microsoft released a security update on January 12th 2016. This update has changed the way Windows enforces authenticode code signing and timestamping.

If your code signing certificate has a SHA1 signature, anything signed with such a certificate after the end of 2015 was being flagged as an invalid signature. So you will need to have your certificate re-issued to meet the new requirements.

Take a look at this article: Renew your Windows code signing certificates by December 31, 2015.

The bug is known by Microsoft:

http://connect.microsoft.com/IE/feedback/details/800433/kb2870699-breaks-ie-msi-signature-validation