This Microsoft tool adds an INVALID Microsoft digital signature when you build an MSI.
Anyone know of a simple way to stop the tool from adding the digital signature? Or an easy way to remove the digital signature after the build?
VS2015 Installer Projects link https://visualstudiogallery.msdn.microsoft.com/f1cc3f3e-c300-40a7-8797-c509fb8933b9
The MSI file works fine even with the bad signature. BUT, when someone tries to download the MSI with the Edge browser, it blocks the download and shows this download error message: "The signature for this file is corrupt or invalid". With a big scary RED Error shield icon.
If you want to scare away potential users from your product or tool, this is the perfect way to do it.
Rant: Microsoft took a big bow when it made this tool available again after dropping it in 2012. Telling developers "See we do listen to you and we brought back this popular tool." Well, wouldn't you think Microsoft could assign a low-level developer to maintain it and fix simple things like this? Seems to be just another toy with a broken wheel that MS tossed into the sandbox and left there to fall apart. C'mon Microsoft, spend 10 minutes and fix this.
To fix this you can also try to dual sign the package, instead of completely removing the digital signature. This way the warning message about the invalid signature will disappear on download and also the correct info will appear in the UAC prompts on install.
Dual signing of course requires a SHA2 certificate.
SHA2 signatures are not recognized by OSes older than Windows 7, so if you target those too and want your signature to be visible there you need to perform dual signing.
Microsoft explaining the steps for dual signing, with more details.
The problem appears to be that older SHA1 certificates are no longer valid after the end of 2015 and security changes that enforce it, as in this thread and the Jan 12th security update comment:
Internet Explorer shows valid certificate as "corrupt or invalid signature"
I haven't personally tried this idea here, but it looks like fairly easy code to test on an MSI file to delete the certificate:
http://www.fluxbytes.com/csharp/remove-digital-signature-from-a-file-using-c/
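
A pre-publish check for the situation discussed in this thread, as an added example that is not part of any post above and is not Microsoft's or the linked site's code: it reads the Authenticode state of a built MSI and fails the build when a signature is present but does not validate. The function name `Test-MsiSignature`, the path `.\Release\Setup.msi`, and the policy that an unsigned MSI is acceptable are assumptions.

```powershell
# Added example: gate a release on the MSI's Authenticode state.
# Test-MsiSignature is a hypothetical helper name, not part of any Microsoft tool.
function Test-MsiSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...

    [pscustomobject]@{
        Path          = $Path
        Status        = $status
        StatusMessage = $sig.StatusMessage
        Subject       = if ($cert) { $cert.Subject } else { $null }
        # Algorithm used to sign the certificate itself (e.g. sha1RSA, sha256RSA),
        # not the digest algorithm of the file signature.
        CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        CertNotAfter  = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped   = [bool]$sig.TimeStamperCertificate
        # Assumed policy: a validating signature or no signature may ship;
        # a signature that is present but fails validation may not.
        Publishable   = $status -in 'Valid', 'NotSigned'
    }
}

$r = Test-MsiSignature -Path '.\Release\Setup.msi'   # placeholder path (assumption)
$r | Format-List

if (-not $r.Publishable) {
    Write-Error "Signature on $($r.Path) is present but not valid: $($r.StatusMessage)"
    exit 1
}
if ($r.CertAlgorithm -like 'sha1*') {
    Write-Warning "Signing certificate is signed with $($r.CertAlgorithm)."
}
```

Run it on the same Windows versions your users download with, since the validation result depends on the trust policy of the machine doing the check.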