KB2870699 breaks IE MSI signature validation - by JHerron

Status : 

  Won't Fix<br /><br />
		Due to several factors the product team decided to focus its efforts on other items.<br /><br />
		A more detailed explanation for the resolution of this particular item may have been provided in the comments section.

ID 800433 Comments
Status Closed Workarounds
Type Bug Repros 38
Opened 9/12/2013 6:11:21 PM
Duplicates 801646 Access Restriction Public


After installing the update KB2870699 IE users get the message "The signature of this program is corrupt or invalid" when downloading MSI installation files. We have verified that removing the update resolves the problem and installing it causes the problem to recur.

The issue has been verified on Windows 2008 R2 SP1 and Windows 7 (SP unknown). It has also been verified that it occurs in IE9 and IE10.

The files and signatures being used for testing have been verified and are not invalid. Numerous MSI files built over the past twelve months have been tested.
Sign in to post a comment.
Posted by JHerron on 3/31/2014 at 2:57 PM
Really Microsoft, you have decided that you are going to leave your customers flapping in the wind? Marking this as "Closed, won't fix" is of absolutely no use to everyone that it affects. I hope you are not expecting to get any positive recommendations for your development tools from the user community. In the future I will certainly look for solutions from companies that do not just decide that they are not interested in fixing things that they have broken even though it affects most of their users. Very bad move !!!
Posted by Microsoft on 3/31/2014 at 12:47 PM
Thank you again for your feedback.

We’ve investigated this issue and it is fixed in the latest version of Internet Explorer (IE11), which is part of Windows 8.1 and available to download for Windows 7. IE11 is the best browsing experience on any device - fast, fluid, secure, and perfect for touch. We hope you’ll give it a try, and let us know what you think.

Your feedback is helping us see the needs of our users so we can improve the quality of Internet Explorer. We continue to welcome more feedback and look forward to hearing from you again soon.

Best regards,
The Internet Explorer Team
Posted by Doug Delaney on 1/17/2014 at 8:44 AM
As it turns out, I think this was a false alarm. It appeared to be the same issue, but in much more complete testing, I found that the other links posted here worked fine, and some of the clients that reported a problem, had not yet received the KB 2898785 patch.
Posted by Doug Delaney on 1/14/2014 at 9:56 AM
Our organization just recently installed the December patches, which included MS13-097 (KB 2898785) which made this problem recur. So far, testing on Windows 8 w/IE 10. I’ve uninstalled KB 2898785, KB 2888505 and KB 2879017 in that order with a reboot between each. The problem no longer exists, but existed until the 3rd one was uninstalled. The original KB 2870699 did not appear in the installed updates list.

On Windows 7 w/IE 8, the problem also occurs, and all 4 updates appear in the installed updates list. Just uninstalled KB 2898785, reboot pending, to see what happens.

In Windows 7, w/IE8 without KB 2888505 and KB 2898785 installed, the problem does not occur. Only KB 2870699 and KB 2879017 were installed. In the process of installing KB 2888505, then KB 2898785 to validate what happens. All machines so far are 64-bit.
Posted by Xenacode on 12/17/2013 at 8:28 AM
Still not fixed.
Posted by Xenacode on 11/22/2013 at 1:07 AM
It looks like there may be a fix out for this. The KB2870699 download has been taken off the download site. The Microsoft support site now says this:

"The update that this article describes has been replaced by a newer update. We recommend that you install the most current cumulative security update for Internet Explorer."

I can't find the specific update that comment refers to but it does suggest the problem may be resolved by installing the latest updates.

Would Microsoft like to confirm this or comment?

Xenacode Ltd
Posted by SylvainPiron on 9/20/2013 at 9:04 AM
I'm having this issue too!
When a user downloads my EXE program they get the message "The signature of Client Service Setup.exe is corrupt of invalid".
I cannot tell to my customers to turn off security measures.
I'm using a GoDaddy code signing certificate.

Hope you can fix it fast, it is not a small issues for all developpers using GoDaddy certificate!
Posted by MVanderlofske on 9/18/2013 at 12:33 PM
We too are having this issue in our signed installer. When a user downloads our EXE bootstrapper they get the message "The signature of Client Service Setup.exe is corrupt of invalid". As with others we cannot tell our customers to turn off security measures.
As with the first commenter we are using a GoDaddy code signing certificate if that makes any difference.
Posted by JeremiahAtNETNaz on 9/17/2013 at 3:18 PM
We here at PW are also experiencing this issue. A validly signed file for testing is: http://www.pragmaticworks.com/downloads/BETAPragmaticWorkbench.exe. I have verified this on over 10 machines and it is affecting most of our organization's code signed downloads. The file above was created today but even our existing files that are code signed are affected. We're using a GoDaddy code signing certificate which you can investigate by downloading the attached file.

This issue is an EXTREME blocking issue as our customers can no longer download our products in IE without getting a big red "error" notification which they then have to jump through hoops to execute. The proposed workarounds are not acceptable for our users.
Posted by craigwal on 9/17/2013 at 2:23 PM
Another properly signed msi affected by this issue can be found here as well: http://www.via3.com/Accounts/Install.aspx. Our software install is failing for many clients who ran Windows Update and installed the KB2870699 update that was released on 9/10/13.

I added a Workaround that I'm currently informing our clients, but this cannot be a long term resolution.

Posted by JHerron on 9/13/2013 at 9:40 PM
I have a critical support case open that is supposed to be a 7/24 continuous work-until-it-is-fixed case (REG:113091310782440). So far the only response I have received is an email asking me to tell my customers to turn on "Allow software to run or install even if the signature is invalid" in IE.

This of course is not a solution, and it is something that I would never tell a customer, employee, or any computer user.

I have been waiting for six hours with no additional reply.
Posted by ricthomas on 9/13/2013 at 1:55 PM
To eliminate the problem on a Win 8 system, both update KB2870699 and KB2880289 had to be uninstalled. This system did have the Adobe Flash Player, and the EXE being downloaded did include MSI's.
Posted by Microsoft on 9/13/2013 at 1:23 PM
Thank you for your feedback. We will be investigating this issue further.

Best regards,

The Internet Explorer Team
Posted by KenMcGinnis on 9/13/2013 at 12:23 PM
Yes, this can be reproduced. Any correctly digitally signed .exe file will give IE the error message. Hope Microsoft can fix this quickly and give us a new update so our users can download in confidence once again.