Is there any way to disable WinXP's built-in digital signature verification
for executable files (not just the drivers thing)? I've already tried
various options under certificates, including updating the root
certificates, etc), to no avail, and have searched quite a bit on the net
for any possible ideas. I've got a trial shareware program (VinylStudio)
that indicates "the certificate is not valid"(etc), but I know this isn't
really true. Even after updating my root certificates, it still complains
about that, and it won't run (it crashes with an error that the file is
corrupt, and should be redownloaded - I've done that several times). If you
look at it under Properties it complains about the certificate not being
valid, or "is not valid for the requested usage" (etc), which is nonsense.

Actually, I think the best solution would be to strip out this runtime
digital signature thing from the program exe file, if possible, so at least
I could try and run it. And if the program is useful, I could then
purchase the full version of it, instead of the trial. As it is now, I
can't even do that.

Bill in Co. wrote:
> Is there any way to disable WinXP's built-in digital signature verification
> for executable files (not just the drivers thing)? I've already tried
> various options under certificates, including updating the root
> certificates, etc), to no avail, and have searched quite a bit on the net
> for any possible ideas. I've got a trial shareware program (VinylStudio)
> that indicates "the certificate is not valid"(etc), but I know this isn't
> really true. Even after updating my root certificates, it still complains
> about that, and it won't run (it crashes with an error that the file is
> corrupt, and should be redownloaded - I've done that several times). If you
> look at it under Properties it complains about the certificate not being
> valid, or "is not valid for the requested usage" (etc), which is nonsense.
>
> Actually, I think the best solution would be to strip out this runtime
> digital signature thing from the program exe file, if possible, so at least
> I could try and run it. And if the program is useful, I could then
> purchase the full version of it, instead of the trial. As it is now, I
> can't even do that.
>

It is probably best to talk to Alpinesoft and get their opinion on
what to do.

*******
I tried downloading the package here. There is a button in the
middle of this page.

http://www.alpinesoft.co.uk/VinylStudio/download.aspx

The downloaded package is 3,118,168 bytes and the
MD5SUM of the whole file is

5bea795bb31858591ee10a1f8b295e11 *vsinstall.exe

By providing that info, I'm assuming download packages
are not customized for each download done.

If I unpack that download with 7zip, I can see
at least two files which are signed. The
setup.exe file, and the vinylstudio.exe file.
When I do Propertiesigital Signaturesetails, Windows indicates

"This digital signature is OK"

The Certificate used for signing says

Issued to: Alpinesoft
Issued by: UTN-USERFirst-Object
Valid from: 5/31/2008 to 6/1/2009

I'm running WinXP SP3, with no additional certificates added.

I didn't try to install the software.

Have you, by chance, disabled some item in Services, which
is critical to getting signing to work ? Check out the
description of "Cryptographic Services" in
Control Panels:Administrative Tools:Services.

Paul

Paul wrote:
> Bill in Co. wrote:
>> Is there any way to disable WinXP's built-in digital signature
>> verification
>> for executable files (not just the drivers thing)? I've already tried
>> various options under certificates, including updating the root
>> certificates, etc), to no avail, and have searched quite a bit on the net
>> for any possible ideas. I've got a trial shareware program
>> (VinylStudio)
>> that indicates "the certificate is not valid"(etc), but I know this isn't
>> really true. Even after updating my root certificates, it still
>> complains
>> about that, and it won't run (it crashes with an error that the file is
>> corrupt, and should be redownloaded - I've done that several times). If
>> you
>> look at it under Properties it complains about the certificate not being
>> valid, or "is not valid for the requested usage" (etc), which is
>> nonsense.
>>
>> Actually, I think the best solution would be to strip out this runtime
>> digital signature thing from the program exe file, if possible, so at
>> least
>> I could try and run it. And if the program is useful, I could then
>> purchase the full version of it, instead of the trial. As it is now, I
>> can't even do that.
>>
>
> It is probably best to talk to Alpinesoft and get their opinion on
> what to do.
>
> *******
> I tried downloading the package here. There is a button in the
> middle of this page.
>
> http://www.alpinesoft.co.uk/VinylStudio/download.aspx
>
> The downloaded package is 3,118,168 bytes and the
> MD5SUM of the whole file is
>
> 5bea795bb31858591ee10a1f8b295e11 *vsinstall.exe
>
> By providing that info, I'm assuming download packages
> are not customized for each download done.
>
> If I unpack that download with 7zip, I can see
> at least two files which are signed. The
> setup.exe file, and the vinylstudio.exe file.
> When I do Propertiesigital Signaturesetails, Windows indicates
>
> "This digital signature is OK"
>
> The Certificate used for signing says
>
> Issued to: Alpinesoft
> Issued by: UTN-USERFirst-Object
> Valid from: 5/31/2008 to 6/1/2009

And my problem was with that certificate, which I've just "fixed". ("Enable
all services" for this certificate was not checked, and needed to be).

> I'm running WinXP SP3, with no additional certificates added.
>
> I didn't try to install the software.
>
> Have you, by chance, disabled some item in Services, which
> is critical to getting signing to work ? Check out the
> description of "Cryptographic Services" in
> Control Panels:Administrative Tools:Services.
>
> Paul

No, I hadn't disabled some item in services, but what I *did* find is that
after running "certmgr.msc", that one of the cerficates (mentioned above)
did not have its service enabling options checked, which was kinda weird.

BTW, how does one get to run "certmgr.msc" without typing it out and running
it from the command line? I thought it would be some option under
Administrative Tools, but I must be missing seeing it.

And - thanks for your support and checking that out for me, Paul.

Bill in Co. wrote:
> Paul wrote:
>> Bill in Co. wrote:
>>> Is there any way to disable WinXP's built-in digital signature
>>> verification
>>> for executable files (not just the drivers thing)? I've already tried
>>> various options under certificates, including updating the root
>>> certificates, etc), to no avail, and have searched quite a bit on the net
>>> for any possible ideas. I've got a trial shareware program
>>> (VinylStudio)
>>> that indicates "the certificate is not valid"(etc), but I know this isn't
>>> really true. Even after updating my root certificates, it still
>>> complains
>>> about that, and it won't run (it crashes with an error that the file is
>>> corrupt, and should be redownloaded - I've done that several times). If
>>> you
>>> look at it under Properties it complains about the certificate not being
>>> valid, or "is not valid for the requested usage" (etc), which is
>>> nonsense.
>>>
>>> Actually, I think the best solution would be to strip out this runtime
>>> digital signature thing from the program exe file, if possible, so at
>>> least
>>> I could try and run it. And if the program is useful, I could then
>>> purchase the full version of it, instead of the trial. As it is now, I
>>> can't even do that.
>>>
>> It is probably best to talk to Alpinesoft and get their opinion on
>> what to do.
>>
>> *******
>> I tried downloading the package here. There is a button in the
>> middle of this page.
>>
>> http://www.alpinesoft.co.uk/VinylStudio/download.aspx
>>
>> The downloaded package is 3,118,168 bytes and the
>> MD5SUM of the whole file is
>>
>> 5bea795bb31858591ee10a1f8b295e11 *vsinstall.exe
>>
>> By providing that info, I'm assuming download packages
>> are not customized for each download done.
>>
>> If I unpack that download with 7zip, I can see
>> at least two files which are signed. The
>> setup.exe file, and the vinylstudio.exe file.
>> When I do Propertiesigital Signaturesetails, Windows indicates
>>
>> "This digital signature is OK"
>>
>> The Certificate used for signing says
>>
>> Issued to: Alpinesoft
>> Issued by: UTN-USERFirst-Object
>> Valid from: 5/31/2008 to 6/1/2009
>
> And my problem was with that certificate, which I've just "fixed". ("Enable
> all services" for this certificate was not checked, and needed to be).
>
>> I'm running WinXP SP3, with no additional certificates added.
>>
>> I didn't try to install the software.
>>
>> Have you, by chance, disabled some item in Services, which
>> is critical to getting signing to work ? Check out the
>> description of "Cryptographic Services" in
>> Control Panels:Administrative Tools:Services.
>>
>> Paul
>
> No, I hadn't disabled some item in services, but what I *did* find is that
> after running "certmgr.msc", that one of the cerficates (mentioned above)
> did not have its service enabling options checked, which was kinda weird.
>
> BTW, how does one get to run "certmgr.msc" without typing it out and running
> it from the command line? I thought it would be some option under
> Administrative Tools, but I must be missing seeing it.
>
> And - thanks for your support and checking that out for me, Paul.
>
>

I found an entry in "Help and Support". Says to use Start:Run and
"mmc", then "Add/Remove Snapin", then click the "Add" button.
Certificates is an option there.

I looked in my Certificates, and I have two shown in "Untrusted"
that are marked "Fraudulent". The stuff you find lurking on
your computer :-) Good thing I don't use this computer for
serious work.

Paul

Paul wrote:
> Bill in Co. wrote:
>> Paul wrote:
>>> Bill in Co. wrote:
>>>> Is there any way to disable WinXP's built-in digital signature
>>>> verification
>>>> for executable files (not just the drivers thing)? I've already
>>>> tried
>>>> various options under certificates, including updating the root
>>>> certificates, etc), to no avail, and have searched quite a bit on the
>>>> net
>>>> for any possible ideas. I've got a trial shareware program
>>>> (VinylStudio)
>>>> that indicates "the certificate is not valid"(etc), but I know this
>>>> isn't
>>>> really true. Even after updating my root certificates, it still
>>>> complains
>>>> about that, and it won't run (it crashes with an error that the file is
>>>> corrupt, and should be redownloaded - I've done that several times).
>>>> If
>>>> you
>>>> look at it under Properties it complains about the certificate not
>>>> being
>>>> valid, or "is not valid for the requested usage" (etc), which is
>>>> nonsense.
>>>>
>>>> Actually, I think the best solution would be to strip out this runtime
>>>> digital signature thing from the program exe file, if possible, so at
>>>> least
>>>> I could try and run it. And if the program is useful, I could then
>>>> purchase the full version of it, instead of the trial. As it is now,
>>>> I
>>>> can't even do that.
>>>>
>>> It is probably best to talk to Alpinesoft and get their opinion on
>>> what to do.
>>>
>>> *******
>>> I tried downloading the package here. There is a button in the
>>> middle of this page.
>>>
>>> http://www.alpinesoft.co.uk/VinylStudio/download.aspx
>>>
>>> The downloaded package is 3,118,168 bytes and the
>>> MD5SUM of the whole file is
>>>
>>> 5bea795bb31858591ee10a1f8b295e11 *vsinstall.exe
>>>
>>> By providing that info, I'm assuming download packages
>>> are not customized for each download done.
>>>
>>> If I unpack that download with 7zip, I can see
>>> at least two files which are signed. The
>>> setup.exe file, and the vinylstudio.exe file.
>>> When I do Propertiesigital Signaturesetails, Windows indicates
>>>
>>> "This digital signature is OK"
>>>
>>> The Certificate used for signing says
>>>
>>> Issued to: Alpinesoft
>>> Issued by: UTN-USERFirst-Object
>>> Valid from: 5/31/2008 to 6/1/2009
>>
>> And my problem was with that certificate, which I've just "fixed".
>> ("Enable
>> all services" for this certificate was not checked, and needed to be).
>>
>>> I'm running WinXP SP3, with no additional certificates added.
>>>
>>> I didn't try to install the software.
>>>
>>> Have you, by chance, disabled some item in Services, which
>>> is critical to getting signing to work ? Check out the
>>> description of "Cryptographic Services" in
>>> Control Panels:Administrative Tools:Services.
>>>
>>> Paul
>>
>> No, I hadn't disabled some item in services, but what I *did* find is
>> that
>> after running "certmgr.msc", that one of the cerficates (mentioned above)
>> did not have its service enabling options checked, which was kinda weird.
>>
>> BTW, how does one get to run "certmgr.msc" without typing it out and
>> running
>> it from the command line? I thought it would be some option under
>> Administrative Tools, but I must be missing seeing it.
>>
>> And - thanks for your support and checking that out for me, Paul.
>>
>>
>
> I found an entry in "Help and Support". Says to use Start:Run and
> "mmc", then "Add/Remove Snapin", then click the "Add" button.
> Certificates is an option there.

OK. Interesting. Thanks.

> I looked in my Certificates, and I have two shown in "Untrusted"
> that are marked "Fraudulent". The stuff you find lurking on
> your computer :-) Good thing I don't use this computer for
> serious work.
>
> Paul

I saw those two, too. I think it's because they expired in 2002 (IIRC),
but I'm not positive.

"Bill in Co." <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> BTW, how does one get to run "certmgr.msc" without typing it out
> and running it from the command line? I thought it would be some
> option under Administrative Tools, but I must be missing seeing
> it.
>

Try:

Control Panel -> Internet Options -> Content (Tab) -> Certificates.

Not exactly the same thing... more like a different view of the same
thing.

HTH,
John

Paul <(E-Mail Removed)> wrote in
news:grv2kr$78r$(E-Mail Removed):

> I looked in my Certificates, and I have two shown in "Untrusted"
> that are marked "Fraudulent". The stuff you find lurking on
> your computer :-) Good thing I don't use this computer for
> serious work.
>

There was a big to-do about that several years ago. It appears that
Verisign signed & certified two certificates for Microsoft that
actually turned out to be from someone that wasn't Microsoft. At the
time, Microsoft had no mechanism to handle this eventuality. It wasn't
long before they fixed that. This is how it was done.

HTH,
John

From 2001:
"VeriSign issues fraudulent Microsoft code-signing certificates"
<http://www.networkworld.com/news/2001/0322vsign.html>

John Wunderlich wrote:
> Paul <(E-Mail Removed)> wrote in
> news:grv2kr$78r$(E-Mail Removed):
>
>> I looked in my Certificates, and I have two shown in "Untrusted"
>> that are marked "Fraudulent". The stuff you find lurking on
>> your computer :-) Good thing I don't use this computer for
>> serious work.
>>
>
> There was a big to-do about that several years ago. It appears that
> Verisign signed & certified two certificates for Microsoft that
> actually turned out to be from someone that wasn't Microsoft. At the
> time, Microsoft had no mechanism to handle this eventuality. It wasn't
> long before they fixed that. This is how it was done.
>
> HTH,
> John
>
> From 2001:
> "VeriSign issues fraudulent Microsoft code-signing certificates"
> <http://www.networkworld.com/news/2001/0322vsign.html>

Interesting. So it wasn't just the expiry dates! How could Verisign
screw up like that. On second thought, nevermind. :-)

John Wunderlich wrote:
> "Bill in Co." <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>> BTW, how does one get to run "certmgr.msc" without typing it out
>> and running it from the command line? I thought it would be some
>> option under Administrative Tools, but I must be missing seeing
>> it.
>>
>
> Try:
>
> Control Panel -> Internet Options -> Content (Tab) -> Certificates.
>
> Not exactly the same thing... more like a different view of the same
> thing.
>
> HTH,
> John

I had seen that one too, but didn't realize you could get access to editing
the certificate properties in there too. But as you say, it's a somewhat
different view.