Digital signature verification?

Bill in Co.

Is there any way to disable WinXP's built-in digital signature verification
for executable files (not just the drivers thing)? I've already tried
various options under certificates (including updating the root
certificates, etc.), to no avail, and have searched quite a bit on the net
for any possible ideas. I've got a trial shareware program (VinylStudio)
that indicates "the certificate is not valid" (etc.), but I know this isn't
really true. Even after updating my root certificates, it still complains
about that, and it won't run (it crashes with an error that the file is
corrupt, and should be redownloaded - I've done that several times). If you
look at it under Properties it complains about the certificate not being
valid, or "is not valid for the requested usage" (etc), which is nonsense.

Actually, I think the best solution would be to strip out this runtime
digital signature thing from the program exe file, if possible, so at least
I could try and run it. And if the program is useful, I could then
purchase the full version of it, instead of the trial. As it is now, I
can't even do that.
 
Paul

Bill said:
Is there any way to disable WinXP's built-in digital signature verification
for executable files (not just the drivers thing)? I've already tried
various options under certificates (including updating the root
certificates, etc.), to no avail, and have searched quite a bit on the net
for any possible ideas. I've got a trial shareware program (VinylStudio)
that indicates "the certificate is not valid" (etc.), but I know this isn't
really true. Even after updating my root certificates, it still complains
about that, and it won't run (it crashes with an error that the file is
corrupt, and should be redownloaded - I've done that several times). If you
look at it under Properties it complains about the certificate not being
valid, or "is not valid for the requested usage" (etc), which is nonsense.

Actually, I think the best solution would be to strip out this runtime
digital signature thing from the program exe file, if possible, so at least
I could try and run it. And if the program is useful, I could then
purchase the full version of it, instead of the trial. As it is now, I
can't even do that.

It is probably best to talk to Alpinesoft and get their opinion on
what to do.

*******
I tried downloading the package here. There is a button in the
middle of this page.

http://www.alpinesoft.co.uk/VinylStudio/download.aspx

The downloaded package is 3,118,168 bytes and the
MD5SUM of the whole file is

5bea795bb31858591ee10a1f8b295e11 *vsinstall.exe

By providing that info, I'm assuming download packages
are not customized for each download done.

If I unpack that download with 7zip, I can see
at least two files which are signed. The
setup.exe file, and the vinylstudio.exe file.
When I do Properties:Digital Signatures:Details, Windows indicates

"This digital signature is OK"

The Certificate used for signing says

Issued to: Alpinesoft
Issued by: UTN-USERFirst-Object
Valid from: 5/31/2008 to 6/1/2009

I'm running WinXP SP3, with no additional certificates added.

I didn't try to install the software.

Have you, by chance, disabled some item in Services, which
is critical to getting signing to work? Check out the
description of "Cryptographic Services" in
Control Panels:Administrative Tools:Services.

Paul
 
Bill in Co.

Paul said:
It is probably best to talk to Alpinesoft and get their opinion on
what to do.

*******
I tried downloading the package here. There is a button in the
middle of this page.

http://www.alpinesoft.co.uk/VinylStudio/download.aspx

The downloaded package is 3,118,168 bytes and the
MD5SUM of the whole file is

5bea795bb31858591ee10a1f8b295e11 *vsinstall.exe

By providing that info, I'm assuming download packages
are not customized for each download done.

If I unpack that download with 7zip, I can see
at least two files which are signed. The
setup.exe file, and the vinylstudio.exe file.
When I do Properties:Digital Signatures:Details, Windows indicates

"This digital signature is OK"

The Certificate used for signing says

Issued to: Alpinesoft
Issued by: UTN-USERFirst-Object
Valid from: 5/31/2008 to 6/1/2009

And my problem was with that certificate, which I've just "fixed". ("Enable
all services" for this certificate was not checked, and needed to be).

I'm running WinXP SP3, with no additional certificates added.

I didn't try to install the software.

Have you, by chance, disabled some item in Services, which
is critical to getting signing to work? Check out the
description of "Cryptographic Services" in
Control Panels:Administrative Tools:Services.

Paul

No, I hadn't disabled some item in services, but what I *did* find is that
after running "certmgr.msc", that one of the certificates (mentioned above)
did not have its service enabling options checked, which was kinda weird.

BTW, how does one get to run "certmgr.msc" without typing it out and running
it from the command line? I thought it would be some option under
Administrative Tools, but I must be missing seeing it.

And - thanks for your support and checking that out for me, Paul.
 
Paul

Bill said:
And my problem was with that certificate, which I've just "fixed". ("Enable
all services" for this certificate was not checked, and needed to be).


No, I hadn't disabled some item in services, but what I *did* find is that
after running "certmgr.msc", that one of the certificates (mentioned above)
did not have its service enabling options checked, which was kinda weird.

BTW, how does one get to run "certmgr.msc" without typing it out and running
it from the command line? I thought it would be some option under
Administrative Tools, but I must be missing seeing it.

And - thanks for your support and checking that out for me, Paul.

I found an entry in "Help and Support". Says to use Start:Run and
"mmc", then "Add/Remove Snapin", then click the "Add" button.
Certificates is an option there.

I looked in my Certificates, and I have two shown in "Untrusted"
that are marked "Fraudulent". The stuff you find lurking on
your computer :) Good thing I don't use this computer for
serious work.

Paul
 
Bill in Co.

Paul said:
I found an entry in "Help and Support". Says to use Start:Run and
"mmc", then "Add/Remove Snapin", then click the "Add" button.
Certificates is an option there.

OK. Interesting. Thanks.

I looked in my Certificates, and I have two shown in "Untrusted"
that are marked "Fraudulent". The stuff you find lurking on
your computer :) Good thing I don't use this computer for
serious work.

Paul

I saw those two, too. I think it's because they expired in 2002 (IIRC),
but I'm not positive.
 
John Wunderlich

BTW, how does one get to run "certmgr.msc" without typing it out
and running it from the command line? I thought it would be some
option under Administrative Tools, but I must be missing seeing
it.

Try:

Control Panel -> Internet Options -> Content (Tab) -> Certificates.

Not exactly the same thing... more like a different view of the same
thing.

HTH,
John
 
John Wunderlich

I looked in my Certificates, and I have two shown in "Untrusted"
that are marked "Fraudulent". The stuff you find lurking on
your computer :) Good thing I don't use this computer for
serious work.

There was a big to-do about that several years ago. It appears that
Verisign signed & certified two certificates for Microsoft that
actually turned out to be from someone that wasn't Microsoft. At the
time, Microsoft had no mechanism to handle this eventuality. It wasn't
long before they fixed that. This is how it was done.

HTH,
John

From 2001:
"VeriSign issues fraudulent Microsoft code-signing certificates"
<http://www.networkworld.com/news/2001/0322vsign.html>
 
Bill in Co.

John said:
There was a big to-do about that several years ago. It appears that
Verisign signed & certified two certificates for Microsoft that
actually turned out to be from someone that wasn't Microsoft. At the
time, Microsoft had no mechanism to handle this eventuality. It wasn't
long before they fixed that. This is how it was done.

HTH,
John

From 2001:
"VeriSign issues fraudulent Microsoft code-signing certificates"
<http://www.networkworld.com/news/2001/0322vsign.html>

Interesting. So it wasn't just the expiry dates! How could Verisign
screw up like that? On second thought, never mind. :)
 
Bill in Co.

John said:
Try:

Control Panel -> Internet Options -> Content (Tab) -> Certificates.

Not exactly the same thing... more like a different view of the same
thing.

HTH,
John

I had seen that one too, but didn't realize you could get access to editing
the certificate properties in there too. But as you say, it's a somewhat
different view.
 
