Why does signing work but signing verification doesn't?
signtool sign /v /ac comodorsacertificationauthority_kmod.crt /tr http://timestamp.comodoca.com/rfc3161 mydriver.sys
The following certificate was selected:
Issued to: Company, Inc
Issued by: COMODO RSA Extended Validation Code Signing CA
Expires: >..
SHA1 hash: ....
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: COMODO RSA Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon Apr 12 01:16:20 2021
SHA1 hash: 106870659C069F248C8C0A05ACD871CABEB3CC38
Issued to: COMODO RSA Extended Validation Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon Dec 03 02:59:59 2029
SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7
Issued to: Company, Inc
Issued by: COMODO RSA Extended Validation Code Signing CA
Expires: ...
SHA1 hash: ...
Done Adding Additional Store Successfully signed: mydriver.sys
signtool verify /v /kp mydriver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 1EDBB6F9354413D1B0F1696BF713281954F75130
Signing Certificate Chain:
Issued to: COMODO RSA Certification Authority
Issued by: COMODO RSA Certification Authority
Expires: Tue Jan 19 02:59:59 2038
SHA1 hash: AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Issued to: COMODO RSA Extended Validation Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon Dec 03 02:59:59 2029
SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7
Issued to: MyCompany, Inc
Issued by: COMODO RSA Extended Validation Code Signing CA
Expires: ...
SHA1 hash: ...
The signature is timestamped: Thu Oct 25 16:17:01 2018
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-1 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 03A5B14663EB12023091B84A6D6A68BC871DE66B
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Maybe you should use verify /ds 1 /v? Where /ds 1 is index 1, not 0?
https://learn.microsoft.com/en-US/dotnet/framework/tools/signtool-exe
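A triage helper for the kind of signtool verify /v /kp output quoted in the question above, added here as an example and not part of the original thread. It parses the certificate chains and reports whether a cross-certificate chain rooted at Microsoft Code Verification Root is present; the function names and the sample output are constructed for illustration.

```python
import re

KERNEL_ROOT = "Microsoft Code Verification Root"
SECTIONS = {"Signing Certificate Chain:": "signing",
            "Timestamp Verified by:": "timestamp",
            "Cross Certificate Chain:": "cross"}
FIELD = re.compile(r"^(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)$")

# Constructed sample output: publisher/CA names and thumbprints are made up.
SAMPLE_OK = """\
Signing Certificate Chain:
    Issued to: Example Root CA
    Issued by: Example Root CA
    SHA1 hash: 1111
    Issued to: Example Publisher
    Issued by: Example Root CA
    SHA1 hash: 2222
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 3333
    Issued to: Example Root CA
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 4444
    Issued to: Example Publisher
    Issued by: Example Root CA
    SHA1 hash: 2222
Successfully verified: example.sys
"""
# Same signature with the cross chain missing and the error from the question.
SAMPLE_NO_CROSS = SAMPLE_OK.split("Cross Certificate Chain:")[0] + (
    "SignTool Error: A certificate chain processed, but terminated in a root\n")

def parse_verify_output(text):
    """Split verbose signtool verify output into certificate chains and errors."""
    result = {"signing": [], "timestamp": [], "cross": [], "errors": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
        elif line.startswith("SignTool Error:"):
            result["errors"].append(line[len("SignTool Error:"):].strip())
        elif section and (m := FIELD.match(line)):
            if m.group(1) == "Issued to":      # each certificate starts here
                result[section].append({})
            if result[section]:
                result[section][-1][m.group(1)] = m.group(2)
    return result

def triage(parsed):
    """Return findings relevant to kernel-mode (/kp) verification."""
    findings, cross = [], parsed["cross"]
    if not cross:
        findings.append("no cross-certificate chain reported")
    else:
        root, leaf = cross[0], cross[-1]
        if not (root.get("Issued to") == root.get("Issued by") == KERNEL_ROOT):
            findings.append("cross chain does not start at " + KERNEL_ROOT)
        signer = (parsed["signing"] or [{}])[-1]
        if leaf.get("SHA1 hash") != signer.get("SHA1 hash"):
            findings.append("cross chain ends at a different signer certificate")
    findings += ["signtool error: " + e for e in parsed["errors"]]
    return findings
```

Feeding it the verify output saved from the build machine and from the target machine shows at a glance whether the two see the same chains.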
Related
I got an EV Code Signing in Cloud certificate from Certum. With the SimplySign app, I do not need the USB disk.
But when I sign with the cert, an error occurs:
SignTool.exe sign /ac "Certum Trusted Network CA.crt" /sha1 afdd9e4c718b41fb7981ee32c55837035bdb9abe /t http://time.certum.pl /fd sha256 /v dmfs.sys
The following certificate was selected:
Issued to: Beijing Healthy Hailstone Technology Co., Ltd.
Issued by: Certum Extended Validation Code Signing CA SHA2
Expires: Sat Dec 12 19:28:35 2020
SHA1 hash: AFDD9E4C718B41FB7981EE32C55837035BDB9ABE
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 21:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Certum Trusted Network CA
Issued by: Microsoft Code Verification Root
Expires: Fri Apr 16 04:25:34 2021
SHA1 hash: 55435515FDD2486575FDC5CF3BAD00C913123D03
Issued to: Certum Extended Validation Code Signing CA SHA2
Issued by: Certum Trusted Network CA
Expires: Tue Jan 19 19:55:39 2027
SHA1 hash: BC432D6E675FF26B7BA71C24EA469A7D5457C745
Issued to: Beijing Healthy Hailstone Technology Co., Ltd.
Issued by: Certum Extended Validation Code Signing CA SHA2
Expires: Sat Dec 12 19:28:35 2020
SHA1 hash: AFDD9E4C718B41FB7981EE32C55837035BDB9ABE
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146893792/0x80090020)
In this situation, I do not know how to handle the error or why it occurs.
Any ideas?
When I try to install my device driver, I get the
"Program Compatibility Dialog"
A digitally signed driver is required : Process Detection Driver Cetrus. Windows blocked the installation of a digitally unsigned driver. Uninstall the program or device that uses the driver and check the publisher's website for a digitally signed version of the driver.
My driver is signed:
Verifying: PDetect64.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 039DFBD6C922B86BC9D8E2ABF9AADAB800ABE21E
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 03:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 03:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 16:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Cetrus LLC
Issued by: COMODO RSA Code Signing CA
Expires: Sun May 26 16:59:59 2019
SHA1 hash: 647ACC3A5A36302E3A096F05595FD94EF8ED530D
The signature is timestamped: Fri May 26 10:58:35 2017
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 11:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-1 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 11:40:36 2019
SHA1 hash: 03A5B14663EB12023091B84A6D6A68BC871DE66B
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 13:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 03:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 16:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Cetrus LLC
Issued by: COMODO RSA Code Signing CA
Expires: Sun May 26 16:59:59 2019
SHA1 hash: 647ACC3A5A36302E3A096F05595FD94EF8ED530D
Successfully verified: PDetect64.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Can somebody help with how to go about figuring out why Windows 10 thinks this is an unsigned driver?
What specific version of Windows 10 are you running? Starting with new installations of Version 1607 of Windows 10, Windows will not load any new kernel-mode drivers which are not signed by the Dev Portal. For more details, see https://learn.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
The ONLY way is to sign the driver with an EV code signing certificate.
I have two driver files which appear to have been signed properly:
bobbarker#bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt.sys
Verifying: truecrypt.sys
Hash of file (sha1): 8562AC6F95298C1904DFC0B579C51CBB414D13C9
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
The signature is timestamped: Tue Dec 30 00:29:01 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 18:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 18:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 18:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 15:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
Successfully verified: truecrypt.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
bobbarker#bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt-x64.sys
Verifying: truecrypt-x64.sys
Hash of file (sha1): 5B9B534E682A8768F404B1A1CBFD9ACC98B8E195
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
The signature is timestamped: Tue Dec 30 00:28:52 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 18:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 18:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 18:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 15:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
Successfully verified: truecrypt-x64.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
bobbarker#bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$
But when I try to install them I get the dreaded error:
Windows cannot verify the digital signature for this file. A recent
hardware or software change might have installed a file that is signed
incorrectly or damaged, or that might be malicious software from an
unknown source.
I have posted the files in question, along with the relevant certs. I create the files using the following command:
for i in *.sys; do
cp "$i" "$i".presignbak && \
/cygdrive/c/WinDDK/7600.16385.1/bin/amd64/SignTool.exe sign /v /ac AddTrust_External_CA_Root-srosssigned-by-Microsoft.crt /f signkey.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll "$i" ;
done
My cert uses Signature Algorithm: sha256WithRSAEncryption
What should I try next?
It turns out that Microsoft does not support SHA-2 for driver signing on Windows 7.
In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.
Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.
Could it be that your Windows PC doesn't have the same CA root installed as the machine you used to sign & verify?
Check if the listed CAs in the certificate chain are correctly installed (Run > mmc) where you are trying to install.
I have a signed and cross-signed driver:
C:\ElectricEye\drv_win7_amd64\amd64>SignTool verify /v /kp hlwd.sys
Verifying: hlwd.sys
Hash of file (sha1): B1123F97399CE42715D131EEAF385548D872BA4D
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 23:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Primary Intermediate Object CA
Issued by: StartCom Certification Authority
Expires: Wed Oct 25 02:03:55 2017
SHA1 hash: 660746026115B8DF862C4F5CF1C51508E96E33D0
Issued to: Onmoon Company LLC - " "
Issued by: StartCom Class 3 Primary Intermediate Object CA
Expires: Sat Oct 22 03:51:20 2016
SHA1 hash: 875C77748516F09C663C2F4F0CF9C60C68910017
The signature is timestamped: Wed Oct 23 16:37:03 2013
Timestamp Verified by:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 23:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Time-Stamping Authority
Issued by: StartCom Certification Authority
Expires: Mon Feb 01 03:59:59 2021
SHA1 hash: 962FDDD76C6145ADAFA5E9AD98E3020D0821DD81
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 17:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: StartCom Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Fri Apr 16 00:23:19 2021
SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Issued to: StartCom Class 3 Primary Intermediate Object CA
Issued by: StartCom Certification Authority
Expires: Wed Oct 25 02:03:55 2017
SHA1 hash: 660746026115B8DF862C4F5CF1C51508E96E33D0
Issued to: Onmoon Company LLC - " "
Issued by: StartCom Class 3 Primary Intermediate Object CA
Expires: Sat Oct 22 03:51:20 2016
SHA1 hash: 875C77748516F09C663C2F4F0CF9C60C68910017
Successfully verified: hlwd.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
I'm trying to install it with
sc create hlwd binPath= C:\ElectricEye\drv_win7_amd64\amd64\hlwd.sys type= kernel
The installation finishes successfully, but the driver does not load and after a few seconds an error message appears with "Unsigned driver" error.
Audit reports invalid file hash.
Does this mean some kind of signing failure, or just that Windows 7 drivers cannot be installed with sc?
Solved!
Hope you guys can help!
First off. I have gone through every article I could find at SO, as well as MSDN, etc.
I am trying to sign an InstallShield exe.
I have a GoDaddy code signing certificate, and have no problem signing the certificate at all. What I do have an issue with is that no matter what I do, I get Publisher Unknown on every other computer.
See output below.
Bottom line: I get no issues signing the cert, but cannot remove the unknown publisher error during the UAC Prompt (The test computers have internet access)
Also: If I omit the /kp option on verify I get: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Final update:
If I run verify /pa /v temp\setup.exe I get success on the verify, but still an error on the Unknown Publisher. The /kp option was used incorrectly on this sign.
Steps:
%SIGNTOOL% sign /v /ac %BUILDROOT%%CERTPATH%%MSCERT% /f %BUILDROOT%%CERTPATH%%CERT% /p %CERTPW% /n "%COMPANY%" /t %TIMESTAMP% %BUILDROOT%%TEMPPATH%\setup.exe
Output:
The following certificate was selected:
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 16:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 03:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
Done Adding Additional Store
Successfully signed and timestamped: c:\build\temp\setup.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Verify:
Verifying: c:\build\temp\setup.exe
Hash of file (sha1): 62F814EFC81400AD938AB9D9D49B36F7175A098A
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 19:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 03:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
The signature is timestamped: Sun Jun 24 09:57:57 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 19:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 19:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 19:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 16:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 03:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
Successfully verified: c:\build\temp\setup.exe
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Solved!
The issue was the MSI inside the exe installer. The setup.exe file was signed, but when the MSI inside was extracted and run, that file was not signed. Signed both, and the error went away!!!