Loading
search-img
Title
SHA-256 Certificates Will Not Validate On Vista/Server 2008 Machines

Summary

Installations that were created with InstallShield 2015 and signed with a SHA-256 certificate will not properly validate on Windows Vista/Server 2008.

Symptoms

Installations that were created with InstallShield 2015 and signed with a SHA-256 certificate will not validate on Windows Vista/Server 2008 properly. This causes the files/install to display the message, "This digital signature is not valid." in the Digital Signatures information on the Properties dialog on these Operating Systems only.
User-added image

Also, this can potentially cause the following installation error to occur under certain scenarios on the affected OSes. The possible error that may be encountered is:

Error 1330: A file that is required cannot be installed because the cabinet file <PATH_TO_CAB_FILE> has an invalid digital signature.

Cause

Starting January 1, 2016, Windows 7 and higher ( and its Windows Server counterparts) will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016. This restriction will not apply to the timestamp certificate or the certificate?s signature hash until January 1, 2017, after which time, Windows will treat any SHA-1 timestamp or signature hash as if the code did not have a timestamp signature.

In light of this, InstallShield 2015 has revised the way it signs installation and files at build time in order to support signing with SHA-256 certificates. Additionally, InstallShield will automatically use a SHA-256 hash in the signature of the files that it signs at build time if the project has been configured to sign with a SHA-256 certificate. However, Windows Vista/Server 2008 machines will not properly validate files that have a SHA-256 hash in the signature.

Steps To Reproduce

  1. Create a new Basic MSI project.
  2. Add a file to the project.
  3. In the Releases view, add a new release.
  4. Select the Release and go to the Signing tab.
  5. Configure the release to sign setup.exe in the Sign Output Files option.
  6. Add a SHA-256 certificate either through the store or by browsing to the pfx file.
  7. Configure other certificate options such as the password for the certificate.
  8. Build the release.
  9. On a Windows 7/Server 2008 R2 machine or later, install the .cer file to the Trusted Root Certification Authorities.
  10. Right click the setup.exe, choose properties, and under the Digital Signatures tab, double click the signature.
  11. Verify that the Digital Signature Details dialog shows that "This digital signature is OK."
  12. Repeat steps 9-10 on a Windows Vista/Server 2008 machine. The Digital Signature Details dialog shows that "This digital signature is not valid."

Workaround

This issue is currently being tracked under issue #IOJ-1741079.

Currently, the workaround is to supply InstallShield 2015 with a SHA-1 certificate so that InstallShield signs the install with the SHA-1 hash or otherwise use an older version of InstallShield. Older versions of InstallShield will sign with a SHA-1 hash regardless of the hash of the certificate. In InstallShield 2015, the use of a SHA-1 certificate now triggers build warning -7346 to alert you about the SHA-1 usage.

Additional Information

For more information on the SHA-256 policy Microsoft is enforcing with Windows along with information on Windows Vista/Server 2008 requiring a SHA-1 signature, please refer to the following article: Windows Enforcement of Authenticode Signing and Timestamping

For more information on how InstallShield 2015 handles digital signing, please refer to the Support for SHA-256 Digital Certificates section of the InstallShield 2015 Release Notes
Was this helpful?
Support Hub
Create a case with Support
0/255
Upload Attachment
File Upload
Maximum file size allowed is 3 MB.
File type not supported.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files (.csv) Speadsheets (.xlsx, .xls)

Are you sure you want to cancel the case creation?

Are you sure you want to close this case

Get Hotline support
Products Region Phone Numbers
FlexNet Operations
FlexNet Embedded
FlexNet Publisher
FlexNet Connect
FlexNet Code Insight
InstallAnywhere
InstallShield 		North America  * +1 630-332-2513 (toll)
+1 877-279-2853 (toll-free in North America)
Europe  * +44 1925 944367 (toll)
+44 800 047 8642 (toll-free in Europe)
Japan  * +81 3-4540-5335 (select option 2)
Australia  * +61 3 9895 2177
+61 1800 560 603 (toll-free in Australia)
Usage Intelligence (formerly Revulytics)
Compliance Intelligence 		Please use the Case Portal to submit your support ticket or reach out to your Revenera contact.
Book an Appointment
File Upload
Maximum file size allowed is 3 MB.
File type not supported.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files (.csv) Speadsheets (.xlsx, .xls)
+1.800.374.4353
CONTACT US REVENERA.COM FLEXERA.com
© 2026 Flexera Software. All Rights Reserved.
Privacy policy Terms and conditions Flexera Community Contact Us
Loading
SHA-256 Certificates Will Not Validate On Vista/Server 2008 Machines