Invalid Digital Signatures on Windows XP

SocketTools components and installers are digitally signed using an Authenticode certificate. On Windows XP and Windows Server 2003, the operating system reports the signature as invalid. This occurs because older versions of Windows do not support the SHA-256 algorithm used when timestamping the signature.

Important: This article provides information for a version of Windows which is no longer supported by SocketTools. The minimum required version is Windows 7 SP1 or Windows Server 2008 R2.

Authenticode is used on the Microsoft platform to digitally sign components, libraries and installer packages to assure users that the files originated from an authenticated source and have not been modified. It was introduced with Windows 98, and digital signing originally used the MD5 and SHA-1 cryptographic hashing algorithms. However, both of these algorithms are now considered insecure and their use with digital signatures has been deprecated.

Today, all digital certificates must be created using SHA-256, and in 2015 Microsoft announced that it was officially ending support for certificates which used the older, insecure algorithms. If you view the signature for one of our installers or components on Windows XP (by right-clicking on the file and selecting Properties › Digital Signatures › Details), you will see this warning:

[Image: Digital signature details on Windows XP, with an error showing the code signing certificate is invalid]

This error occurs because our components are countersigned using SHA-256, which is not supported on Windows XP. If you view the certificate itself, it shows the code signing certificate to be valid, but the algorithm used when timestamping the file is not recognized:

[Image: Invalid algorithm error on Windows XP, with an error message indicating the digital signature algorithm is not recognized]

Unfortunately, there is no workaround for this issue because even with dual-signed certificates (ones which use both SHA-1 and SHA-256), the last active timestamping services which supported SHA-1 were decommissioned in January 2021. If you are still using Windows XP, you will need to set up exclusion rules for any security software which may flag our installers or components as invalid.

This problem does not occur on Windows 7 and Windows Server 2008 R2 and later platforms, all of which support secure digital signatures using SHA-256.
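
Because Windows XP cannot validate these signatures itself, the files can be checked on a supported version of Windows before any exclusion rule is created for them. The following PowerShell script is an added example, not part of SocketTools or the original article; it assumes PowerShell 4.0 or later, and the function name Get-SignatureReport and the folder C:\Staging\SocketTools are hypothetical. It reports the Authenticode status of each file along with the signature algorithm of the signing certificate and of the timestamp certificate.

```powershell
# Added example: run on Windows 7 SP1 / Windows Server 2008 R2 or later.
# Get-SignatureReport is a hypothetical helper name, not a built-in cmdlet.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate        # $null when the file is unsigned
    $tsa    = $sig.TimeStamperCertificate   # $null when there is no timestamp

    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        # 'Valid' means the signature and certificate chain verified on this system.
        Status        = $sig.Status
        Signer        = if ($signer) { $signer.Subject } else { $null }
        # Algorithm each certificate was issued with, for example sha256RSA.
        SignerCertAlg = if ($signer) { $signer.SignatureAlgorithm.FriendlyName } else { $null }
        Timestamped   = [bool]$tsa
        TimestampAlg  = if ($tsa) { $tsa.SignatureAlgorithm.FriendlyName } else { $null }
        # SHA-256 of the file, to identify exactly which file was checked.
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Hypothetical folder holding the installers and components to check.
$folder = 'C:\Staging\SocketTools'

$report = Get-ChildItem -Path $folder -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.ocx', '.msi' } |
    ForEach-Object { Get-SignatureReport -Path $_.FullName }

$report | Format-List

# List anything that did not verify, so it is not excluded by mistake.
$report | Where-Object { $_.Status -ne 'Valid' } | Select-Object File, Status
```

A file that reports Valid here and shows a SHA-256 based timestamp algorithm is the case described in this article: the signature is intact, and only Windows XP and Windows Server 2003 are unable to verify it.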

See Also

SocketTools System Requirements
Windows and Supported TLS Versions
Support for TLS 1.2 on Windows XP
