Potential misleading digital signature warning with automatic updates

By Stephen Kellett
26 February, 2024

If you’ve installed any of our commercial tools (not evaluation versions) before January 26 2024, then enabled automatic updates and tried to update your software via the automatic software update mechanism, you may have seen a warning about the downloaded software installer not being signed by Software Verify. This article explains why you are shown this error message and what you can do about it.

What does it look like?

The warning message looks like this:

Missing digital signature warning dialog, shown during software update.

Why does this message get shown?

This message is shown because, although the software installer is signed by Software Verify, the code signing certificate has changed, and our checks for the new code signing certificate fail because the certificate contains slightly different information compared to the previous certificate.

Some history: After a security breach where some code signing keys were stolen from nVidia and Github (and others, no doubt) the people that oversee code signing decided that the new regime for code signing would be different. No longer would you be able to purchase a code signing certificate for about $100, over the internet, then have the certificate on your own machines. The new regime is that you need to code sign via an online service, or purchase a USB token that holds your code signing certificate securely. This would prevent certificates from being stolen.

The USB token needs to be present to perform any code signing. It’s not a USB stick that you can read, so although you own the USB token and the certificate it holds, you can’t directly access the certificate. The USB token comes with some software that presents a password protected gateway between you and signing, and will lock itself forever if you present a bad password 10 times.
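As an added illustration (not Software Verify’s own updater code), here is a PowerShell check of an installer’s Authenticode signature that identifies the publisher from the certificate subject rather than pinning the thumbprint or serial number, so a renewed certificate with slightly different details still passes while an unsigned or tampered installer does not. The installer path and the expected publisher string are assumptions.

```powershell
# Added example, not Software Verify's code. Inspects the Authenticode signature on
# a downloaded installer and applies a publisher check that survives a certificate
# renewal. The installer path and expected publisher name are assumptions.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Gate 1: Windows must accept the signature and its certificate chain at all.
    # Status is 'NotSigned', 'HashMismatch', 'UnknownError' etc. otherwise.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Accepted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # Gate 2: identify the publisher from the certificate subject. Pinning the
    # thumbprint or serial number is what breaks on renewal: a new certificate
    # (here, one held on a USB token) gets a new thumbprint and serial and may
    # carry a slightly different subject string even though the organisation is
    # the same. Matching the O= or CN= value tolerates that.
    $escaped     = [regex]::Escape($ExpectedPublisher)
    $publisherOk = $cert.Subject -match "(^|,\s*)(O|CN)=`"?[^,]*$escaped"
    $reason      = if ($publisherOk) { 'Publisher matches' } else { "Unexpected subject: $($cert.Subject)" }

    [pscustomobject]@{
        Accepted   = $publisherOk
        Reason     = $reason
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint     # changes on every renewal
        Serial     = $cert.SerialNumber   # changes on every renewal
        NotAfter   = $cert.NotAfter
    }
}

# Usage (path and publisher string are assumptions):
Test-InstallerSignature -Path 'C:\Downloads\installer.exe' -ExpectedPublisher 'Software Verify' |
    Format-List
```

Running it against the old and the new installer side by side shows which fields differ between the two certificates, which is exactly the information a pinned check would have tripped over.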

Why didn’t we test with the old certificate and the new certificate?

Our code signing certificate expired on 26 Jan 2024. We started the process of obtaining a USB token code signing certificate months ago. This process is time consuming, requires 3rd parties to vouch for our legitimacy, and costs about 20 times as much as the previous method. Progress through the various stages of vetting and releasing the certificate is, er, opaque. You have no idea what is happening unless you ask, and even then you may not get a useful answer. You just have to wait. Not ideal :-).

We only received our USB token 3 days prior to the old code signing certificate expiring. We didn’t have enough time to test the new USB token, understand how the new digital signatures differed from the previous digital signatures, and get a new software release out that would know the differences and not display the warning message above.

What can you do to resolve this?

Log in to your user account at Software Verify (look at a recent software update email for details) and download the software from there.

Once installed, you can start using software updates again, as the new version knows what the new digital signatures look like.
