Windows 10: SHA-1 Deprecation Update

Source: SHA-1 Deprecation Update | Microsoft Edge Dev Blog

:)

 

Downloading file.exe

Since this only recently started with your other Windows 10 system, I suspect that Microsoft only just finally enabled the detection of these SHA-1 signed files, quite possibly in the recent Windows 10 Anniversary update or at least the IE11 updates that
were included within it.

So if you had installed the update on one system and not the Surface Pro 4, this might explain the difference, since my own system I was using to test here is actually running Windows 8.1 and apparently has also received an update which generates that same
corrupt or invalid message you received.

Looking around, I just found another Web Developer blog article that discusses the SHA-1 deprecation roadmap. Though this doesn't specifically mention how files containing digital signatures will be handled, I suspect that the effects on SSL certificates
using SHA-1 and those for file downloads when using IE11 would be quite similar.

An update to our SHA-1 deprecation roadmap

From the comments in this and another earlier blog article I can see that even the more technically knowledgeable web developers in these discussions have questions and see potential problems with this deprecation. One of these is that older Windows XP
and Server 2003 systems don't support the new SHA-2 or other algorithms, so these will permanently break when software or web pages containing these are accessed.

So this migration from SHA-1 to SHA-2 may be far more disruptive then Microsoft expected for those with outdated software, servers and client systems.

Rob

 

Downloading file.exe

This is a relatively complex issue caused by the fact that the code signing certificate used by the SMA Solar Technology AG to digitally sign their software was issued in 2012.

This was prior to the date that Microsoft and Google both declared they would stop trusting the SHA-1 Signature hash algorithm due to the fact that using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform
phishing attacks, or perform man-in-the-middle attacks.

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Since the certificate used by SMA was issued by COMODO and is itself still valid, the error isn't displayed within the certificate dialogs when inspecting the Digital Signature of the file. Instead, an error message is displayed by the Internet Explorer
11 download dialog when the file is examined at the completion of the download process. At this point the file integrity is verified using the certificate and digital signature information embedded in the executable file, which since it contains a now untrusted
SHA-1 signed certificate, is flagged as invalid due to the deprecated (e.g. untrusted) SHA-1 signature type.

The only true resolution is for the SMA Solar Technology AG company's developer to re-compile and sign this executable file with a newer SHA-2 or other currently trusted Signature hash algorithm. To do this they'll first need to acquire an updated certificate
package from COMODO that removes the deprecated SHA-1 and adds the SHA-2 algorithms per this information from COMODO.

Important change announcement - deprecation of SHA-1

I know this is a more complex answer than you were looking for, but I've written this to aid both the SMA and possibly other small developers having such problems in understanding the issue and what they need to do to resolve it. Clearly SMA is either unaware
of the issue or simply hasn't dealt with it since this deprecation by Microsoft officially took effect as of Jan 1st, 2016 per both of the reference pages above.

Whether you choose to ignore this corrupt or invalid signature error message and use the file anyway is up to you. Since you can't be certain of the file's integrity (e.g. insurance that it's malware free and not truly corrupted), this could be a potentially
dangerous choice. Contacting the company and informing them of the above by providing a link to this thread will aid both you and others if that gets them to fix this real problem of outdated certificate use by their software developer.

Rob