Invalid Signature Message on MSI (Installer) Download

Is the MSI file Ok to use?

Yes. If you downloaded the file from our website, it is fine. It will install our program correctly with no problems. The browser message is simply saying the MSI file signature is invalid.

Why did I get this message for a Breakthru Software product?

We use a Microsoft tool to build our MSI files (product Installers). The tool signs our MSIs with a SHA-1 Microsoft certificate. Microsoft has not yet updated the tool with a new SHA-2 certificate. We (along with many other developers) are waiting for Microsoft to release the fix with a SHA-2 certificate.

Starting on Jan 1, 2016, Microsoft Trusted Root Certificate Program says that signing certificates with a SHA-1 signature will not be considered valid.

Warning Message

When downloading files from the Web, some browsers (but not all) will check the digital signature of the download file to see if it is valid. If the signature is not valid, you may get a warning message (Figure 1). The message will be similar to "The signature for this file is corrupt or invalid". At this time, the Edge browser seems to be the only browser flagging SHA-1 signatures.

What if the browser prevents me from downloading or installing the file?

1) If you have another browser installed, you can try downloading the file from that browser. Not all browsers check for file signatures.

2) If you don't have another browser installed, your browser is probably configured to prevent downloading or installing a file if it finds an invalid signature. To download the file anyway, go to the browser's Tools > Options and check the option that says 'Allow software to run or to install even if signature is invalid' (Figure 2). After the download, you can go back and reset the option.

As an additional precaution and for your peace of mind, you can scan the downloaded file with your anti-virus software. A good habit to cultivate regardless of whatever site you download from.