PRB: Signature Not Recognized for Self Extracting Executables

ID: Q167714


The information in this article applies to:


SYMPTOMS

When downloading a signed self-extracting executable that worked fine in Internet Explorer 3.01, the following message appeared:

A Windows application is attempting to open or install the following software component:

SomeFile.exe

Please be aware that some files may contain viruses or otherwise harm your computer. This component has not been digitally "signed" by it's publisher. Do you wish to continue?

This self-extracting executable was packaged using a product from a third-party vendor such as InstallShield's PackageForTheWeb or Nico Mak's WinZip.


CAUSE

This message may be displayed when downloading a properly signed self-extracting executable file in Internet Explorer version 3.02 or higher. This is a result of a security fix made to Internet Explorer 3.02 or higher.


RESOLUTION

If your code is not affected by this fix, you need not take any action.

If you currently sign self-extracting executables packaged with products from InstallShield or Nico Mak Computing, you will need to do the following.

  1. Download an updated version of their products, available today, from their Web sites. Please see http://www.installshield.com/pftw and http://www.winzip.com/wzse.htm, respectively, for more information about InstallShield and Nico Mak's updated products.


  2. Repackage your self-extracting executable using these updated products.


  3. Re-sign your self-extracting executable using your current certificate and the current code signing tools, which are available in the ActiveX SDK at http://www.microsoft.com/gallery/tools/default.asp


If you currently package your executable using another vendor's product, please notify us through safecode@microsoft.com.


STATUS

This behavior is by design.


MORE INFORMATION

What code is affected?

This fix applies only to signed self-extracting executables created with tools from vendors such as InstallShield (PackageForTheWeb) and Nico Mak Computing (WinZip). Microsoft has worked with these vendors to make updated versions of their tools available.

What code is not affected?

No other types of signed code are affected. Self-extracting executables created with the Wise Installation System from GLBS are unaffected by this fix.

More details

The intent of this fix is to keep Internet Explorer and Microsoft Authenticode(TM) Technology a highly secure platform for executing downloaded code. When verifying the digital signature for signed self-extracting executables, previous versions of Internet Explorer did not take into consideration data that was referred to in the executables created by some vendors. To address this potential problem, Internet Explorer 3.02 or higher will not recognize the digital signature in the signed self-extracting executables described above, regardless of the browser's Safety Level. When a user downloads these signed self-extracting executables, Internet Explorer 3.02 will now bring up the "Potential Safety Warning" dialog box and treat the signed self-extractable executable as unsigned code.


Keywords          : kb3rdparty kberrmsg kbinterop AXSDKCompDownload AXSDKCodeSign 
Version           : Win:3.02,4.0
Platform          : WINDOWS 
Issue type        : kbprb 

Last Reviewed: May 7, 1999