Offline Installers: Invalid Digital Signatures

Report · Jun 20, 2017

Hi,

OS: Vista x86 HP.

The offline installers on the Installation Help Page are reporting Invalid Digital Signatures. Been like this for the last 2 releases (26.0.0.131, 26.0.0.126).

https://s30.postimg.org/a4qfvg8sh/Untitled1.jpg

Report · Jun 20, 2017

This is due to the files being signed with a sha256 digital certificate that Windows XP no longer supports.

Report · Jun 20, 2017

Thank you for the reply, m_vargas.

System is Vista x86 SP2 HP.

There wasn't any problem with the cert on FP 25.0.0.171 which is also signed with a sha256 digital certificate,

https://s16.postimg.org/8andmzg85/Untitled.jpg

Report · Jun 22, 2017

In this instance, it's an expansion of the use of SHA-256 within the signing pipeline that Vista doesn't appear to support.

The bottom line is that we're at an inflection point in the evolution of commercial cryptography support where we have to move our technology choices forward in order to be considered trustworthy by modern operating systems.

This means that we will ultimately need to choose between legacy operating systems at or near the end of their support life, or we have to completely bifurcate support in order to sequester the insecure legacy environments, which become increasingly vulnerable to proven cryptographic attacks, as research moves beyond proving theory to building efficient, practical attacks. Evolution in cryptography is nothing new, and this kind of change has played out many times over the years. History provides an effective guide for how it will ultimately play out, and practical attacks against SHA-1 are within reach at this point.

We have not reached a decision at this point as to whether to undertake the expense and risk of bifurcating our distribution infrastructure to support a less secure, legacy pipeline, for the sole sake of continuing to support WinXP (Vista adoption is miniscule in comparison, and a no-brainer taken on it's own).

Regardless, barriers to continuing to run trailing-edge operating systems on the modern web will be met with ever-increasing amounts of friction and risk, as you miss out on the benefits of 10-15 years of security research, which are frankly necessary in the context of the modern Internet.

If you're cost sensitive and/or cannot afford to upgrade to a modern operating system, modern Linux distributions like Mint Linux offer a free solution that includes modern operating system level security mitigations and cryptography support. If you prefer Windows or Macintosh, a decent entry-level Win10 laptop can be had in the $400 range, a decent entry-level Chromebook will run you about $250, and if you'd prefer an inexpensive alternative to retail Apple prices, Walmart sells refurbished Apple products through their website at a wide range of ages and prices.

Report · Jun 22, 2017

Did you try installing this patch from Microsoft?

You cannot run an application that is signed with a SHA-256 certificate on a computer that is runnin...

Report · Jun 29, 2017

Apologies @All for my late reply. My own research led me to the article below, which explained the situation quite well.

https://portableapps.com/news/2015-03-24--re-releasing-some-apps-due-to-vista-and-xp-digital-signatu...

I went ahead and installed FP v.26.0.0.131 without any problems.

Thank you all for your help.

@ jeromiec83223024, thanks for such a lengthy, informative reply .

@sdfox7, yes, I have that update installed, thanks .

regards.

Adobe Community

Offline Installers: Invalid Digital Signatures

1 Correct answer