Update.exe Blocked; Invalid Signature
Hi,
I have a fleet of machines running version 15.2.2756 of the TeamViewer application. When attempting to update to 15.31.5 the executable is blocked, flagged as not having a valid signature. The units I'm working with currently are in staging so no AV has been set up and we have Windows Defender disabled to prevent it blocking some of our staging scripts, so I'm kind of at a loss. Has anyone else run into this, and if so, have you found a way to resolve this? Let me know.
Thank you,
nbat92
Best Answer
-
Hello everyone,
Thanks for your patience in this matter.
We wanted to provide a more in-depth answer coinciding with my last response and resolution for this issue. Please find below more detailed information on the matter:
A brief overview
A 3072-bit RSA key is now required for code-signing certificates issued by DigiCert.
The newly compliant DigiCert certificate chain covers all the latest certificates, including the DigiCert code signing certificate used by TeamViewer. This new certificate is used by TeamViewer to sign the binary files that are downloaded from its platform. By verifying the digital signature, it ensures that the file originated from TeamViewer, and that it has not been tampered with in any way.
It is also significant to note that the use of the time-stamping service proves that the digital signing certificate was valid at the time the binary was signed. This means that the certificate has not been revoked since then. For time-stamping, DigiCert has provided a new certificate. This certificate is signed by a different root certificate than what was used in previous versions of TeamViewer for Windows. There is a new Certificate authority, with the name 'DigiCert Trusted Root G4'.
📌Note: The root certificate was released in 2013, which means if you have enabled Windows Update at any point in the past, you might already have it.
Impacted functions
In the absence of the DigiCert Trusted Root G4 certificate, a fresh installation of the TeamViewer Client, as well as an update, will fail:
- As part of the installation, the digital signature of the binary is validated prior to initialization as part of integrity verification. In the absence of the DigiCert Trusted Root G4 certificate, the digital signature validation fails, and the installation process produces the following error message:
- As part of the update, the digital signature of the binary is also validated prior to initialization as part of integrity verification. In the absence of the DigiCert Trusted Root G4 certificate, the digital signature validation fails, and the installation process produces the following error message:
In the TeamViewer logfiles (<TeamViewer installation path>/TeamViewer15_Logfile.log), the following error appears:
2022/07/26 09:25:03.698 9148 6288 G1!! VerifyTeamViewerSignature() : WinVerifyTrust failed, result=800b0004, Errorcode=2148204816
Verify that the DigiCert G4 Root Certificate is available on the asset
The following command can be used to determine whether the certificate is available on the asset:
Get-ChildItem "cert:\" -Recurse | Where-Object { $_.Thumbprint -eq "ddfb16cd4931c973a2037d3fc83a4d7d775d05e4" } | Format-List
📌Note: PowerShell version required is 2.0 or later.
- If the certificate is available: the thumbprint in the output will be DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.
- If no certificate is found: no output will be produced.
Install the certificate manually
The following command can be used to manually update the certificate (as long as an internet connection is active):
certutil -urlcache -f https://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt
The DigiCert Trusted Root G4 certificate can be downloaded and added to the certificate store using the following command:
certutil -addstore -f root DigiCertTrustedRootG4.crt
If there are any questions or concerns, please do not hesitate to reach out here again.
Josh P.
Senior Community Moderator
---
10
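The check-then-install procedure from the answer above, as an added PowerShell example that is not part of the original post: it installs the downloaded root only if its thumbprint matches the one quoted in the answer, then reports the Authenticode status of the installer and the root its time-stamping chain ends in. It assumes an elevated session with PowerShell 3.0 or later and the PKI module; $InstallerPath and the function names are hypothetical.

```powershell
# Added example. Thumbprint and URL are the values quoted in the answer above;
# $InstallerPath is a hypothetical path to the blocked TeamViewer binary.
$Thumbprint    = 'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
$CertUrl       = 'https://cacerts.digicert.com/DigiCertTrustedRootG4.crt'
$CertFile      = Join-Path $env:TEMP 'DigiCertTrustedRootG4.crt'
$InstallerPath = 'C:\Staging\TeamViewer_Setup.exe'   # assumption

function Test-RootPresent {
    param([string]$Thumbprint)
    # certutil -addstore root writes to the machine store, so check that one.
    [bool](Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
}

function Install-VerifiedRoot {
    param([string]$Url, [string]$Path, [string]$Thumbprint)
    Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # Refuse to trust anything whose SHA-1 thumbprint differs from the expected root.
    if ($cert.Thumbprint -ne $Thumbprint) {
        Remove-Item -Path $Path -Force
        throw "Thumbprint mismatch ($($cert.Thumbprint)); certificate not installed."
    }
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

function Get-SignatureReport {
    param([string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $tsRoot = $null
    if ($sig.TimeStamperCertificate) {
        # Build the time-stamping chain; its last element is the root when the chain is complete.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.TimeStamperCertificate)
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
        $tsRoot = $last.Certificate.Subject
    }
    [pscustomobject]@{
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        TimestampRoot = $tsRoot
    }
}

if (-not (Test-RootPresent -Thumbprint $Thumbprint)) {
    Install-VerifiedRoot -Url $CertUrl -Path $CertFile -Thumbprint $Thumbprint
}
Get-SignatureReport -FilePath $InstallerPath | Format-List
```

A Status of Valid together with a TimestampRoot naming DigiCert Trusted Root G4 indicates the chain described in the answer now resolves on the machine.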
Answers
-
Hello @nbat92
Thank you for your patience.
Our team would like a little more information regarding the devices affected, to assist in investigation.
Could you please let us know the specific OS version of the devices affected?
Could you please let us know if the affected devices are missing any important OS updates?
Thanks in advance!
Josh P.
Senior Community Moderator
---
0 -
Hi Josh,
We currently support Windows 10 Enterprise LTSC version 1809, build number 17763.2237. If you'd like I'll pull whatever certificate information I can to help get to the bottom of this. All devices I've encountered this on have been from the 28th on and report that the digital signature certificate is "not valid for the requested usage". If there's anything else you'd like me to try I'll do what I can.
Thank you,
nbat92
1 -
Thanks for the quick reply!
I've forwarded this information, and will let you know if we need any further info.
As earlier, I will update this thread as well once resolved.
Thanks again!
Josh P.
Senior Community Moderator
---
0 -
I'm experiencing this as well. Windows 11 21H2, fully patched, no AV. Moving from TeamViewer 15.18.5.
0 -
Windows 11 Enterprise 21H2 Build 22000.675
0 -
Same problem on Windows 10 IoT when doing a remote update.
I wonder if the problem is due to 15.2.2756 or 15.31.5?
I hope this can be solved before we have to update TeamViewer on 500+ PCs on trucks scattered over Scandinavia.
0 -
Hello @MAS_GlendaleAZ & @Kristian_C1
Thank you for the additional information.
I have forwarded this information internally as well - the investigation for an overall resolution is in progress.
I will update you all in this thread as soon as I can.
Thanks for your help, understanding, and your patience.
Josh P.
Senior Community Moderator
---
2 -
Hello all,
Thank you for your patience in this matter.
Our development team is still investigating the issue, but has provided a current resolution to allow the updating of the affected devices.
The issue appears to stem from a specific root certificate; a similar issue was found with some other software as well:
As mentioned in the above article:
All public Certificate Authorities, including DigiCert are deprecating older root CA certificates to be compliant with evolving industry standards like Certification Authority Browser Forum.
Therefore, if the correct certificates are updated, the installations should go through with no issue. The above article provides some methods of deployment for this specific certificate.
Please find below Microsoft's instructions as well for mass deployment updates of certificates:
I hope this helps! Please let us know if you have any questions, or should the issue persist.
Have a great weekend 🌴
Josh P.
Senior Community Moderator
---
0 -
Any update on this issue? Thus far, there are two constants:
- This issue only happens when deploying TeamViewer on a remote system via Files & Extras -> Install -> Install default TeamViewer.
- This issue only happens on new Windows 11 Professional stations.
This still appears to be an outstanding issue as of today, 7/19/2022. v15.31.5 for TeamViewer on our station.
Previous versions of TeamViewer do not appear to exhibit this issue, nor do versions of Windows other than Windows 11.
UTA 7/19/2022 @ 2:58 PM Eastern -- Deploying via QuickStart on a Windows 10 Professional system exhibits the same issue. Looks like TeamViewer development has identified the issue, but I wanted to UTA Windows 10.
UTA 7/19/2022 @ 3:05 PM Eastern -- Updating to add what the workaround is. The issue exists in the portable .exe -- a.k.a QuickStart. If you're able to access the system remotely via another tool, installing the standard TeamViewer_Setup.exe allows configuration of TeamViewer for unattended access.
0 -