🩹 Hotfix Release: v2026.07.0016
🆕 What's Fixed
Certificate Expiration Check Incorrectly Rejected Valid Older Installers
Problem: v2026.07.0015 added a hard certificate-expiration check to Verify-FileSignature:
if ($signature.SignerCertificate.NotAfter -lt (Get-Date)) {
return $false
}This rejected any Intel installer whose signing certificate has since expired — including installers that worked correctly in v2026.05.0014 and whose Authenticode signature is still cryptographically valid.
Root cause: Get-AuthenticodeSignature's $signature.Status already correctly evaluates signature validity, taking RFC3161 timestamping into account. A signature timestamped while the certificate was still valid remains authentic and trustworthy indefinitely, regardless of the certificate's current NotAfter date. The added raw NotAfter comparison duplicated — and incorrectly overrode — this logic, since it doesn't check whether the signature was timestamped, only whether the certificate is expired today.
Impact: Older Intel chipset installers with expired signing certificates (common for legacy chipset packages) were flagged as FAIL: Certificate expired and blocked from installing, even though the underlying INF files were fully valid and the signature chain was authentic.
Fix: Removed the manual NotAfter -lt (Get-Date) check entirely. Signature authenticity is now validated solely via:
- Signer identity match (one of the 3 recognized Intel certificate patterns, or the FirstEver.tech exception)
Get-AuthenticodeSignaturestatus (already timestamp-aware)- Signature algorithm check (SHA256 preferred, SHA1 accepted — warning only, non-blocking)
No other behavior from v2026.07.0015 was changed — EOL device handling, multi-signer support, the FirstEver.tech exception, credits/ads screen, and parser improvements are all unchanged.
🔧 Full Changelog
Core Updater (universal-intel-chipset-device-updater.ps1)
Signature Verification:
- Removed manual certificate expiration check (
SignerCertificate.NotAfter -lt Get-Date) fromVerify-FileSignature - Signature validity now relies on
Get-AuthenticodeSignature's timestamp-awareStatusfield, signer identity matching, and algorithm checks only
No changes to EOL parsing, database format, credits screen, or any other v2026.07.0015 functionality.
📋 Release Files
universal-intel-chipset-device-updater.ps1— Main updater script (v2026.07.0016)ChipsetUpdater-2026.07.0016-Win10-Win11.exe— Self-extracting package (includes updated script)intel-chipset-infs-latest.md— Unchanged from v2026.07.0015intel-chipset-infs-download.txt— Unchanged from v2026.07.0015
🔒 Security Notes
- This is a compatibility fix, not a weakening of security: rejected files were legitimate, unmodified Intel installers. Signature authenticity (signer identity + Authenticode status + algorithm) is still fully enforced — only the redundant/incorrect raw expiration comparison was removed.
📝 Notes
- Recommended for everyone on v2026.07.0015 who saw
FAIL: Digital signature verification - Certificate expired.for installers that previously worked in v2026.05.0014. - Backward Compatibility: Fully compatible with existing databases and installer packages; no database changes in this release.