Revoked code signing certificate prevents installation on Win10

[frennkie]

I just downloaded Bitcoin Core for Windows 10 64bit but executing the installer fails with a UAC error message ("This app has been blocked for your protection"). The screen looks similar to this (can take a real screenshot in UAC):

I double checked and I have the correct file (according to the SHA256):

PS C:\Users\User\Downloads> Get-FileHash .\bitcoin-0.21.0-win64-setup.exe -Algorithm SHA256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          54050748EF4D4F000EA1ECE472491B3E5FD546EFC74ED52119354B2893F6624B      C:\Users\User\Downloads\bit...

I found out that the message from Windows appears when the is a problem with the code signing. I checked the certificate on the installer and really is listed as revoked - with the message: "This certificate was revoked by its certification authority."

[jarolrod]

This is being worked on, for now it is recommended to use the unsigned version: https://bitcoincore.org/bin/bitcoin-core-0.21.0/bitcoin-0.21.0-win64-setup-unsigned.exe

[brianddk]

Please verify your downloads using GPG

• Verify 0.21.0 Using GPG
• 0.21.0 Unsigned installer download to verify with GPG

[xavier2dc]

The signing certificate shows it was revoked on ‎Tuesday, ‎March ‎24, ‎2020. This seems back-dated. Normally, this happens when a publisher discovers a key compromise and wants to invalidate all binaries signed after the key was considered as compromised. Is it the case here?

I noticed the unsigned version was pushed on March 25, 2021, on the occasion of the signing certificate's expiration. That shouldn't be needed, as the installer was timestamped, therefore will remain valid despite the cert having expired. So, I don't see the connection between the expiration of the cert and its revocation effective a year earlier. Can someone clarify what's going on?

[achow101]

See also: bitcoin-core/gui#252

The certificate was revoked when I went to renew it. I think it was revoked because I asked for a renewal while the certificate was still valid, but I'm not sure. All I know is that on March 16th, when I purchased a renewal for the certificate, the current one was immediately revoked with a backdated revocation. The key was not compromised and the revocation was not requested. The revocation reason is not known.

Due to changes to the code signing certificate OV requirements, we have been unable to get a new code signing certificate in order to remedy this issue. That is currently being worked on, and we should be able to get a certificate soon. Once the new certificate is issued, all of the affected versions will be re-signed and re-released.

[ricardofavero]

Any news about this problem? I think this is preventing many users from installing.

[sipa]

It's being worked on, but it needs a lot of administration to get a new certificate.

[achow101]

We have a new certificate now so this can be closed.