
Digital signatures are used to confirm the integrity of things from web sites to software. I'll look at what it means when software signatures "break".

My (free version) AVG software is warning me of several "broken digital signature(s)" on my computer. Why are these a problem?

They may not be.

I've seen several people wondering about this error that apparently started with a recent update to AVG.

It's possible that it's a false positive - an error that's not really an error.

It's also possible that AVG is checking something new that most anti-malware programs don't check and discovering something - something that might be true, but still not necessarily a problem.

Digital Signatures

First, we need to understand just a little about exactly what a digital signature is.

In short, it's an encrypted block of data that accompanies some other data and that, when decrypted, confirms two things:

  • the organization or person who created that other data is who they say they are

  • that other data has not been altered in any way since it was signed

The key technology used is called "public key encryption": basically, whatever is encrypted with one key of a specially created pair of keys can only be decrypted with the other. If you keep one of those keys private and publish the other, you can do things like validate the origin of signed data.

This might sound a little familiar, as it's very similar to (and often uses the same technology as) the encryption and verification that is performed when you use an https secure connection.

That'll be an important example in a moment as we look at what it means for a digital signature to "break".

Broken Digital Signature

"Break" is really the wrong term, but it's good enough to get the idea across. A digital signature doesn't really break; rather, it fails to verify one of the things above, or fails an additional test or two that would further confirm its authenticity.

A digital signature can "break" in one of several ways:

  • the encrypted data fails to decrypt with the key that should match. This calls into question the authenticity of the signer.

  • the tests to confirm that the signed data has not changed fail. This could mean that the data has been tampered with after it was signed.

  • the data used to confirm that the signature is correct, the certificate, is "too old" - more on this below.

  • the certificate has been explicitly revoked and is no longer considered valid.

The third is by far the most common when visiting web sites using https. If you see "There is a problem with this website's security certificate", nine times out of ten the web site has simply failed to renew its certificate before the current one expired. That's more of an annoyance than a real security problem.
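To make those failure modes concrete, here's a small worked example added to this article (it is not Leo's code, nor anything from AVG or Microsoft). It models a "certificate" vouched for by a root, and a verifier that reports which check failed: untrusted or missing root, forged certificate, revoked certificate, expired certificate, or a signature that doesn't match the data. It uses textbook RSA built from Mersenne primes with no padding, which is not secure and merely stands in for a real signature scheme; the CA name, vendor name, serial numbers, dates and file bytes are all constructed for the illustration.

```python
"""How a digital signature "breaks": an added toy model, not code from the article.
Textbook RSA (Mersenne primes, no padding) stands in for a real scheme purely to
show the mechanics; it is NOT secure. Every key, name, serial and date is constructed.
"""
from dataclasses import dataclass
from datetime import date
from hashlib import sha256

M31, M61, M127 = (1 << 31) - 1, (1 << 61) - 1, (1 << 127) - 1  # Mersenne primes


def make_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) textbook-RSA keys as (exponent, modulus) pairs."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (e, n), (d, n)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the range of the toy modulus."""
    return int.from_bytes(sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """'Encrypt' the hash with the private key; only the matching public key undoes it."""
    d, n = private_key
    return pow(digest(data, n), d, n)


def raw_verify(data: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)


@dataclass(frozen=True)
class Certificate:
    """A minimal certificate: a subject's public key vouched for by an issuer."""
    serial: int
    subject: str
    public_key: tuple
    issuer: str
    not_before: date
    not_after: date
    issuer_signature: int = 0  # the issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The 'to be signed' fields the issuer commits to."""
        return (f"{self.serial}|{self.subject}|{self.public_key}|{self.issuer}|"
                f"{self.not_before}|{self.not_after}").encode()


def issue(serial, subject, subject_pub, issuer, issuer_priv, not_before, not_after):
    """Have an issuer sign a certificate for a subject's public key."""
    unsigned = Certificate(serial, subject, subject_pub, issuer, not_before, not_after)
    return Certificate(serial, subject, subject_pub, issuer, not_before, not_after,
                       sign(unsigned.tbs(), issuer_priv))


def verify_signed_file(data, signature, cert, trusted_roots, revoked_serials, today):
    """Return 'ok', or the first reason the signature fails to verify."""
    root_pub = trusted_roots.get(cert.issuer)
    if root_pub is None:
        return "untrusted issuer"  # root certificate missing or not yet installed
    if not raw_verify(cert.tbs(), cert.issuer_signature, root_pub):
        return "certificate forged"  # cert fields altered, or not signed by that root
    if cert.serial in revoked_serials:
        return "certificate revoked"
    if not (cert.not_before <= today <= cert.not_after):
        return "certificate expired"  # the common, low-severity case
    if not raw_verify(data, signature, cert.public_key):
        # A wrong signing key and tampered data both land here in this toy;
        # real padding schemes let a verifier tell the two apart.
        return "signature mismatch"
    return "ok"


# --- constructed scenario: a root CA, a software vendor, and an impostor --------
ROOT_PUB, ROOT_PRIV = make_keypair(M61, M127)
VENDOR_PUB, VENDOR_PRIV = make_keypair(M31, M61)
OTHER_PUB, OTHER_PRIV = make_keypair(M31, M127)  # someone who is not the vendor
TRUSTED_ROOTS = {"Example Root CA": ROOT_PUB}
TODAY = date(2010, 11, 28)
VENDOR_CERT = issue(1001, "Example Software Inc", VENDOR_PUB, "Example Root CA",
                    ROOT_PRIV, date(2010, 1, 1), date(2012, 12, 31))
EXPIRED_CERT = issue(1002, "Example Software Inc", VENDOR_PUB, "Example Root CA",
                     ROOT_PRIV, date(2008, 1, 1), date(2010, 6, 30))
PROGRAM = b"MZ\x90\x00 constructed stand-in for an .exe file"
GOOD_SIG = sign(PROGRAM, VENDOR_PRIV)


def scenarios():
    """Exercise each way a signature can 'break' and return the verdicts."""
    def check(data, sig, cert, roots=TRUSTED_ROOTS, revoked=frozenset()):
        return verify_signed_file(data, sig, cert, roots, revoked, TODAY)
    return {
        "intact": check(PROGRAM, GOOD_SIG, VENDOR_CERT),
        "tampered": check(PROGRAM + b"\x00", GOOD_SIG, VENDOR_CERT),
        "wrong signer": check(PROGRAM, sign(PROGRAM, OTHER_PRIV), VENDOR_CERT),
        "expired cert": check(PROGRAM, GOOD_SIG, EXPIRED_CERT),
        "revoked cert": check(PROGRAM, GOOD_SIG, VENDOR_CERT, revoked={1001}),
        "missing root": check(PROGRAM, GOOD_SIG, VENDOR_CERT, roots={}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:>13}: {verdict}")
```

The point of returning a distinct verdict for each check is the one this article makes: "certificate expired" and "signature mismatch" are both "broken" signatures, but only the second says anything about the file's contents having been altered, so a tool that lumps them together as one threat level is throwing that distinction away. The "missing root" case is the one the later advice about root certificate updates is about.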

Digital Signatures, Software and Anti-malware Tools

Just like a website's "this is who I am" information can be signed as part of the https protocol, software can also be signed. ".exe", ".dll" and other file types used for software can be signed for security.

As you might imagine, this could be a good thing: a broken signature might reveal that an executable file has been tampered with, or that it came from someone other than it claims. Either is a good sign of a potential virus or other malware activity.

Unfortunately, just like https web sites, the most common cause of broken digital signatures in executables is ... out-of-date certificates. Rarely, if ever, is an out-of-date certificate a serious cause for alarm.

And yet, the anti-virus programs seem to be reporting these types of failures as equivalent in terms of threat.

They aren't.

Dealing With Broken Digital Signatures

Honestly, if no other errors are reported at the time, I'd be tempted to ignore broken digital signatures for the time being. While they've been around for a little while, there's been little penalty for getting them wrong. AVG, and hopefully other anti-malware manufacturers, will slowly start adding support for checking them, which in turn will motivate vendors both to use them and to make sure that they're used correctly.

One thing you can do - and this is, in part, an educated guess - is to make sure that you don't have any root certificate updates waiting in Windows Update. Depending on the exact certificates being used to validate the digital signatures, it's possible that out-of-date root certificates could lead to the problem at hand.

Article C4665 - November 28, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


7 Comments
PaulM
November 29, 2010 9:38 AM

This is one reason why I dumped AVG after using and recommending it for several years. I now use Avast! antivirus. The free edition works great.

Dennis
November 30, 2010 2:13 PM

I had 8 "broken digital signature" on my last scan. Seven were from Microsoft. The eighth? Why AVG, of course.

Karen H
November 30, 2010 3:42 PM

Gee, Dennis had "only" 8 broken digital signatures. I had 30 on my last AVG scan. Altho they don't worry me, I sure would like to know how to get rid of them. I can't seem to find a DELETE for them.

JohnDa
December 1, 2010 8:45 AM

Karen, you can delete them by right-clicking and then choosing "take me to file"... but do not ever do that... some of these files are essential for Windows to work properly... I personally just today found out about 12 of these... I right-clicked them, chose Properties, and saw that they had expired... well, this is only natural since I don't do most of the Windows updates because they mess up my system... it is really nothing to worry about... next time you scan... right-click them and select "add to exception"... AVG won't dig them up ever again...

Eric
December 1, 2010 6:25 PM

I have been getting them since 11/24. Shouldn't AVG let us know if they're working on this problem?

It's very possible AVG doesn't consider this a problem - the digital signatures may indeed be broken, and it's up to the vendors to fix the software.
Leo
02-Dec-2010

TonyG
December 25, 2010 6:57 AM

I don't understand the phrase "AVG doesn't consider it a problem and the vendor should fix the software". Isn't AVG the vendor if the file is issued by AVG?

Not at all - it's finding a problem in OTHER files - files installed as part of other applications. That's what anti-malware tools do: they scan all the other files on your system.
Leo
25-Dec-2010

Mike
January 22, 2011 3:59 AM

Dennis, don't toss AVG too soon. I have been using AVG for many years - no problems. The only "broken digital signature" was Avast.
