I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Like this:
Very suspicious.
A bit later I found another msi package containing the same suspicious file. But this time, the package had a valid digital signature. What’s going on?
After a deep dive into the internals of msi packages, I found the answer.
When an msi package is installed, it is cached inside the Windows Installer directory (%windir%\Installer). Prior to Windows Installer 5.0 (released with Windows 7), cached packages were stripped of their embedded cab files. But with digitally signed msi files, the signature remained inside the file: the digitally signed file was modified, hence the signature was invalidated. This behavior changed with Windows Installer 5.0: cached packages are no longer stripped, hence the signature remains valid.
This blogpost by Heath Stewart explains this change in more detail. Unfortunately, my Google-skills were not good enough to find this blogpost prior to my deep dive into msi files. Hindsight Googling FTW! 😉
Didier Stevens 
[…] In case you missed it, I posted this during the weekend: MSI: The Case Of The Invalid Signature. […]
Pingback by OHM2013 | Didier Stevens — Monday 29 July 2013 @ 0:01
“This behavior changed with Windows Installer 5.0: cached packages are no longer stripped, hence the signature remains valid.” Trust Microsoft to make it less secure with an ‘upgrade’, this makes the digital signature effectively irrelevant in this context.
Comment by David J Dunmore — Friday 2 August 2013 @ 14:39
[…] Some time ago I had to figure out if a file was embedded inside another file. […]
Pingback by Finding Contained Files | Didier Stevens — Monday 7 October 2013 @ 0:01