DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Authenticode Signature Verification Fails with New Timestamping Cross-Root

Solution ID : SO070722230245
Last Modified : 10/21/2023


In June 2022, DigiCert introduced the new cross root "DigiCert Trusted Root G4" to resolve compatibility issues with legacy timestamp clients. The introduction of the cross root was for the timestamp certificate to chain to a more ubiquitous root that was already present in the root stores of legacy systems.

As part of this change, the new cross root included only the Time Stamping ( EKU attribute. Because this same cross root would also be used as part of the digital signature chain, Windows was unable to validate the code signing certificate chain due to the limited EKU.

When checking the digital signature or executing the signed program on all Windows machines missing the new ICA “DigiCert Trusted Root G4”, errors similar to the following may appear:

  • The certificate is not valid for the requested usage
  • This certificate does not appear to be valid for the selected purpose
  • Untrusted publisher


On August 8, 2022, DigiCert published a new, permanent cross-signed intermediate CA (ICA) certificate to be used for validation of timestamped digital signatures. This new ICA certificate is compatible with legacy operating systems, resolving a previous problem of legacy operating systems distrusting properly signed code.

Cross Root


DigiCert Trusted Root G4

Serial: 0e9b188ef9d02de7efdb50e20840185a

Valid From: Monday, ‎August ‎1, ‎2022 00:00:00 UTC
Valid To: Sunday, ‎November ‎9, ‎2031 23:59:59 UTC

For any files signed with the temporary workaround, they will continue working or you may re-sign and timestamp your files without specifying the cross-signed ICA. 

signtool sign /tr 
http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file_to_sign.exe"

Verify the file was signed correctly with this command:

signtool verify /pa signed_file.exe