KB40956 - Receiving "Invalid signature" and "Verify failed" messages in Pulse Secure client debug logs

This article explains why "invalid signature" and "Verify failed" messages are displayed in the Pulse Secure Client debug logs for dll and exe files and how to verify SHA2 Cert Chain using Procmon tool.

While installing Pulse Secure components on a Windows OS (i.e. PSSetupClientInstaller.exe or dll files), an invalid signature error and verify failed message may occur in the debuglog.log. This will cause issues with Pulse Secure setup client components installation leading to installation failures for Pulse Secure components.

The Pulse Secure Desktop client logs should be gathered under Detailed level (click File > Logs > Log Level > Detailed).  For step-by-step instructions, refer to KB17327 - How to collect the log file from Pulse Secure Desktop client?​.

Log excerpt:

PulseSetupExt p6744 t12C0 dsVerifyHelper.cpp:283 - 'DSVerifyHelper' Enter: C:\Users\test\AppData\Local\Temp\tmp257375932996204585PulseExt.exe
PulseSetupExt p6744 t12C0 dsVerifyHelper.cpp:283 - 'DSVerifyHelper' WinVerifyTrust() failed, 0x80096010
....
PulseSetupExt p2392 t2AE4 JuniperSetupExt.cpp:429 - 'DSSetupClientHelperExt::installSetupClientOneFile()' 
verifyFile failed C:\Users\ADMINI\AppData\Local\Temp\PSSetupClientInstaller.exe
PulseSecureService.exe dsAccessService p5372 t268C accessPluginLoader.cpp:117 - 'AccessService' plugin 
C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiPlugin.dll, invalid signature
PulseSecureService.exe dsAccessService p5372 t268C accessPluginLoader.cpp:117 - 'AccessService' plugin 
C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiModelService.dll, invalid signature
....
PulseSecureService.exe dsAccessService p1316 t580 accessPluginLoader.cpp:117 - 'AccessService' plugin 
C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\NetMonitor.dll, invalid signature

When reviewing the properties of the problematic DLLs, the digital signature will state:

The digital signature is not valid

1. Open Windows Explorer
2. Navigate to the directory stated in the logs for the problem DLL
3. Right-click the file
4. Select Properties
5. Click Digital Signature tab
6. Select the certificate in the list
7. Click Details
8. Under General tab, the status of the digital certificate will be stated.
9. Click Advanced tab
10. For Digest algorithm, confirm if the value states sha1 or sha256

If the digest algorithm is sha1, please refer to the solution section below.

The issue occur if there is any issue with the validating the SHA1 certificate chain on patched (May 2017) Windows operating system. For more information, please refer to the Windows Enforcement SHA1 Enforcement document. 
 

Starting with Pulse Secure Desktop client 5.2R3 and above, all libraries are signed using a VeriSign SHA2 code signing certificate. Please upgrade to Pulse Secure Desktop client 5.2R3 and above to resolve this issue.