Installing IIS CORS 1.0 Module finishes with "Downloaded file failed signature verification and may have been tampered with" message RRS feed

  • Question

  • User1009078534 posted

    Hi, hope you're doing well.

    We're trying to install IIS CORS module via Web Platform Installer.

    Here's the command:

    webpicmd.exe /Install /Products:"CORS 1.0" /AcceptEula

    For a while it worked well, but starting last Friday (January 15th 2021), we are getting this error:

    Downloaded file failed signature verification and may have been tampered with

    Are there any changed been made for this file? We cannot understand the issue.

    Thanks a lot for your help.

    Monday, January 18, 2021 12:04 PM

All replies

  • User-1536664907 posted

    We are also getting the same error. This error occurs with both manually running the web platform installer, and using the command line mentioned above.

    Monday, January 18, 2021 3:08 PM
  • User1065476709 posted

    Hi aliaksanderkazlou,

    Downloaded file failed signature verification and may have been tampered with

    This problem should be caused by system compatibility. The default version installed by Web Platform Installer (WebPI) is x86 installer, you can try to install x64 installer.

    Best regards,


    Tuesday, January 19, 2021 1:59 AM
  • User-585462033 posted

    I have tried the x64 installer... it appears to run but CORS still not installed. I think there is still an issue with the installer.

    Tuesday, January 26, 2021 2:40 PM
  • User515338469 posted

    The problem is plain and simply what the error message states:

    The SHA1 checksum from the Web Platform Installer's XML feed does not match the actual SHA1 checksum of the installer file.

    You can try this by downloading the file manually from http://download.microsoft.com/download/2/F/2/2F259559-FC43-4B2C-B53F-DED3E9950912/IISCORS_amd64.msi and running

    certutil -hashfile c:\Users\you\Downloads\IISCORS_amd64.msi SHA1
    SHA1 hash of c:\Users\you\Downloads\IISCORS_amd64.msi:
    CertUtil: -hashfile command completed successfully.

    You can verify this further by downloading the original feed file from https://webpifeed.blob.core.windows.net/webpifeed/WebProductList.xml, then editing it in a text editor and replacing the incorrect SHA1 hash with the correct one. Then run

    webpicmd-x64 /Install /products:cors /xml:C:\path\to\edited-version-of\WebProductList.xml

    and - surprise - it will work.



    For all we know, someone may actually have tampered with Microsoft's download server. You'd say: Probably not. After all, this is Microsoft. But Microsoft is also the same company that hasn't fixed this hash mismatch for at least 3 months (and counting, at the time of this writing). If you still trust them, read on...

    All this does is show that Microsoft are doing an extremely sloppy job at maintaining WebPi packages. It's almost as if WebPi is something they have already abandoned, but without providing a proper replacement.

    Also, if you have been paying attention, the download URL is a HTTP URL. That's right. No HTTPS.

    And then you have only scratched the surface of what a dumpster fire WebPi is. The best advice I can give you is to stop using it immediately.

    Either download the MSI file directly and run it (it will not install all dependencies, but all dependencies, such as IIS, can be installed with DISM or Server Manager), or, if you want to use a package manager, consider using Chocolatey: https://chocolatey.org/packages/iis-cors-module .

    Monday, March 15, 2021 2:55 PM