Integrity Check failure with Applocker

I am using Dopus in a company environment, Version 11.19 X64, have been very happy with it. After migration to Windows 10 IT is using Microsoft Applocker to inhibit usage of unknown EXE files. I have authority to digitally sign DOpus exe to allow execution, but this overwrites the GP signatures and leads to an Integrity Check Failure. Any idea what I can do to keep DOpus working?

Rudolf Korne

You can’t re-sign our binaries. (The same will be true for a lot of other software.) You would need to tell AppLocker to allow binaries signed with our certificate, or to allow our binaries via some other method that doesn’t require modifying them.

I'm not in a position to configure Applocker. Isn't it possible to disable the integrity check? Otherwise DOpus will be gone for me, I'll miss it.

It's not possible, no.

AppLocker has many ways to allow an exe without modifying it: Working with AppLocker rules (Windows) - Windows security | Microsoft Docs

Signing the exe in a way which does not remove our signature may also work. It should be OK to have multiple signatures on the same binary, as long as they're using the authenticode standard, since the signatures themselves are not part of the data which the signatures verify.

Adding signatures without replacing the existing ones should be possible, at least in theory, as we do it ourselves in order to sign with both the old and new hashes for different versions of Windows.