Invalid signature - The form changed after it was signed. Only it wasn't changed.

UPDATE 26 April: Make sure you create the correct RegKey. For the InfoPath forms my customer was using, it was the XmlDSigXsltTransform reg key that was needed, specifically the key marked in the KB article as "XmlDSigXsltTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)".

__ __ __

I ran into an interesting puzzle over the last couple of weeks on SharePoint, where a signed InfoPath form was displaying as having an invalid signature in the browser but the InfoPath client said the signature was fine.

If you are looking at an InfoPath form that has a digital signature, the validity of the signature is important: it tells you the form hasn't changed and lets you verify who has signed the form. My current customer uses this functionality a lot, and recently reported that users were getting a warning message when opening forms in the browser: "Invalid signature - The form changed after it was signed". Opening the form also gave the message "One or more digital signatures in this form could not be verified. To modify parts of the form that have been digitally signed, remove the associated signatures. Click on signatures to view its details." If you opened the form in the InfoPath client, the signature showed as valid, and in the signature details I could see the form had not changed.

I did a lot of head scratching and had to escalate this to a Microsoft colleague to help the customer figure out what was going on. We eventually figured it out and traced it to a .NET Framework patch, https://technet.microsoft.com/library/security/ms16-035, and the associated note, which instructs you to add a registry key to avoid the issue with signatures erroneously showing as invalid: https://support.microsoft.com/en-us/kb/3148821, specifically the XmlDSigXsltTransform reg key.