PSA - Code signing for 2016
PSA - Code signing for 2016
New rules may make your current cert useless as early as Jan 1 2016
http://zabkat.com/blog/code-signing-sha1-armageddon.htm
New rules may make your current cert useless as early as Jan 1 2016
http://zabkat.com/blog/code-signing-sha1-armageddon.htm
whew, I am good...as I got my certificate this year
ReplyDeleteThanks for the link that was really interesting.
ReplyDeleteYou're welcome. Looks like I'm covered.
ReplyDeleteSame here. When I was researching on whom to purchase a certificate from I was shocked at the pricing and that there are a small amount of vendors that provide code signing certificates.
ReplyDeleteI went with Comodo for a 3 year plan and the cost was low. That being said you would think that a company that sold you the certificate would automatically upgrade the certificate. Am i being to pushy on that ?
One would think a 3 year plan would at least get you the upgrade. I'm also with Comodo but I buy through KSoftware - http://codesigning.ksoftware.net/
ReplyDeleteI checked my Comodo via KSoftware Certificate and it works with the double signing method discussed :)
ReplyDeleteThank you - just thought for a moment that my Christmas peace was spoiled, but luckily it looks like it is (so far) not a problem for executables signed before 1/1 2016. At least that gives more time to take care of it :-)
ReplyDeleteWith Comodo I could just re-download the cert and it had been upgraded to SHA2-256.
ReplyDeleteAnybody know how to tell if your code signing is using SHA-1 or SHA-2?
ReplyDeleteRight click on your signed .exe >> Properties >> Digital Signatures Then Digest Algorithm
ReplyDeleteBut now that I look at that mine shows sha1
When I look at the Certificate in IE >> Tools >> Internet Options >> Content >> Certificates >> View >> Details it shows the Signature algorithm as sha256RSA and a Thumbprint algorithm of sha1
Patrick Hughes Yes, I get the same after compiling our installer script in Advanced Installer. I think it is because AI by default generates the thumbprint using SHA1, even if the certificate is SHA2-256.
ReplyDeleteAs a side-note, the built-in signing in AI became slow as molasses after updating the cert to SHA2. I downloaded the updated SignTool.exe from here:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwiXh-aIwvHJAhUFEiwKHRKjDNEQFggxMAI&url=http%3A%2F%2Fzabkat.com%2Fblog%2Fcode-signing-sha1-armageddon.htm&usg=AFQjCNGqOn0fKWRmGZLtce3mdJIJEz2NXg&sig2=Lseco3jSHtO2D9iPdD8eDA
And turned on signing in AI via External Tools to point to this SignTool.exe. Now the signing is fast again, but it still generates SHA1 thumbnails. In their wisdom the AI developers did not allow specifying the SignTool command line parameters.
One workaround would be to create a proxy exe utility that invokes SignTool.exe with the correct params. But I suspect (hope) that the latest AI version does send the correct parameters to sign with SHA2.
Sigh! Why must security always be such a mess... :(
Microsoft docs and download: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
Discussion of wrapper utility and Signtool params:
https://community.flexerasoftware.com/archive/index.php?t-218163.html
I think the definitive test for checking your exe is right click on exe – Properties – Digital Signatures – Details – View Certificate – Details – Signature algorithm – if it says "sha256RSA" then it is good. If it says, "sha1RSA" it is bad.
ReplyDelete