SHA2 certificate



NewsArchive
08-12-2014, 01:25 PM
Hi Friedrich

My current SHA1 certificate is due for renewal in two months; I'm not sure
of what to order.

- Should I buy a 3 year SHA2 certificate or a 1 year SHA1 certificate and a
SHA2 certificate next year?

- What happens if I sign my EXEs with a SHA2 certificate and my users run
them in Windows XP?

- If I get a SHA2 certificate, can I use it today with SetupBuilder?

I'll appreciate your comments.

Regards,

-- Carlos Gutiérrez

NewsArchive
08-12-2014, 01:26 PM
Hi Carlos,

http://www.lindersoft.com/forums/showthread.php?t=43220

Always order a 3-year certificate. Never order a one- or two-year-only
certificate. Otherwise, you have to build a new "reputation" for your
certificate every year (after two years).

BTW, you can use the "new type" certificate to code-sign with SetupBuilder.
But you can't code-sign using the SHA-2 option yet (will be available in a
later build). Windows XP SP3 supports SHA-2. Older operating systems do
not.

Friedrich

NewsArchive
08-12-2014, 01:26 PM
BTW, Comodo told me that if the order goes beyond 01-Jan-2016 their system
will automatically issue of the SHA-2 chain.

Friedrich

NewsArchive
08-12-2014, 01:27 PM
> if the order goes beyond 01-Jan-2016 their system
>will automatically issue of the SHA-2 chain.
That settles it then :-)

Thanks!

Carlos Gutierrez

NewsArchive
08-12-2014, 01:28 PM
Thanks!

>Windows XP SP3 supports SHA-2.
>Older operating systems do not.

Do you know what "not supported" means for, say, XP SP2?
Do EXEs show as not signed or with a bad signature? Do they still run?

Carlos Gutierrez

NewsArchive
08-12-2014, 01:40 PM
Carlos,

> Do you know what "not supported" means for, say, XP SP2?
> Do EXEs show as not signed or with a bad signature? Do they still run?

If you code-signed with the SHA-2 option it would "show" an invalid
code-signature for your signed files. Please note that you can use the new
type certificates to code-sign with the old option. The operating system
would display a warning.

Friedrich