
Comodo cert steps



NewsArchive
03-27-2015, 01:50 AM
I can't find Jane's excellent write up on the steps needed after you get
your Comodo cert. I believe these steps are streamlined now.

Anyone have a link?
--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-27-2015, 01:51 AM
http://www.beachbunnysoftware.com/SB/Comodo2014.pdf is the most recent
one that I know of.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-27-2015, 01:52 AM
Russ,

> Anyone have a link?

What Jeff said or...
http://www.lindersoft.com/Comodo2014.pdf


Open and chew!<g>

Lee White

NewsArchive
03-27-2015, 01:52 AM
>
> Anyone have a link?
>

Or this one... :-)

http://www.lindersoft.com/forums/showthread.php?23099

Friedrich

NewsArchive
03-27-2015, 01:52 AM
Thanks!

--

Russ Eggen
RADFusion International, LLC

NewsArchive
04-01-2015, 02:19 AM
Hi Friedrich,

In two months (June 2015) we have to renew again, for 3 years.

Question:
When I codesign my application executable (build with Clarion 6.3 9058)
with SHA-2 and some users will run this executable on (for example)
Windows XP SP2, will my application still run/start? Or will they get an
error that XP SP3 is required?

Best regards,
Jeffrey

NewsArchive
04-01-2015, 08:09 AM
Hi Jeffrey,

> In two months (June 2015) we have to renew again, for 3 years.
>
> Question:
> When I codesign my application executable (build with Clarion 6.3 9058)
> with SHA-2 and some users will run this executable on (for example)
> Windows XP SP2, will my application still run/start? Or will they get an
> error that XP SP3 is required?

Windows XP SP3 users that download an executable signed with SHA-256 will
see the EXE as unsigned. They will, however, be able to run it just as if
it were an unsigned EXE.

Windows XP SP2 and older users that download an executable signed with
SHA-256 will see the EXE as unsigned. They "should" be able to run it just
as if it were an unsigned EXE, but no guarantee!

Windows Vista SP2 users that download an executable signed with SHA-256 will
see the EXE as unsigned, but be able to run it as if it were unsigned.

Windows Vista users or Vista users who have not applied KB2763674 will have
the executable silently fail when running it.

BTW, you can still use SHA-1 when you code-sign with your new SHA-2
compliant certificate.

Friedrich

NewsArchive
04-01-2015, 08:09 AM
Hi Friedrich,

> BTW, you can still use SHA-1 when you code-sign
> with your new SHA-2 compliant certificate.

That is very good to hear! :-)
But how/where can I set this to SHA-1 when code signing with SB 8.5?

Best regards,
Jeffrey

NewsArchive
04-01-2015, 08:10 AM
Hi Jeffrey,

> > BTW, you can still use SHA-1 when you code-sign
> > with your new SHA-2 compliant certificate.
>
> That is very good to hear! :-)
> But how/where can I set this to SHA-1 when code signing with SB 8.5?

The SetupBuilder 8.5 compiler supports SHA-1 (the default), SHA-2 and "dual"
SHA-1/SHA-2 code-signing. You need the SHA-2 compatible SignTool.exe from
Microsoft and set the new CODESIGN_SHA #pragma in your script. That's all
you have to do :-)

1. Download SignTool.exe Version "6.2.9200.16384" or later.

2. Point to the new SignTool.exe in the SetupBuilder IDE:

IDE -> Tools | Options... | File Locations tab

3. In the script, set the CODESIGN_SHA #pragma.

#pragma CODESIGN_SHA = "2" --> Use SHA-2
#pragma CODESIGN_SHA = "12" --> Use "dual/hybrid" SHA-1/SHA-2

Does this help?

Friedrich

NewsArchive
04-01-2015, 08:10 AM
BTW, the SetupBuilder dual (hybrid) SHA-1/SHA-2 code-signing feature
code-signs your setups/apps with SHA-1 and SHA-2. So you have two
signatures to cover all kind of Windows OS ;-)

Friedrich

NewsArchive
04-01-2015, 08:10 AM
Is that the recommended method currently?

--

Russ Eggen
RADFusion International, LLC

NewsArchive
04-01-2015, 08:11 AM
More detailed information:

http://www.lindersoft.com/forums/showthread.php?44897&p=80920

Friedrich

NewsArchive
04-01-2015, 08:11 AM
Thanks Friedrich,

SB just ROCKS!! :-)

Final question:
I also use a batch file with for example this line:

signtool sign /f MyCertificateFile.pfx /p MyPassword /t http://timestamp.comodoca.com/authenticode /d "File Description" MyApp.exe

Do I have to change something in order to use SHA-1/SHA-2?

Best regards,
Jeffrey
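
For the batch-file question above, here is an added example (not from the thread and not SetupBuilder's own code) of the two signtool.exe invocations that produce a dual SHA-1/SHA-256 signature, written as a PowerShell script. It assumes a signtool.exe new enough to know /fd, /as, /tr and /td (the 6.3.9600.16384 build mentioned later in the thread); MyCertificateFile.pfx, MyApp.exe and "File Description" are the placeholders from the post, and the RFC 3161 timestamp URL is an assumption that should be checked against the CA's current endpoints.

```powershell
# Added example: dual (SHA-1 primary + SHA-256 appended) Authenticode signing.
# Assumptions: signtool.exe 6.3.9600.16384 or later is on PATH; the .pfx,
# file name and description are placeholders; the RFC 3161 URL is assumed.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [string]$Pfx = 'MyCertificateFile.pfx',
    [string]$Description = 'File Description'
)

# Prompt for the password rather than hard-coding it in a batch file. It still
# ends up on the signtool command line, so it is visible in process listings
# while signtool runs; signing on a shared build box needs a better key store.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Primary signature: SHA-1 file digest with the legacy Authenticode
#    timestamp. XP and Vista only ever evaluate the primary signature, so the
#    SHA-1 one must be written first.
& signtool sign /f $Pfx /p $plain /fd sha1 `
    /t 'http://timestamp.comodoca.com/authenticode' `
    /d $Description $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit $LASTEXITCODE)" }

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 SHA-256
#    timestamp. Windows 7 and later with the SHA-2 updates evaluate this one.
& signtool sign /f $Pfx /p $plain /fd sha256 /as `
    /tr 'http://timestamp.comodoca.com/rfc3161' /td sha256 `
    /d $Description $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit $LASTEXITCODE)" }

# 3. Verify both signatures. Without /all only the primary signature is
#    checked, which is also all Get-AuthenticodeSignature ever reports.
& signtool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Verification failed (exit $LASTEXITCODE)" }
```

Run it as `.\dualsign.ps1 -File MyApp.exe`. The order matters: the SHA-1 signature is the primary one and the SHA-256 signature is nested into it with /as; reversing them leaves XP looking at a digest it cannot verify. The 2008-era signtool.exe/capicom.dll combination that works on XP does not understand /fd or /as and will reject these switches, so from that box only the single SHA-1 signature is possible.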

NewsArchive
04-01-2015, 08:11 AM
>
> SB just ROCKS!! :-)
>

Thank you :-)

> Final question:
> I also use a batch file with for example this line:
>
> signtool sign /f MyCertificateFile.pfx /p MyPassword /t
> http://timestamp.comodoca.com/authenticode /d "File Description" MyApp.exe
>
> Do I have to change something in order to use SHA-1/SHA-2?

Why don't you use the "#code-sign application..." compiler directive and let
SetupBuilder do the dirty work for you? ;-)

Friedrich

NewsArchive
04-01-2015, 08:12 AM
MS does not make this easy. When I search for signtool, I get a lot of
links with all sorts of versions, names and for versions of .NET and no
version numbers visible in the links I visited. Do you have a link?

> 1. Download SignTool.exe Version "6.2.9200.16384" or later.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
04-01-2015, 12:38 PM
Russ,

>
> Is that the recommended method currently?
>

The problem is that lots of users are still running "unsupported" Windows
versions. Microsoft is doing dual SHA-1/SHA-2 code-signing for tools that
can be used on "outdated" Windows versions. It's not really documented.
They are doing SHA-2 for new tools (which are not compatible with older
Windows versions).

Friedrich

NewsArchive
04-01-2015, 12:38 PM
Your prose in your doc and messages is quite clear and precise. It
reads far better than the American tech writers working at
Microsoft! :-)

--

Russ Eggen
RADFusion International, LLC

NewsArchive
04-01-2015, 12:39 PM
> Your prose in your doc and messages is quite clear and precise. It reads
> far better than the American tech writers working at Microsoft! :-)

<g> Thank you :-)

Friedrich

NewsArchive
04-01-2015, 12:40 PM
Hi Friedrich,

> Why don't you use the "#code-sign application..."
> compiler directive and let
> SetupBuilder do the dirty work for you? ;-)

I know this directive, but sometimes I have to run my own batch file to
"quick and dirty" sign some exe/dll files.

So do I have to change something in order to use SHA-1/SHA-2?

Thanks!

Best regards,
Jeffrey

NewsArchive
04-01-2015, 12:41 PM
> MS does not make this easy. When I search for signtool, I get a lot of
> links with all sorts of versions, names and for versions of .NET and no
> version numbers visible in the links I visited. Do you have a link?

As far as I know, signtool.exe (6.3.9600.16384) is part of the Windows SDK
8.1. You need 6.3.9600.16384 (or later) to fix a RFC-3161 code-signing
issue on Windows 7.

See private email.

Friedrich

NewsArchive
04-01-2015, 12:41 PM
Thanks - got it.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
04-02-2015, 02:22 AM
> I know this directive, but sometimes I have to run my own batch file to
> "quick and dirty" sign some exe/dll files.

Why not just create a simple utility script in SetupBuilder that takes a
command line parameter for the filename?

Then you just call it from your batch file (with the full path and
filename), retrieve that in SetupBuilder and let it do the code signing for you?

You could even use the #copy directive then to put the signed version where
you want it to be.

Little SetupBuilder utility tools like this are a lot easier than trying to
get batch files to work IMHO.


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
04-02-2015, 02:23 AM
Charles Edmonds,

> Little SetupBuilder utility tools like this are a lot easier than trying to
> get batch files to work IMHO.

And powerful too!

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"

NewsArchive
04-02-2015, 02:23 AM
Good idea Charles!
Thanks for the tip.

Best regards
Jeffrey

NewsArchive
04-02-2015, 02:23 AM
I am also interested in this link.

Best regards,
Jeffrey

NewsArchive
04-03-2015, 02:22 AM
Hi Friedrich,

In the past I ordered the certificate from my VM with Windows XP/IE8.
Is this still safe?

I can also use my Windows 7 machine with IE9 (32 or 64 bit?).

Best regards,
Jeffrey

NewsArchive
04-03-2015, 02:23 AM
Hi Jeffrey,

> In the past I ordered the certificate from my VM with Windows XP/IE8.
> Is this still safe?
>
> I can also use my Windows 7 machine with IE9 (32 or 64 bit?).

I would suggest to use Windows 7 (or later) with Internet Explorer. The
certificate will make it directly into your IE certificate store. After
that, you can export it to a .PFX and use it in SetupBuilder.

Here is an interesting link:

http://www.lindersoft.com/forums/showthread.php?23099

http://www.lindersoft.com/Comodo2014.pdf

Does this help?

Friedrich
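
The export step described above can also be done without the IE/certificate-manager wizard. This is an added example, not from the thread or from SetupBuilder, written in PowerShell for Windows 7 or later. It reads the current user's personal store (the store IE puts the enrolled certificate into), picks the newest code-signing certificate that has a private key, and writes a password-protected .PFX. The issuer pattern '*COMODO*' is an assumption; use your own subject or thumbprint if it does not match.

```powershell
# Added example: export the enrolled code-signing certificate from
# Cert:\CurrentUser\My (the store IE enrols into) to a .PFX for SetupBuilder.
# Assumption: the issuer name contains "COMODO"; adjust -IssuerPattern if not.
function Export-CodeSigningPfx {
    param(
        [Parameter(Mandatory = $true)][string]$OutFile,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [string]$IssuerPattern = '*COMODO*'
    )
    $codeSigningEku = '1.3.6.1.5.5.7.3.3'
    $candidates = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $ekuExt = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $_.HasPrivateKey -and
            $_.Issuer -like $IssuerPattern -and
            $ekuExt -and
            ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningEku })
        } |
        Sort-Object NotAfter -Descending
    if (-not $candidates) {
        throw "No code-signing certificate with a private key matches issuer $IssuerPattern"
    }
    $cert = @($candidates)[0]   # newest by expiry, i.e. the freshly renewed one
    Write-Host ('Exporting {0} (thumbprint {1}, expires {2})' -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    # Throws "Key not valid for use in specified state" if the private key was
    # created as non-exportable during enrolment; re-enrol with an exportable key.
    $bytes = $cert.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    return $cert.Thumbprint
}

# Usage:
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Export-CodeSigningPfx -OutFile .\MyCertificateFile.pfx -Password $pw
```

The resulting .PFX contains the private key, so it should live outside the source tree and build artefacts; anyone who obtains it plus the password can sign software in your name until the certificate is revoked.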

NewsArchive
04-03-2015, 02:23 AM
Hi Friedrich,

> Does this help?

Yes, thanks a lot!

Best regards,
Jeffrey

NewsArchive
04-03-2015, 02:23 AM
Hi Jeffrey,

>
> Yes, thanks a lot!
>

You are very welcome :-)

Friedrich

NewsArchive
04-08-2015, 02:36 AM
Hi Friedrich,

I still use SB 8.5 in my VM with Windows XP SP3.
Will the new signtool.exe (32-bits version) also work under Windows XP SP3
and can I use the dual (hybrid) SHA-1/SHA-2 code-signing feature?

Best regards
Jeffrey

NewsArchive
04-08-2015, 02:36 AM
Hi Jeffrey,

> I still use SB 8.5 in my VM with Windows XP SP3.
> Will the new signtool.exe (32-bits version) also work under
> Windows XP SP3 and can I use the dual (hybrid) SHA-1/SHA-2
> code-signing feature?

No, the new signtool.exe does not work on XP. Signtool.exe version
6.3.9600.16384 needs Windows 7 and later. The older signtool.exe version
6.2.9200.16384 (not recommended!) needs Windows 8 and later.

Friedrich

NewsArchive
04-08-2015, 05:04 AM
Hi Friedrich,

Ok, I see.

But can I still (for the time being) use SHA-1 with my new Comodo
certificate I got yesterday from Comodo, with SB 8.5 under Windows XP?
(Of course with the signtool.exe/capicom.dll from 2008.)

BTW: Did you receive my private mail about version 6.2.9200.16384 ?

Best regards,
Jeffrey

NewsArchive
04-08-2015, 05:05 AM
Hi Jeffrey,

> Ok, I see.
>
> But can I still (for the time being) use SHA-1 with my new Comodo
> certificate I got yesterday from Comodo, with SB 8.5 under Windows XP? (Of
> course with the signtool.exe/capicom.dll from 2008.)

Yes, you can still use the old pre-6.2.9200.16384 signtool.exe under Windows
XP with your new certificate!

>
> BTW: Did you receive my private mail about version 6.2.9200.16384 ?
>

Yes, sorry. Should read "6.2.9200.16384" and not "6.3.9600.16384" in my
email.

Friedrich

NewsArchive
04-08-2015, 05:05 AM
Great, thanks!

Best regards,
Jeffrey