All,

Requested a new three year Comodo code-signing certificate because our "old"
one (still valid until September 2016) did not support SHA-2. A new
certificate always means you have to build a new "reputation" for it. I
don't want to lose reputation again after one year so I decided to order a
fresh 3-year one.

Here is what I did:

1. Made sure that the WHOIS database for lindersoft.com was up-to-date and
turned OFF domain registrar's privacy service.
2. Ordered the certificate on August 24, 2015 at 4:53 PM from a Windows 7
SP1 (x64) machine using Internet Explorer.
3. Sent required documents immediately to Comodo.
4. Received callback status email from the COMODO Validation Team at 11:24
PM.

Not too bad. That was quick -- only 6 hours. I am good until August 2018
now (1096 days). Yeah!

To start the telephone callback process, I did this:

1. Opened a LiveChat on Comodo's support website. Chat partner "Martin"
started the telephone callback procedure.
2. Received another "Callback" email. In order to review our phone number
and initiate the callback I had to click a link. Then press a button to
get a phone call (DON'T close the window!!).
3. Received the phone call (computer voice) and the "lady" gave me a PIN.
4. I had to enter that PIN in the previous window.
5. 30 seconds later I received a "Your Code Signing Certificate is ready!"
email and collected my new certificate.
6. Exported the certificate to .pfx format.
7. Turned ON domain registrar's privacy service.

All system files for SetupBuilder 10 will be dual SHA-1/SHA-2 code-signed to
be ready for January 1, 2016.

Note: Microsoft will cease trusting Code Signing Certificates using SHA-1 on
January 1, 2016. Organizations need to develop a migration plan for any
SHA-1 code signing certificates that expire after January 1, 2016.

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

LiveChat window, "Your Code Signing Certificate is ready!" email and
certificate collection.

Friedrich

What happened with posibility to get new version with SHA-2 for existing certificates?

Darko

Darko,

> What happened with posibility to get new version with SHA-2
> for existing certificates?

You will be able to get a free replacement SHA-2 certificate from Comodo if
your current one support SHA-1 only (e.g. code-signing certificates issued
after 22nd September 2014 which expires after 2015).

Friedrich

By the way, you can still use the new SHA-2 based certificates to code-sign
with SHA-1. Absolutely no problem. But Microsoft will cease trusting Code
Signing Certificates using SHA-1 on January 1, 2016.

You can use SetupBuilder 10 to code-sign your files and installations with
SHA-1, SHA-2 or dual SHA-1/SHA-2.

Friedrich

Thanks Friedrich for detailed explanation, but your math still worries me, as
my 3 year comodo expires at 25.02.2017,
and you said "free replacement for code-signing certificates issued after 22nd
September 2014". Mine is issued at 25.02.2014 so it's before 22.09.2014,
Or I misunderstood what you said?.

Many thanks
Darko

Hi Darko,

Sorry, should read "...issued BEFORE 22nd September 2014 which expires after
2015...".

On September 22, 2014 Comodo started the new "SHA-2 only" program.

Friedrich

Ah, now make sense
Thanks Friedrich

Darko

Friedrich,

Did they ask you for a phone number in the chat, or go by some number they
looked up somewhere?

Jane

Hi Jane,

> Did they ask you for a phone number in the chat, or go by some number they
> looked up somewhere?

They have used the number from the WHOIS record (and they perform callback
only to the number listing in online directories).

For example:

http://www.numberway.com/,
http://world.192.com/

First, I sent an email to their support. But after two hours of waiting for
a callback, I decided to open a LiveChat session. Two minutes later I had
my certificate ready-to-sign <g>

From the transcript of the chat:

---

Martin: Just a moment please , let me check the order status

Martin: shall we make a call now ?

Hi, this is Friedrich Linder: Yes, please :-)

Martin: Sure :)

Martin: Done

---

Friedrich

Thanks, Friedrich,

WHOIS is good.

The last time for me, I think they got my number from Dun & Bradstreet. I
didn't even know that D&B had a listing for me. Since then, I've canceled
the phone number they used last time. And I don't want to have to open a
D&B account in order to update that incorrect phone number in order to renew
my certificate next time.

Fortunately, "next time" isn't for 18 months.

But time goes faster as I get older !!!!

Jane

Hi Friedrich,

> Not too bad. That was quick -- only 6 hours. I am good until August 2018
> now (1096 days). Yeah!

I'm hoping for a quick turn around also when I order after the weekend.
I'd somehow got my reminder in in September and was rather displeased
to discover yesterday that the certificate expired last Friday!<g> Have
Jane's docs ready at hand:)

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

Hi Jane,

> canceled the phone number they used last time. And I don't want to
> have to open a D&B account in order to update that incorrect phone
> number in order to renew my certificate next time.

I can't even see the phone number listed for me without signing up with
D&B. And they have the address wrong (changed in 2010;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Arnor,

> I can't even see the phone number listed for me without signing up with
> D&B. And they have the address wrong (changed in 2010;)

They tend not to update information unless you pay them. I dissolved
the corporation in 2006 but they still have DeveloperPLUS listed as a
corporation. Duh!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

Maybe they'll send you an anniversary card next year<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> Maybe they'll send you an anniversary card next year<g>

I should probably expect it!<g> AMEX gets mailing lists from D&B and
they are constantly sending offers to the corporation that isn't!<g>

Can't sit in front of this thing long. Just got back from having my
eyes dilated and dyed for several tests - can't focus at all which is
why I went - they made it worse and charged me $260. Shoulda stayed
home!!!!

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

If you have to get something dilated, the eyes are a good first
choice.<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> If you have to get something dilated, the eyes are a good first
> choice.<g>

True but I would have preferred the method I used in my 20's!<g>

Lee White

alrighty, then.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> alrighty, then.

But I never inhaled, honest... wait, I'm not a politician, am I?!<g>

Lee White

Wasn't that supposed to be good for glaucoma anyway???

Jane Fleming

Jane,

> Wasn't that supposed to be good for glaucoma anyway???

It's good for a lot of things, or so Sanjay says.<g>

I don't have glaucoma but I do have the early stages of cataracts...
that's close enough, right?!<g> (no worries - purely age related)

Lee White

Lee,

Cataracts are a lot less of an issue than back when you were a pup. I've
watched a lot of IOL surgeries. Patients are amazed at how well they can
see the very next day.

OTOH... if you prefer herbal therapy ;-)

jf

So after my earlier post, I delayed doing productive work for a half hour
this morning whilst spelunking through crannies of the D&B website.
Wish I could point to the specific link... but I was heartened by one of
their dropdowns promising the ability to edit information without paying
them.
So I did create a free account, and that let me zap the invalid phone
number. Unfortunately, it wouldn't let me just leave the phone blank.

Of course... it might be fun to set the phone number on D&B to Comodo's
number <G>

Cheers, all,

Jane

Jane,

> OTOH... if you prefer herbal therapy ;-)

Getting back to nature!<g>

Lee White

> But Microsoft will cease trusting Code
> Signing Certificates using SHA-1 on January 1, 2016.

Does that mean that all previously distributed EXE etc become invalid??????

Don't make me nervous, man!



Regards,
Wolfgang Orth
www.odata.de

Hi Wolfgang,

> Does that mean that all previously distributed EXE etc become
> invalid??????
>
> Don't make me nervous, man!

Windows will stop accepting SHA-1 code-signed files that are time stamped
AFTER 1 January 2016. SHA-1 code-signed files time stamped by an RFC 3161
Time Stamp Authority BEFORE 1 January 2016 will be accepted until such time
when Microsoft decides SHA-1 is vulnerable to pre-image attack.

Friedrich

> Don't make me nervous, man!

By the way, I think my answer was not quite clear. Yes, all previously
code-signed EXE/DLL/etc. files become invalid if they were code signed using
the "standard" Microsoft Authenticode compatible time stamp. To support
older Windows operating systems and new UAC-aware Windows after 1 January
2016, you have to dual SHA-1/SHA-2 code-sign using Microsoft Authenticode
compatible time stamp and RFC 3161 compliant trusted time stamp servers
(SHA-2 compatible code-signing certificate is required).

Of course, the upcoming SetupBuilder 10 can handle this for you (dual
SHA-1/SHA-2 code-sign your application files and the setup.exe).

Friedrich

Friedrich,

> Yes, all previously
> code-signed EXE/DLL/etc. files become invalid if they were code signed using
> the "standard" Microsoft Authenticode compatible time stamp.

So everything that's already been signed is suddenly invalid and has
to be redone??? Seriously?!

So old signed installs and install contents have to be re-signed and
uploaded... that's a lot of stuff to contend with, a LOT of stuff!

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

Lee,

> So everything that's already been signed is suddenly invalid and has
> to be redone??? Seriously?!

Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
Stamp Authority before 1 January 2016 <bg>

> So old signed installs and install contents have to be re-signed and
> uploaded... that's a lot of stuff to contend with, a LOT of stuff!

Ohhh yes. I am busy re-compiling all my original application files, all the
core redistributables, etc. Tons of stuff, terabytes of data.

Friedrich

BTW, I am working on our migration plan for the old SHA-1 code signing
certificate for more than three months now (including research and
development). More work than the Year 2000 "problem" <g>. And this will
DEFINITELY result in a support nightmare for quite a few developers on
January 2, 2016.

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

Friedrich,

> Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
> Stamp Authority before 1 January 2016 <bg>

Not sure exactly what that means but all my existing 3rd party product
installers will remain as is... don't have the time or inclination to
redo them all and they're already signed and time stamped.

If that's a problem then Clarion Developers will just have to trust
the old installs... c'est la vie.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

la vie!

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

> If that's a problem then Clarion Developers will just have to trust
> the old installs... c'est la vie.

Unless Windows decides to not allow them to install at all...

Time will tell I guess<g>.


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

Charles,

> Unless Windows decides to not allow them to install at all...

Considering Windows still allows unsigned installs to run I doubt
seriously they would utterly prevent it. I'm fairly certain there
would be a rather loud voice heard in Redmond if they did.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

I hope that your voice of sanity will prevail.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> I hope that your voice of sanity will prevail.

After I retire, if that ever happens, I won't care!<g>

Reached early retirement age, and reverse mortgage age, earlier this
month but neither are going to happen just yet.

Lee White

> Considering Windows still allows unsigned installs to run I doubt
> seriously they would utterly prevent it. I'm fairly certain there
> would be a rather loud voice heard in Redmond if they did.

Allowing the installer to run and allowing it to place files are two
different things<g>.

Of course now that SV no longer defaults to installing Clarion under
Program Files, for the moment it is less of an issue.

But I have seen installers that were code signed (but not manifested for
the target OS for example) that ended up with an "empty" install under the
Program Files folder. Nothing in there but the install.log and the
SetupBuilder generated uninstall.exe.

So I'd guess that anything is possible where MS is concerned<g>.

Then again, even if they heard you all the way out in Redmond, do you think
they'll pay any attention to you<g>?


:-)

Charles



--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

Charles,

> Then again, even if they heard you all the way out in Redmond, do you think
> they'll pay any attention to you<g>?

Support email redirect!!!

Lee White

Lee,

>> Yes, that's the plan if the files are not time stamped by an RFC 3161
>> Time
>> Stamp Authority before 1 January 2016 <bg>
>
> Not sure exactly what that means but all my existing 3rd party product
> installers will remain as is... don't have the time or inclination to
> redo them all and they're already signed and time stamped.
>
> If that's a problem then Clarion Developers will just have to trust
> the old installs... c'est la vie.

By default, timestamping is done using Microsoft Authenticode compatible
time stamp and not the RFC 3161 compliant trusted time stamp servers. You
need a specific SignTool version and at least Windows 7 SP1 to support RFC
3161. In SetupBuilder 8.5, you can use the following #pragma to support RFC
3161:

#pragma CODESIGN_TSTYPE = "1"

If you are not using RFC 3161 then all your files are Microsoft Authenticode
compatible time stamped and are suddenly invalid on January 02, 2016.

I have to redo all files because quite a few companies have the "User
Account Control: Only elevate executables that are signed and validated"
security policy enabled. This blocks elevation if the code-signature is
invalid.

Friedrich

To be accurate, I don't think it's absolutely true that files themselves are
"suddenly invalid" on that date.

Rather, the timestamp is not valid.

The purpose of the timestamp is to keep your file valid after its
certificate has expired. (i.e., to prove that the certificate was valid at
the time of signing.)
https://msdn.microsoft.com/en-us/library/windows/desktop/bb931395%28v=vs.85%29.aspx

So if your certificate expires on, say, October 12, 2016, that's when the
file signed with that certificate would become invalid.

At least... that's how I remember it. Don't know whether that aspect has
changed with SHA-2??

jf

Hi Jane,

> To be accurate, I don't think it's absolutely true that files themselves
> are "suddenly invalid" on that date.
>
> Rather, the timestamp is not valid.

Yes, that's what I meant. Sorry for the confusion!!! Of course, the files
themselves are not "suddenly invalid" on that date. The code-signature
becomes invalid on January 02, 2016. So customers will get a warning after
the download, or when they try to start a downloaded file, setup elevation
might not work (e.g. if the "User Account Control: Only elevate executables
that are signed and validated" security policy is enabled), anti-virus and
anti-spyware might block the files, etc.

Friedrich

Friedrich,

>If you are not using RFC 3161 then all your files are Microsoft Authenticode
>compatible time stamped and are suddenly invalid on January 02, 2016.

you seriously HAVE TO do a feature presentation on ClarionLive!

And it has to happen early enough, before this nightmare breaks out!

My beg you to contact John Hickey ASAP, so that you get a timeslot soon after the CIDC.

Please don't get me wrong, I do not want to dictate your work and your
schedule, but this topic looks damned serious to some folks, so your kharma
would benefit a lot if you help out with a webinar.....


Regards,
Wolfgang Orth
www.odata.de

Wolfgang,

I'll see what I can do. I agree 100%. This really is a serious issue.

Friedrich

Friedrich,

> I'll see what I can do. I agree 100%. This really is a serious issue.

If not, at least let Jane do it... she's infamous, notorious AND likes
the limelight!<g>

Lee White

Hi Lee,

> Not sure exactly what that means but all my existing 3rd party product
> installers will remain as is... don't have the time or inclination to
> redo them all and they're already signed and time stamped.

Ditto. I have 195 installer exes going back 7 or 8 years, and there is
not a chance in h*** I'm going to redo them;)

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

> By the way, I think my answer was not quite clear. Yes, all previously
> code-signed EXE/DLL/etc. files become invalid if they were code signed using
> the "standard" Microsoft Authenticode compatible time stamp. To support
> older Windows operating systems and new UAC-aware Windows after 1 January


So to be clear about this.

Software installed by install disks / files that people were issued years ago,
by companies that may no longer exist, will not be able to be re-installed?


??!!



John Newman
Software Partners Australia
C10

Hi John,

> So to be clear about this.
>
> Software installed by install disks / files that people were issued years
> ago, by companies that may no longer exist, will not be able to be
> re-installed?

The code-signature becomes invalid on January 02, 2016. What will happen is
that customers will get a warning after the download, or when they try to
start an application. Setup elevation might not work (e.g. if the "User
Account Control: Only elevate executables that are signed and validated"
security policy is enabled) -- to work around this, the UAC policy can be
temporarily disabled. Anti-virus and anti-spyware are a bigger problem here
because they do not like invalid code-signatures at all (it's better to have
no signature instead of an invalid one).

The deprecation of SHA-1 will cause a LOT of headache and a support
nightmare for companies without a migration plan for any SHA-1 code signing
certificates that expire after January 1, 2016 or files that are not RFC
3161 compliant trusted time stamped.

BTW, and a lot of software products only work if the code-signature is valid
(they internally check the signature status). If the code-signature becomes
invalid on January 02, 2016, the product will stop working.

Friedrich

>> So to be clear about this.
>>
>> Software installed by install disks / files that people were issued years
>> ago, by companies that may no longer exist, will not be able to be
>> re-installed?
>
>The code-signature becomes invalid on January 02, 2016. What will happen is
>that customers will get a warning after the download,


> or when they try to start an application.

This is true for ALL our userbase, for ALL our programs that are code-signed,
for ALL version of Windows since Vista?

In other words, on 02. Jan. 2016 a global nightmare will start at all support desks.

Great!

I think I will prolong my Christmas vacation.....




Regards,
Wolfgang Orth
www.odata.de

I don't know if I am reading this wrong but thia artilcle:

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Under the Code Signing Certificates section, I think it is saying that if
the code is signed with SHA-1 and has a timestamp before January 1, 2016 it
will be OK until January 14, 2020.

Michael Melby

Michael,

>I don't know if I am reading this wrong but thia artilcle:
>
> http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
>
> Under the Code Signing Certificates section, I think it is saying that
> if the code is signed with SHA-1 and has a timestamp before January 1,
> 2016 it will be OK until January 14, 2020.

Yes, if you have timestamped the files with a RFC 3161 compliant trusted
time stamp servers. But you need a very specific Authenticode signing tool
and Windows 7 SP1+ (better Windows 8 or later) to support RFC 3161. IMO,
99% of all developers have used the "standard" Microsoft Authenticode
compatible time stamp :-) As a result, the signature becomes invalid on
January 02, 2016.

Friedrich

> The code-signature becomes invalid on January 02, 2016. What will happen
is...


Thank you for that explaination, Friedrich.


John Newman
Software Partners Australia
C10

> If not, at least let Jane do it... she's infamous, notorious AND likes
> the limelight!<g>

Not a single comment... DAMN... I'M IN TROUBLE!!!!

Lee White

Maybe because you're infamous, notorious, AND like the limelight!?<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> Maybe because you're infamous, notorious, AND like the limelight!?<g>

Who, ME?!<g>

Lee White

Hi Friedrich,

> All system files for SetupBuilder 10 will be dual SHA-1/SHA-2 code-signed
> to be ready for January 1, 2016.

This stuff confuses the hell out of me! Having a look at getting sha-2
code-signing working for a client and leaving it for the morning :-)

BUT. Out of interest and hoping for some clues, went to look at "Properties"
/ "Digital Signatures" of sb8.exe (dated 15/4/2015 - can that really be
latest, think so?) and the "Digest algorithm" is md5.

Suppose I was expecting to see sha1. There is talk of "dual signing", so
maybe I also expected a second sha2 entry in the Signature list...

But there it is: a solitary md5

So why is that???

Thanks,
Simon

Simon,

> But there it is: a solitary md5

That's the "Digest algorithm" from his prior certificate. He has a
newer one now which won't be md5!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

Hi Simon,

Exactly what Lee said. Our "old" code-signing certificate did not support
SHA-2. The new one does and in the upcoming SetupBuilder 10 all new files
will be dual SHA-1/SHA-2 code-signed.

Friedrich

How to export the certificate:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1004/0/export-certificates-windows