All,

I need your help.

As you probably know, files signed with new code signing certificates need
to build reputation, you'll have to earn trust. Reputation is generated and
assigned to digital certificates as well as specific files. But digital
certificates allow data to be aggregated and assigned to a single
certificate rather than many individual programs.

We are using a new SHA-2 compliant code-signing certificate to code-sign all
new SetupBuilder 10 files. To make sure that SetupBuilder redistributables
(e.g. wupdate.exe, wucheck.exe, etc.) and system service files are trusted,
we have to build a reputation for our new certificate.

Please download and run the following small tool on as many machines as
possible. See attached screenshots.

http://www.lindersoft.com/projects/sb10_reputation.exe

Thank you for your help!

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

Done!

Peter Hermansen

Thank you !!!

Friedrich

"Not Found"

Darko

http://www.lindersoft.com/projects/sb10_reputation.exe

HTTP 404 error

That’s odd... Microsoft Edge can’t find this page

Simon Kemp

By the way, just to show what happens when you compile the SAME project but
this time code-sign with the OLD certificate (already trusted by millions of
downloads and redistributable runs worldwide).

Microsoft Windows immediately displays the 'RUN' option.

Friedrich

Darko,

> "Not Found"

Could you please try it again? Too many simultaneous downloads....

Thanks,
Friedrich

> HTTP 404 error
>
> That’s odd... Microsoft Edge can’t find this page

Could you please try it again? Oops. Too many simultaneous downloads....

Thanks,
Friedrich

Done at my work laptop and at home.

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

>
> Done at my work laptop and at home.
>

Perfect, thank you!!!

Friedrich

Sure and done!

Darko

>
> Sure and done!
>

Thank you, Darko !!!

Friedrich

On older Microsoft Internet Explorer versions, you see this (see attached
screenshots).

It is VERY IMPORTANT to build a reputation for new code-signing certificates
with Internet Explorer and/or Microsoft Edge.

Friedrich

done

--
Guennadi

>
> done
>

Thank you, Guennadi!

Friedrich

done

--
--
Leonid Chudakov
Cool Tools and Clarion Examples at
http://www.klarisoft.com

Done.

But what happens when I start to use SHA-2 to sign my programs via
Setupbuilder ? Will it be almost impossible for my customers to find the Run
button untill I have a good Reputation, or will i benefit from the
reputation you are earning ?

Best regards
Viggo Poulsen
Vipilon

Hi Viggo,

> Done.

Thank you!

> But what happens when I start to use SHA-2 to sign my programs via
> Setupbuilder ? Will it be almost impossible for my customers to find the
> Run button untill I have a good Reputation, or will i benefit from the
> reputation you are earning ?

If you already have earned a reputation for your current certificate and you
switch from SHA-1 to SHA-2 or dual SHA-1/SHA-2 signing then you are still
using the same certificate. But if you have a SHA-1 certificate that
expires after January 1, 2016 and you ask Comodo to replace it with a new
SHA-2 certificate (the same expiration date) then you'll have again zero
reputation. In this case it's better to order a fresh 3-year certificate
for $200 to be on the safe side for the next three years <g>.

Friedrich

>
> done
>

Thank you, Leonid !!!

Friedrich

You must have a good reputation....

I tried on my win 7 host, a win 8 VM, and two Win10 VMs.... No warnings.
How come I always miss out on the fun ???

jf

Hi Jane,

> You must have a good reputation....
>
> I tried on my win 7 host, a win 8 VM, and two Win10 VMs.... No warnings.
> How come I always miss out on the fun ???

WOW! COOL!!! :-)

I think you came too late to the party <g> Seems the reputation level
changed a few minutes ago. When I download/run now there is no warning.

Friedrich

Story of my life. Always too late with too little. Sigh <g>

jf

>
> Story of my life. Always too late with too little. Sigh <g>
>

<ROFL> ;-)

Friedrich

Done!

--

Russ Eggen
RADFusion International, LLC

>
> Done!
>

Thank you, Russ.

Friedrich

Done.
5 machines.

Johan de Klerk

> Done.
> 5 machines.

Thank you, Johan !!!

Friedrich

Friedrich,

> I need your help.

How do I know I can trust you... I mean, really, HOW?!<g>

You SAY you're Friedrich Linder and you SAY you wrote this program but
we've never actually met so what do I base my trust on?


Seems I overslept today... dang it!

Glad you got things handled now where is MY copy of SB10?!?!?!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

Friedrich,

Getting the following message when try to access using given link:

"The requested URL /projects/sb10_reputation.exe was not found on this
server."

Barton

Barton Whisler
Prosoft Inc.
Tampa, Florida

Lee,

>> I need your help.
>
> How do I know I can trust you... I mean, really, HOW?!<g>
>
> You SAY you're Friedrich Linder and you SAY you wrote this program but
> we've never actually met so what do I base my trust on?

Hey, Comodo checked my background and found it satisfactory. You trust
Comodo, Comodo trusts me. So you can trust me, too. A equals B equals C.
A therefore equals C <g>

> Seems I overslept today... dang it!
>
> Glad you got things handled now where is MY copy of SB10?!?!?!<g>

"Coming soon (TM)" <bg> ;-)

Friedrich

Done!

Stamos

>
> Done!
>

Thank you, Stamos!

Friedrich

> then you'll have again zero
> reputation. In this case it's better to order a fresh 3-year certificate
> for $200 to be on the safe side for the next three years <g>.

So, either way your reputation is trashed?

I just updated less than a year ago... so each time I get new
certificates I start over? I've got 2 years left I think... but it's
sha-1 according to the resulting exe.

--
Ray Rippey
VMT Software

Hi Friedrich,

> expires after January 1, 2016 and you ask Comodo to replace it with a new
> SHA-2 certificate (the same expiration date) then you'll have again zero
> reputation. In this case it's better to order a fresh 3-year certificate
> for $200 to be on the safe side for the next three years <g>.

What if you have a SHA-2 or dual certificate and get a new one in 2016
or 2017 or 2018 - there is no renewal in this context. It seems to me
that this is getting rather ridiculous if you need to have people
download binaries with your certificate to build "reputation" Next step
is probably to plug the downloading IP in there so the same IP
downloading or running more than once will be ignored;)

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

Ray,

> So, either way your reputation is trashed?
>
> I just updated less than a year ago... so each time I get new certificates
> I start over? I've got 2 years left I think... but it's sha-1 according to
> the resulting exe.

Yes, new standard Authenticode Code Signing Certificates have zero
reputation. Authenticode Certificates issued by a CA that is a member of
the Windows Root Certificate Program (e.g. Comodo) can establish reputation.
As the software or its publisher gains a better reputation, the likelihood
of a warning diminishes. Reputation based on signed software is based on
the associated code signing certificate and the reputation of the CA that
issued the code signing certificate.

If you have still two years left then I think you already have a SHA-2
compliant certificate. On and after September 8, 2014 Comodo issued SHA-2
certificates by default. Did you use the SHA-2 or "dual" SHA-1/SHA-2 method
to code-sign your file(s)? The standard code-signing process will always
use SHA-1.

Friedrich

Hi Arnor,

> What if you have a SHA-2 or dual certificate and get a new one in 2016 or
> 2017 or 2018 - there is no renewal in this context. It seems to me that
> this is getting rather ridiculous if you need to have people download
> binaries with your certificate to build "reputation" Next step is
> probably to plug the downloading IP in there so the same IP downloading or
> running more than once will be ignored;)

In fact, nothing changed in the last 17 years :-) New standard Authenticode
Code Signing Certificates always have ZERO reputation.

But in March 2009, Microsoft introduced an Application Reputation engine.
It evaluates whether the software has been previously encountered by
checking a large database of code that has been encountered and collected
from telemetry capabilities on Windows machines. In short, it looks at
whether a software vendor has been blacklisted or whitelisted.

So this "reputation reset" thing is not a new problem <g>.

Friedrich

Downloaded just now via Chrome then Chrome said "You gonna die!" but I
kept/ran it anyway.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> Downloaded just now via Chrome then Chrome said "You gonna die!" but I
> kept/ran it anyway.

Thank you!!! We need more downloads via Chrome to earn trust for the new
certificate from Chrome users.

Friedrich

I ran it under FireFox and Edge.

--

Russ Eggen
RADFusion International, LLC

>
> I ran it under FireFox and Edge.
>

Thank you, Russ!

Friedrich

Made it on one of my my Win 8 machines with FF, will do with Chrome onVista
tonight, to give you an extra lift. ;-)

We actually did not fool the system, didn't we. And it was so easy....

Wolfgang

Regards,
Wolfgang Orth
www.odata.de

> Made it on one of my my Win 8 machines with FF, will do with Chrome
> onVista tonight, to give you an extra lift. ;-)
>
> We actually did not fool the system, didn't we. And it was so easy....

Thank you, Wolfgang !!! :-)

This is an incredibly stupid moronic idiotic system and we just pimp our
"new" reputation a little bit <g> It simply does not make any sense to
reset the reputation level when a "renewed" certificate is issued (same
developer, same company, same address, same everything). Argh!!!

Friedrich

Hi Friedrich,

> But in March 2009, Microsoft introduced an Application Reputation engine.
> It evaluates whether the software has been previously encountered by
> checking a large database of code that has been encountered and collected
> from telemetry capabilities on Windows machines. In short, it looks at
> whether a software vendor has been blacklisted or whitelisted.

OK. But then why does it reset with a new certificate to the same
vendor? Just curious - it seems to me that the more I learn about code
signing, the less I trust it...

Best regards,


--
Arnor Baldvinsson - Icetips Alta LLC

Hi Arnor,

> OK. But then why does it reset with a new certificate to the same vendor?
> Just curious - it seems to me that the more I learn about
> code signing, the less I trust it...

Only Microsoft knows the answer <g> The WebTrusts (Comodo, Thawte, etc.) do
not have control over this.

Friedrich

> Please download and run the following small tool on as many machines as
> possible (see attached screenshots):
> http://www.lindersoft.com/projects/sb10_reputation.exe

Chrome, Win10, ESET Endpoint AV

Chrome just asked me if I'd like to discard or keep your .EXE file.
Works fine.

Marko