NewsArchive
09-17-2015, 06:43 AM
All,
Yes, we have developed a migration plan for our old SHA-1 code signing
certificate. SHA-1 "switch-off" day is in 2568 hours. After 1 January
2016, you have to dual SHA-1/SHA-2 (or SHA-2) code-sign your files using
Microsoft Authenticode compatible time stamp and RFC 3161 compliant trusted
time stamp servers. In other words, we have to re-compile all SetupBuilder
codes and code-sign all the DLLs and EXEs with our new SHA-2 certificate.
Why? Because Windows, Internet browsers, anti-virus and anti-spyware don't
like invalid code-sign signatures at all!
No problem, right? Wrong :-(
There are some SetupBuilder components which work rock solid for 7+ years --
there was no need to touch the source code, not in SetupBuilder 6.x or 7.x
or 8.x. They are still signed with a code-signing certificate that expired
in September 2010. But the files are timestamped and so the signatures are
perfectly valid. This will change on January 2nd, 2016.
Our original plan was to re-compile all components. To be honest, it makes
me a bit nervous to re-compile perfectly working components just to
code-sign them. It's a complex process that leaves lots of room for errors
:-(
So perhaps I'll change plans and try to find the original (not signed)
DLLs/EXEs and then re-sign them with the new SHA-2 certificate.
IMO, all this is a nightmare. So my suggestion to you is, develop a
migration plan for your old SHA-1 code-signing certificate and SHA-1
signed files soon!!!
Friedrich
--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)
--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
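The dual SHA-1/SHA-2 signing step the post refers to, sketched with Microsoft's signtool.exe as an added example that is not part of the original post or Lindersoft's own procedure. Assumptions: signtool.exe is on PATH, the new certificate is in the current user's certificate store, and the thumbprint, both timestamp URLs and the `.\unsigned` folder are placeholders.

```powershell
# Added example: dual-sign unsigned EXEs/DLLs, then verify every signature.
# All values below are placeholders (assumptions), not taken from the post.
$Thumbprint     = '<NEW-SHA2-CERT-THUMBPRINT>'                      # selects the cert from the store
$AuthenticodeTs = 'http://timestamp.example.invalid/authenticode'   # legacy Authenticode timestamp URL
$Rfc3161Ts      = 'http://timestamp.example.invalid/rfc3161'        # RFC 3161 timestamp URL
$Files = Get-ChildItem -Path '.\unsigned' -Include *.exe, *.dll -Recurse

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    # Stop on the first failure so a half-signed file never ships unnoticed.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed ($LASTEXITCODE): $($Arguments -join ' ')"
    }
}

foreach ($f in $Files) {
    # 1) Primary signature: SHA-1 file digest, Authenticode-style timestamp (/t).
    Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/fd', 'sha1',
                      '/t', $AuthenticodeTs, $f.FullName)

    # 2) Appended signature (/as): SHA-256 file digest, RFC 3161 timestamp
    #    (/tr) with a SHA-256 timestamp digest (/td).
    Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/as', '/fd', 'sha256',
                      '/tr', $Rfc3161Ts, '/td', 'sha256', $f.FullName)

    # 3) Verify all signatures on the file against the default Authenticode policy.
    Invoke-SignTool @('verify', '/pa', '/all', $f.FullName)
}
```

Note that signtool's `/sha1` option is the certificate thumbprint selector, not the file digest choice; the digest is set with `/fd`.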