Can I code sign SHA2 on Windows XP SP3



NewsArchive
09-18-2015, 12:53 PM
Hi,

My main development machine is running Windows XP SP3 32Bit.
I have already tested my own compile manager on Windows 8.1 64Bit and I can
Dual Code Sign with SHA1 & SHA2 or just one of the two.

It is going to be a hassle to transfer all my app files from the Win XP
machine to the Win 8.1 machine just for code signing as SHA2.

Can Windows XP SP3 be used to code sign SHA2?
If so what do I need to install?

All help would be appreciated.

Regards

Johan de Klerk

NewsArchive
09-18-2015, 12:53 PM
Hi Johan,

> My main development machine is running Windows XP SP3 32Bit.
> I have already tested my own compile manager on Windows 8.1 64Bit and I
> can Dual Code Sign with SHA1 & SHA2 or just one of the two.
>
> It is going to be a hassle to transfer all my app files from the Win XP
> machine to the Win 8.1 machine just for code signing as SHA2.
>
> Can Windows XP SP3 be used to code sign SHA2?
> If so what do I need to install?

You need a very specific signtool.exe (which requires a modern Windows
operating system) to handle SHA-2 and dual SHA-1/SHA-2 code-signing.
Windows XP does not support it. I am using Windows 10 and signtool.exe
version 10 for code-signing now.

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
09-18-2015, 12:54 PM
Ouh, that's a new one for me :-O

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

NewsArchive
09-18-2015, 12:55 PM
Which library does the signing?
It should work, any limit I know for XP is that .Net 4.5 does not work, and
I think that SHA2 is in .Net 2.0, so that is not the problem.

Kzendra

NewsArchive
09-19-2015, 03:38 AM
kzendra,

> Which library does the signing?
> It should work, any limit I know for XP is that .Net 4.5 does not work,
> and I think that SHA2 is in .Net 2.0, so that is not the problem.

You need at least Signtool.exe version 6.3.9600.16384. Version
6.2.9200.16384 is too buggy. The modern signtool generation requires
specific Authenticode components (which are not available in XP).

Friedrich


NewsArchive
09-21-2015, 01:49 AM
Hmm, in that case, documentation is somewhat incomplete.

http://blogs.msdn.com/b/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=8279

Both these state that it should work on XP SP3...

Kzendra


NewsArchive
09-21-2015, 04:27 AM
Hi kzendra,

> Hmm, in that case, documentation is somewhat incomplete.
>
> http://blogs.msdn.com/b/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx
> http://www.microsoft.com/en-us/download/details.aspx?id=8279

You need (at least) Authenticode tools version 6.2.9200.16384 (from the
Windows 8 SDK) to handle dual SHA-1/SHA-2 signing. But 6.2 causes lots of
trouble, so you should use 6.3.9600.16384 (from the Windows 8.1 SDK) or
better version 10. Unfortunately, 6.2 and 6.3 (or 10) tools do not work on
Windows XP SP3.

Authenticode 6.1.7600.16385 can handle SHA-1 signing on Windows XP SP3 but
fails on SHA-2 or dual SHA-1/SHA-2 signing. On later Windows OS it can
handle SHA-2 signing but not dual SHA-1/SHA-2.

Friedrich

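The version thresholds Friedrich gives above translate into a simple pre-flight check before dual signing. The following PowerShell script is an added example, not code from the thread or from Lindersoft: it refuses to run with a signtool.exe older than 6.3.9600.16384, applies a SHA-1 primary signature, appends a SHA-256 signature, and verifies both. The certificate path, target file and timestamp URLs are placeholders, and the script is meant to run on the Windows 8.1/10 machine, since the tools it needs do not run on XP.

```powershell
# Added example (not from the thread). Assumes signtool.exe from the Windows 8.1 SDK
# or newer is on PATH, a PFX at $Pfx, and reachable timestamp servers at the placeholder URLs.
$SignTool = "signtool.exe"                            # assumption: resolvable via PATH
$Pfx      = "C:\certs\codesign.pfx"                   # placeholder PFX path
$Target   = ".\MyApp.exe"                             # placeholder file to sign
$Sha1Tsa  = "http://timestamp.example/authenticode"   # placeholder Authenticode TSA
$Sha2Tsa  = "http://timestamp.example/rfc3161"        # placeholder RFC 3161 TSA
$MinVer   = [version]"6.3.9600.16384"                 # minimum named in the thread; 6.2.9200.16384 is "too buggy"

# 1. Pre-flight: read the file version of signtool.exe and refuse older generations.
$exe = (Get-Command $SignTool -ErrorAction Stop).Source
$vi  = (Get-Item $exe).VersionInfo
$ver = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
if ($ver -lt $MinVer) {
    throw "signtool $ver at $exe is older than $MinVer; dual SHA-1/SHA-2 signing needs the 8.1 SDK tools or newer"
}
Write-Host "Using signtool $ver"

$PfxPass = Read-Host "PFX password"

# 2. Primary signature: SHA-1 file digest so older verifiers (e.g. XP) still validate it.
& $exe sign /f $Pfx /p $PfxPass /fd sha1 /t $Sha1Tsa $Target
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signature failed (exit $LASTEXITCODE)" }

# 3. Append (/as) a second signature with a SHA-256 digest and an RFC 3161 SHA-256 timestamp.
& $exe sign /f $Pfx /p $PfxPass /as /fd sha256 /tr $Sha2Tsa /td sha256 $Target
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signature append failed (exit $LASTEXITCODE)" }

# 4. Verify every signature on the file, not just the primary one (/all), against the default policy (/pa).
& $exe verify /pa /all /v $Target
if ($LASTEXITCODE -ne 0) { throw "verification of one or more signatures failed (exit $LASTEXITCODE)" }
```

Order matters: the SHA-1 signature must be applied first and the SHA-256 one appended with /as, otherwise the second sign call overwrites the first.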

NewsArchive
09-21-2015, 04:28 AM
Thanks
Sometimes (usually) it's better to hear the answer from a user than to read it
from MS documentation :-)

Kzendra


NewsArchive
09-21-2015, 07:53 AM
kzendra,

> Thanks
> Sometimes (usually) it's better to hear the answer from a user than to read it
> from MS documentation :-)

;-)

I learned it the hard way. Spent quite a few weeks doing research and
development for SHA-1/SHA-2. And there are still open questions <g>.

Friedrich