All,

I need your help again. Google Chrome still does not trust our new SHA-2
certificate. Microsoft Internet Explorer and Microsoft Edge work fine.
This is a very frustrating situation and we have opened a ticket with
Chromium. The problem is that we can't release SetupBuilder 10 until we
have resolved this issue. Otherwise, we would run into a support nightmare.

It would be great if you could help me.

Please make sure that you have enabled the "Automatically report details of
possible security incidents to Google" option (requires a Chrome restart if
you switch it to on) in your Google Chrome.

1. Go into chrome://settings and turn on "Automatically report details of
possible security incidents to Google" (you'll have to click the "Show
advanced settings..." item to see it).

2. Please download and run the following small tool on as many machines as
possible (see attached screenshots):
http://www.lindersoft.com/downloads/sb10_chrome_test.exe

3. Click the very skinny button next to that big Discard button, then click
"Keep".

4. Click the downloaded file and run it.

I guarantee, the above SetupBuilder generated application WILL NOT harm your
system. It just ask for elevation and displays a "SetupBuilder 10" dialog.

Thank you for your help!

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

I have used it and chrome did not complain.
It downloaded file without warnings and u runned it, windows asked me if I
wanted to run the file.

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

I did it and I don't see any warning downloading with Chrome

Darko

> 3. Click the very skinny button next to that big Discard button, then
> click "Keep".

Same as kzendra, no "Discard" dialog here - chrome just let me run it...

Simon Kemp

kzendra,

> I have used it and chrome did not complain.
> It downloaded file without warnings and u runned it, windows asked me if I
> wanted to run the file.

AMAZING! Did they really fix it so fast??? I have opened a ticket with
Chromium, but have not received an answer yet. Download it again from here
and no warning. Wow!!!

Thanks so much for your help!

Friedrich

Darko,

> I did it and I don't see any warning downloading with Chrome

All I can say is Wow Wow Wow!! The SHA-2 signed file works fine now and
even my initial one:

http://www.lindersoft.com/projects/sb10_reputation.exe

All this did not work 15 minutes ago...

Friedrich

Thank you, Darko !!!

Friedrich

Simon,

>> 3. Click the very skinny button next to that big Discard button, then
>> click "Keep".
>
> Same as kzendra, no "Discard" dialog here - chrome just let me run it...

Unbelievable! Thanks so much for the confirmation and your help!

The question is, what "fixed" it? All the downloads to build a trust or the
ticket I opened an hour ago.

Thanks again!

Friedrich

Do you have any hair left? <g>

Simon Kemp

>
> Do you have any hair left? <g>
>

Call me Kojak <bg> That was a nightmare!!!!

Friedrich

> I need your help again. Google Chrome still does not trust our new SHA-2
> certificate. Microsoft Internet Explorer and Microsoft Edge work fine.
> This is a very frustrating situation and we have opened a ticket with
> Chromium. The problem is that we can't release SetupBuilder 10 until we
> have resolved this issue. Otherwise, we would run into a support nightmare.
>
> It would be great if you could help me.

done it on Chrom Version 45.0.2454.93
see attached image

--

best regards,
Guennadi

Guennadi,

> done it on Chrom Version 45.0.2454.93
> see attached image

Interesting. Thanks for the information!

I am also using:

Chrome version: 45.0.2454.93 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 18.0 r0

Does not give any warning any longer for all files code-signed with the new
SHA-2 certificate here (tested from different IPs and machines). Did not
work two hours ago, then I opened a ticket. Very strange.

Friedrich

updated to Version 45.0.2454.99 m

the same message


--

best regards,
Guennadi

> updated to Version 45.0.2454.99 m
>
> the same message

Updated Chrome to 45.0.255499 m and still no warning.

Perhaps Google has to "mirrow" the certificate status. I have sbsolutely no
idea. But all this is very suspect.

Friedrich

Guennadi,

Do you have the "Automatically report details of possible security incidents
to Google" option enabled?

Friedrich

Ye-Ha

No [Discard] warning here. All looking good.

JohnG

Forgot to mention, your original sb10_reputation.exe also now does a clean
download.

John

Hi John,

> Forgot to mention, your original sb10_reputation.exe also now does
> a clean download.

Perfect !!! Thanks so much for your help !!!!!

But files signed with the OLD code-signing certificat give a warning now,
right?

http://www.lindersoft.com/projects/sb10_reputation_old.exe

-or-

http://www.lindersoft.com/sb8trial/sb8_Dev_Trial_NoHelp.exe

Friedrich

> Do you have any hair left? <g>
>

:-D

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

Version 45.0.2454.99 m
You are out of date :-)

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

>But files signed with the OLD code-signing certificat give a warning now,
>right?

Yes, they are now a problem :-( They both gave me the [Discard] warning.

John

John,

>>But files signed with the OLD code-signing certificat give a warning now,
>>right?
>
> Yes, they are now a problem :-( They both gave me the [Discard] warning.

Only Google knows... <G> Looking forward to the January 02, 2016 SHA-1
switch off day. Oh boy... We'll need a lot of Popcorn for this day.

Friedrich

both downloads with warnings

Darko

Darko,

>
> both downloads with warnings
>

Exactly what I see here. I think what Google did this morning is they
killed the trust of the old certificate and enhanced reputation of the new
one. I really would like to know how all this works behind-the-scenes.
Interesting and scary thing...

Friedrich

That is the reason I do updates from inside the program.
First install is complicated thing and is 99.99% done by trained person.
Update process does not use browser, just NetTalk, some hash checking and
so on :-)

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

kzendra,

> That is the reason I do updates from inside the program.
> First install is complicated thing and is 99.99% done by trained
> person. Update process does not use browser, just NetTalk, some
> hash checking and so on :-)

This will only work as expected after January 02, 2016 if there are NO
protection systems involved (e.g. anti-spyware and anti-virus) <g>. These
systems are all connected to the Microsoft SmartScreen engine and the Google
"trust database". Be prepared that all the smart systems put files with an
invalid signature (e.g. SHA-1) into quarantine sooner or later <g>. And
then the hell breaks loose...

Friedrich

The "Year 2000" problem was a joke compared to the SHA-1 switch-off day.

Friedrich

Hmmm, that's the bridge we'l cross, sometimes in 2016 :-)

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

ran for me without any warnings from Chrome

Tony Tetley

>
> ran for me without any warnings from Chrome
>

Thank you, Tony !!!

Friedrich

> Guennadi,
>
> Do you have the "Automatically report details of possible security incidents
> to Google" option enabled?

Yes, exactly, it is ON.


--

best regards,
Guennadi

>> Do you have the "Automatically report details of possible security
>> incidents to Google" option enabled?
>
> Yes, exactly, it is ON.

Hmmm, that is very weird. The new certificate seems to be trusted now (and
the old one is "disabled").

Friedrich

That's the version I have, as well.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Worked here

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

>
> Worked here
>

Thanks, Jeff !!!

Friedrich

Just tried this here - no warnings, no problems. Again - worked fine.

Andy Morgan

Ran with no warnings.

Jan Fleming

>
> Just tried this here - no warnings, no problems. Again - worked fine.
>

Perfect! Thanks, Andy.

Friedrich

>
> Ran with no warnings.
>

Cool !!! Thanks so much, Jane.

Friedrich

Hi Friedrich,

> 3. Click the very skinny button next to that big Discard button, then click
> "Keep".

The "Discard" was a no-show:) Downloaded and ran without any sh** from
Chrome:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

> The "Discard" was a no-show:) Downloaded and ran without any sh** from
> Chrome:)

:) THANK YOU !!!!!

Friedrich

Wow, crazy. Look at this. Windows 7 SP1 machine running Chrome and a
Windows 10 running Chrome. Same Chrome version, same IP address, same
download file, same time, but different reputation results.

That is not funny, Google <g>. I give up...

Friedrich

Done!

No security warning

Best regards

Edvard

> Done!
>
> No security warning

Thank you, Edvard !!!

Friedrich

>AMAZING! Did they really fix it so fast??? I have opened a ticket with
>Chromium, but have not received an answer yet. Download it again from here
>and no warning. Wow!!!

Nich so schnell mit die jungen Ferde!

See screenshot screenshot_Chrome_SB10.JPG

It shows my third attempt, hence the (2).


Regards,
Wolfgang Orth
www.odata.de

Friedrich,

my settings: screenshot_Chrome_settings.JPG


Regards,
Wolfgang Orth
www.odata.de

Hi Wolfgang,

> Nich so schnell mit die jungen Ferde!
>
> See screenshot screenshot_Chrome_SB10.JPG
>
> It shows my third attempt, hence the (2).

Luckily it seems to work fine for 99% of the users now. I think what you
see is a "machine specific" Chrome thing.

Look at this: same Google Chrome version, same ISP and IP, same download
location, same time, but different operating systems.

http://www.lindersoft.com/forums/showthread.php?46881&p=85046#post85046

Friedrich

downloaded and ran without any security warnings.

Hyrum Tatton

>
> downloaded and ran without any security warnings.
>

Thank you, Hyrum !!!

Friedrich

Hi Wolfgang,

Interesting test results /see attached screenshots). Tested from a Windows
7 SP1 (not updated to the latest patch level) virtual machine and a Windows
10 virtual machine. Same Chrome version, same ISP and IP, etc.

Windows 7 SP1 can not even see the SHA-2 signature and gives a warning. No
problem on Windows 10.

Friedrich

>Windows 7 SP1 can not even see the SHA-2 signature and gives a warning. No
>problem on Windows 10.

As you may have noticed, I ran it on Vista SP2.

Someone has to do it....!

<g>


Regards,
Wolfgang Orth
www.odata.de

Hi Wolfgang,

> As you may have noticed, I ran it on Vista SP2.
>
> Someone has to do it....!

Oh...well... that explains it <g>. When you check the code-signature of the
downloaded file, do you see both SHA-1 and SHA-2 signatures? I am trying to
understand how this Google Chrome reputation thing works in practice. As
far as I can see, Google Chrome's reputation engine needs a specific Windows
patch level to work correctly.

Tested it on Windows 8.0, 8.1 and Windows 10 and all is perfect. On some
Windows 7 machines it gives a warning. Remember, always the same Chrome
version and the same Internet Service Provider & IP. Just tested it on
Vista Business and it works fine after Windows updated its revoking list
(see attached screenshots). But Vista can only see the SHA-1 signature.

Friedrich

me too
cheers
Dave Beggs

> me too

Thank you, Dave !!!

Friedrich

Friedrich,

> Oh...well... that explains it <g>.

The phrase you may be looking for...<g>

"Thanks for the support nightmare, Mr. Bill!"

Lee White

>> Oh...well... that explains it <g>.
>
> The phrase you may be looking for...<g>
>
> "Thanks for the support nightmare, Mr. Bill!"

<VBG> ;-)

Friedrich

Hi Friedrich,

> 2. Please download and run the following small tool on as many machines as
> possible (see attached screenshots):
> http://www.lindersoft.com/downloads/sb10_chrome_test.exe

FWIW I ran this again on my laptop and got no warning - but I've lost
track of what and where I got warnings<g> Hopefully this IS getting
resolved:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Worked ok with no warnings on my dev pc. Will try it on laptop and a couple
of others this weekend.

Skip

> Worked ok with no warnings on my dev pc. Will try it on laptop and a
> couple of others this weekend.

Thank you, Skip !!!

Friedrich

>> As you may have noticed, I ran it on Vista SP2.
>>
>> Someone has to do it....!
>
>Oh...well... that explains it <g>.

Now you see, what burden I am willing to carry for you!

> When you check the code-signature of the
> downloaded file, do you see both SHA-1 and SHA-2 signatures?

See attached screenshot - hth


Regards,
Wolfgang Orth
www.odata.de

Hi Wolfgang,

> Now you see, what burden I am willing to carry for you!

<G>

> See attached screenshot - hth

Yes, that is the expected result on your Vista patch level :-) The file is
dual SHA-1/SHA-2 code-signed and on your machine the SHA-1 signature is
valid.

Friedrich

>Yes, that is the expected result on your Vista patch level :-) The file is
>dual SHA-1/SHA-2 code-signed and on your machine the SHA-1 signature is
>valid.

And Chrome on my Vista still suggests to "discard".


Regards,
Wolfgang Orth
www.odata.de