Export from IE create .pfx file - can I use it?



NewsArchive
11-16-2015, 02:35 AM
Sorry, new to all this! Trying to follow Jane's instructions...

I registered a code signing certificate with Comodo, and it is showing up in IE.

1. Where is the .pvk file?

2. I exported the certificate (including the private key) from IE and it
created a .pfx file - is that file a suitable .pfx file for codesigning with
SB?

Liam

NewsArchive
11-16-2015, 02:36 AM
Hi Liam

The .pfx file is all you need (and your password :-)

JohnG

NewsArchive
11-16-2015, 02:36 AM
Thanks John, that's good to hear because I can't find the .pvk, or .spc files!

Liam

NewsArchive
11-16-2015, 02:37 AM
Liam,

>
> Thanks John, that's good to hear because I can't find the .pvk, or .spc
> files!
>

The .pvk and .spc files are a thing from the past. On modern Windows
operating systems with support for UAC (Vista+), the Authenticode components
can't create .pvk/.spc.

Friedrich

NewsArchive
11-16-2015, 02:37 AM
Supplemental Question...

I code signed the installer and when I review the exe certificate it is SHA1.

How can I get it to generate a SHA2 when code signing the installer and app
when the .pfx file is created by the IE export?

Liam

NewsArchive
11-16-2015, 02:38 AM
OK, got it to work using the SB10 Tips & Tricks #1: Dual SHA-1/SHA-2
code-signing example posted recently, which added SHA1 and SHA2 to the
installer, so the .pfx file seems to be OK.

So I need to manually add ..

#pragma CODESIGN_SHA = "2"

...to the script to get SHA2, not sure why it's not an option from the SetupScript Editor?

Liam

NewsArchive
11-16-2015, 02:38 AM
> So I need to manually add ..
>
> #pragma CODESIGN_SHA = "2"
>
> ...to the script to get SHA2, not sure why it's not an option from the
> SetupScript Editor?

Hmmm, but it is an option in the SetupScript Editor, isn't it? <g>.

#pragma CODESIGN_SHA = "2" can only be used in SetupScript to specify
additional options. We need it to support SHA-1, SHA-2 or SHA-1/SHA-2. The
default is SHA-1 because most developers are still not SHA-2 ready.

But the #pragma CODESIGN_SHA option will become history on January 02, 2016
(in 47 days <g>).

Friedrich

NewsArchive
11-16-2015, 09:38 AM
Thanks Friedrich, I was following Jane's help included with SB - I later found
the updated Code Signing post in your online forum.

Liam

NewsArchive
11-16-2015, 09:38 AM
> Thanks Friedrich, I was following Jane's help included with SB - I later
> found the updated Code Signing post in your online forum.

BTW, it is possible to convert a .pfx into a .pvk/.spc. But of course, it's
not recommended.

Some users are still using XP to request their certificate in form of
.pvk/.spc.

Friedrich

NewsArchive
11-16-2015, 09:40 AM
<g>

See attached - I had "Script Editor" highlighted when I was making the post so
I thought the "Whatever it is called on the left" was called SetupScript
Editor.

I thought if you can specify the TimeStamp URL from a droplist you should be
able to select SHA1/SHA2 from a droplist.

Searching for SHA2 in the help doesn't lead to an explanation of how to implement it.

Despite all the information on code signing in SB, I still had to look in about
6 different places until I finally figured out how to do it. I'm sure it will
become easier, but I was warned there was a steep learning curve for SB!

e.g. This post by Stu Andrews (2009) is the only place I've found that
specifically says where to call the code signing, it's not in the help so far
as I can see...

http://stuandrews.com/2009/01/code-signing-your-own-exesdlls-in-setupbuilder/

Just my first impressions, no offence intended.

Liam

NewsArchive
11-16-2015, 09:42 AM
Hi Liam,

> See attached - I had "Script Editor" highlighted when I was making the
> post so I thought the "Whatever it is called on the left" was called
> SetupScript Editor.

Aha, okay. The "Script Editor" gives you access to the SetupScript powered
script (language). And in SetupScript you have the option to set a #pragma
to control the code-signing type (SHA-1 = "1", SHA-2 = "2", SHA-1/SHA-2 =
"12").

> I thought if you can specify the TimeStamp URL from a droplist you should
> be able to select SHA1/SHA2 from a droplist.

If it could be that easy <g>. But unfortunately, this is not possible.
There are too many different #pragma settings available. And most
developers set the #pragma at compile time from automated command line tools
or via a SKU or Release. A droplist would be a huge limitation in a
#pragma.

>
> Searching for SHA2 in the help doesn't lead to an explanation of how to
> implement it.
>

Yes, you are right. SHA-2 is pretty new, but all this will become history
in 47 days. Then SHA-1 or dual SHA-1/SHA-2 will be disabled. SHA-2 will be
the only possible code-signing option (and no need to use CODESIGN_SHA,
CODESIGN_TSTYPE and CODESIGN_TSSHA1URL any longer).

> Despite all the information on code signing in SB, I still had to look in
> about 6 different places until I finally figured out how to do it. I'm
> sure it will become easier, but I was warned there was a steep learning
> curve for SB!

I agree. Application deployment is very complex. We have a manual to cover
the pure basics (yes, still room for improvements), then the "Learning
SetupBuilder Part I", and the online forum with all the tips and tricks,
suggestions and questions. Unfortunately, it is absolutely impossible to
make an "all-in-one" resource available :-(

> e.g. This post by Stu Andrews (2009) is the only place I've found that
> specifically says where to call the code signing, it's not in the help so
> far as I can see...
>
> http://stuandrews.com/2009/01/code-signing-your-own-exesdlls-in-setupbuilder/

See attached. It's in the help file. Because "#code-sign application..."
is a compiler directive, you can call it wherever you want.

>
> Just my first impressions, no offence intended.
>

Thank you for your feedback!

Friedrich
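
Liam found the SHA-1 digest by inspecting the signed exe, and the post above lists the three CODESIGN_SHA settings ("1", "2", "12"). Below is an added example, not part of this thread or of SetupBuilder, that makes the same check scriptable: it pulls the PKCS#7 blob out of a PE's security directory and lists every hash OID it references, so a dual SHA-1/SHA-2 signature reports both. It only parses the structure; it does not verify the signature.

```python
"""Added example: list the hash algorithms an Authenticode-signed PE carries."""
import struct

# DER-encoded contents of the digest OIDs that SignedData and
# SpcIndirectDataContent reference (values from the X.509/PKCS standards).
HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): "SHA-1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "SHA-256",  # 2.16.840.1.101.3.4.2.1
    bytes.fromhex("608648016503040202"): "SHA-384",
    bytes.fromhex("608648016503040203"): "SHA-512",
}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos: (tag, header_len, content_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def digest_algorithms(der, found=None):
    """Walk a DER blob recursively and collect every hash OID it references.
    A dual SHA-1/SHA-2 signature nests a second SignedData in the first one's
    unsigned attributes, and a timestamp countersignature has its own digest,
    so all of them show up here in document order."""
    found = [] if found is None else found
    pos = 0
    while pos < len(der):
        tag, hlen, clen = _tlv(der, pos)
        body = der[pos + hlen:pos + hlen + clen]
        if tag == 0x06:                      # OBJECT IDENTIFIER
            name = HASH_OIDS.get(body)
            if name and name not in found:
                found.append(name)
        elif tag & 0x20:                     # constructed: SEQUENCE, SET, [n]
            digest_algorithms(body, found)
        pos += hlen + clen
    return found

def authenticode_blob(pe):
    """Return the PKCS#7 blob from a PE image's security directory (b"" if unsigned)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = pe_off + 24                         # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = security
    if size == 0:
        return b""
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (8 bytes)
    return pe[offset + 8:offset + size]
```

Run it as `digest_algorithms(authenticode_blob(open("setup.exe", "rb").read()))`; an unsigned file returns an empty list, a "12" build returns both names.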

NewsArchive
11-16-2015, 09:43 AM
> Yes, you are right. SHA-2 is pretty new, but all this will become
> history in 47 days. Then SHA-1 or dual SHA-1/SHA-2 will be disabled.
> SHA-2 will be the only possible code-signing option (and no need to
> use CODESIGN_SHA, CODESIGN_TSTYPE and CODESIGN_TSSHA1URL any longer).

Received emails with regard to the above statement.

Microsoft plans to "disable" SHA-1 on January 02, 2016. In other words,
SHA-1 or dual SHA-1/SHA-2 code-signing will not be possible on and after
January 02, 2016.

Friedrich

NewsArchive
11-17-2015, 01:31 AM
Thanks Friedrich,

I appreciate Jane's document, but for a newcomer, Stu's article was much
clearer about how to do it, where to place the #pragma for instance.

I'll learn <g>

Liam

NewsArchive
11-17-2015, 01:33 AM
Thanks Friedrich,

I appreciate that things are changing in this area, but I was a little confused
because pfx is marked as "Optional", but pvk/spc were not, so I thought that I
had to have them.

Liam

NewsArchive
11-17-2015, 10:57 AM
Liam,

> I appreciate that things are changing in this area, but I was a little
> confused because pfx is marked as "Optional", but pvk/spc were not, so
> I thought that I had to have them.

Yes, it's a bit confusing. SetupBuilder can handle both .PFX and .PVK/.SPC
code-sign certificate types. Last year, about 65% (2013: 98%) of the newly
SB issued Comodo certificates were .PVK/.SPC. This year, 99% of the newly
issued SB Comodo certificates are .PFX types. But at the moment, 75% of the
code-sign certificates (with an expiration date in 2016 or later) are
.PVK/.SPC. So for the masses, .PFX is still optional <g>. Of course, this
will change in a few weeks.

With the SetupBuilder January 2016 update, we'll completely remove support
for .PVK/.SPC (and SignCode.exe).

Friedrich