I was watching for all Friedrich's warnings about January 02 so I prepared
everything on my side to be able for dual signing,
sha-1 for xp users and sha-2 for the rest.

Now Friedrich says "no more dual signing" after 01.01?

Thanks for any explanation

Darko

Hi Darko,

> I was watching for all Friedrich's warnings about January 02 so I
> prepared everything on my side to be able for dual signing,
> sha-1 for xp users and sha-2 for the rest.
>
> Now Friedrich says "no more dual signing" after 01.01?
>
> Thanks for any explanation

This is an interesting question!

It's not written in stone yet. I really hope they (MS) will not make a
Windows update available to completely discontinue the use of SHA-1. But
maybe they already did, I don't know. The original plan was to remove SHA-1
from the mainstream operating systems.

As far as I can see, Windows 7 with the latest patches installed does not
allow dual SHA-1/SHA-2 code-signing any longer (this worked fine in the
past). So perhaps this already tells us what direction we should think in.

I have contacted Microsoft several times but have not received an official
statement. As far as I know, Windows will stop accepting SHA-1 signed code
and SHA-1 certificates that are time stamped after 1 January 2016. Not sure
if there is already a time bomb installed on older operating systems.

BTW, one WebTrust plans to continue issuing SHA-1 Code Signing Certificates
after January 1st, 2016. So perhaps they have internal information, I don't
know.

We have to see what happens on January 02, 2016 and then act accordingly.

Friedrich

> BTW, one WebTrust plans to continue issuing SHA-1 Code Signing
> Certificates after January 1st, 2016. So perhaps they have
> internal information, I don't know.

It's very well possible that this certificate type can only be used on
Windows XP to continue SHA-1 code-signing. Because Windows XP does not
support SHA-2, dual code-signing would not work here.

We have to see what will happen on January 02, 2016 :-(

Friedrich

Thanks Friedrich for your explanation,

One more detail in speculations, I thought that windows update for xp was
discontinued so maybe sha-1 will not be broken after 01.01. ie. it will work as
is?
Plus, you got me with win7, I already put in a production dual signed app's :-(

Darko

Hi Darko,

> Thanks Friedrich for your explanation,
>
> One more detail in speculations, I thought that windows update for
> xp was discontinued so maybe sha-1 will not be broken after 01.01.
> ie. it will work as is?

IMO, Windows XP will not stop accepting SHA-1 signed code and SHA-1
certificates that are time stamped after 1 January 2016 because it
is no a "mainstream" operating systems.

But the question is, will it still be possible to create NEW dual
code-signatures on and after January 02, 2016.

Friedrich

Hi Friedrich,

Last week we released our big yearly update release of our Clarion
application to our customers. Also *DUAL* signed (SHA-1 and SHA-2) as
per your instructions.

So what's going on now? Can you please explain? Do I have to rollback
our update release and only use SHA-2?!

Best regards,
Jeffrey

Hi Jeffrey,

> Last week we released our big yearly update release of our Clarion
> application to our customers. Also *DUAL* signed (SHA-1 and SHA-2)
> as per your instructions.
>
> So what's going on now? Can you please explain? Do I have to rollback our
> update release and only use SHA-2?!

Hmmm, why rollback your update? What you did was the correct path to take.
Windows will stop accepting SHA-1 signed code and SHA-1 certificates that
are time stamped AFTER January 1, 2016. Your files are time stamped BEFORE
January 1, 2016.

The million dollar question is: Can we still "dual" code-sign on January 02,
2016.

Friedrich

Hi Friedrich,

> Last week we released our big yearly update release of our Clarion
> application to our customers. Also *DUAL* signed (SHA-1 and SHA-2) as
> per your instructions.
>
> So what's going on now? Can you please explain? Do I have to rollback
> our update release and only use SHA-2?!

I'm confused as well on this? If MS stops accepting dual code signed
programs in January, then what is dual code signing good for?

Or will we need to have dual installs, with SHA1 and SHA2?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

> I'm confused as well on this? If MS stops accepting dual code signed
> programs in January, then what is dual code signing good for?

If you have "dual" SHA-1/SHA-2 code-signed *BEFORE* January 1, 2016 and time
stamped (VERY IMPORTANT!) your SHA-1 signature with a Microsoft Authenticode
compatible and the SHA-2 signature with a RFC 3161 compliant trusted time
stamp server then your files have a perfectly valid signature *AFTER*
January 1, 2016. In other words, you have valid signatures on all Windows
operating systems that support Authenticode. So *ALWAYS* use the cool dual
code-signing method (for maximum backward compatibility) as long as you can.

>
> Or will we need to have dual installs, with SHA1 and SHA2?
>

The question is, what will happen on and after January 2, 2016 !!!

1. Can we still "dual" SHA-1/SHA-2 code-sign to support older operating
systems?

2. Is there already a mechanism (time bomb) built into older Windows
operating systems (e.g. XP) so that SHA-1 signatures created and time
stamped AFTER January 1, 2016 will be treated as invalid?

3. Is there still a (supported) Windows operating system available that can
handle SHA-1 and/or dual SHA-1/SHA-2 code-signing on and after January 1,
2016?

So many questions and so few answers <g>.

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

Hi Friedrich,

Phew, you have just made me happy! :-)
Thank you!

Best regards,
Jeffrey

> Phew, you have just made me happy! :-)
> Thank you!

;-)

You are welcome!

Friedrich

Friedrich,

>If you have "dual" SHA-1/SHA-2 code-signed *BEFORE* January 1, 2016 and time
>stamped (VERY IMPORTANT!) your SHA-1 signature with a Microsoft Authenticode
>compatible and the SHA-2 signature with a RFC 3161 compliant trusted time
>stamp server then your files have a perfectly valid signature *AFTER*
>January 1, 2016.

what will happen with existing installations at customers with the old
certificates from 2014?

Will they continue to work in 2016?

On

# XP
# Vista
# Windows 7
# Windows 8.x
# Windows 10

Thanks
Wolfgang Orth
www.odata.de

Hi Wolfgang,

> what will happen with existing installations at customers with the old
> certificates from 2014?
>
> Will they continue to work in 2016?
>
> On
>
> # XP
> # Vista
> # Windows 7
> # Windows 8.x
> # Windows 10

Windows 7 and later platforms will stop accepting SHA-1 Code Signed software
without time stamps on January 1st, 2016. Software that includes a
Microsoft Authenticode compatible time stamp BEFORE January 1st, 2016 will
be accepted until January 14th, 2020.

It is not clear what will happen on Windows Vista (and earlier platforms) on
January 2, 2016.

On January 1, 2016, Windows 7 and later (earlier?) platforms will stop
accepting SHA-1 code signed software with stop trusting code that was signed
with a SHA-1 code-signing certificate and a timestamp of January 1, 2016 or
later.

Friedrich

Hi Friedrich,

> If you have "dual" SHA-1/SHA-2 code-signed *BEFORE* January 1, 2016
> and time stamped (VERY IMPORTANT!) your SHA-1 signature with a
> Microsoft Authenticode compatible and the SHA-2 signature with a RFC
> 3161 compliant trusted time stamp server then your files have a
> perfectly valid signature *AFTER* January 1, 2016. In other words, you
> have valid signatures on all Windows operating systems that support
> Authenticode. So *ALWAYS* use the cool dual code-signing method (for
> maximum backward compatibility) as long as you can.

OK, thanks for the clarification.

But what happens with installers that I code sign *after* January 1, 2016?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

> OK, thanks for the clarification.
>
> But what happens with installers that I code sign *after* January 1, 2016?

On January 1, 2016, Windows 7 and later platforms will stop accepting SHA-1
code signed software with stop trusting code that was signed
with a SHA-1 code-signing certificate and a timestamp of January 1, 2016 or
later.

So when you code-sign your software with SHA-2 *after* January 1, 2016 then
you are safe on Windows 7 and later.

But the question is, can we still "dual" SHA-1/SHA-2 code-sign *after*
January 1, 2016 to support both Windows 7 and later platforms and
pre-Windows 7 platforms. Windows 7 already stopped "dual" code-signing
mode.

If "dual" code-signing is still supported on "modern" Windows platforms then
we are safe because we can continue to support legacy Windows platforms
(such as Windows XP and Vista) and modern Windows version from the same code
base.

Friedrich

Friedrich,

Could you give us poor mortals an picture to look at?!<g>

Maybe the attached spreadsheet with...

"Yes" "No" or "Y" "N" or "True" "False" or "T" "F"

....entered into each cell?

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

I'd like to see that too.

Maybe add a slot for every day of the week until Jan 1 so we can track
the history of changes. <g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> Maybe add a slot for every day of the week until Jan 1 so we can track
> the history of changes. <g>

<g>

Lee White

Lee,

> Could you give us poor mortals an picture to look at?!<g>
>
> Maybe the attached spreadsheet with...
>
> "Yes" "No" or "Y" "N" or "True" "False" or "T" "F"
>
> ....entered into each cell?

<G> No problem and a very good idea. I'll work on it this weekend ;-)

Friedrich

Hi Friedrich,

> pre-Windows 7 platforms. Windows 7 already stopped "dual" code-signing
> mode.

What exactly does that mean? That Win7 does not accept dual code signed
exes?

> If "dual" code-signing is still supported on "modern" Windows platforms then
> we are safe because we can continue to support legacy Windows platforms
> (such as Windows XP and Vista) and modern Windows version from the same code
> base.

F... mess, that's all I can say;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

>> pre-Windows 7 platforms. Windows 7 already stopped "dual" code-signing
>> mode.
>
> What exactly does that mean? That Win7 does not accept dual code signed
> exes?

Yes, dual code-signing worked fine on Windows 7 SP1 (without "SP1" it never
worked) but one of the later updates stopped it.

>> If "dual" code-signing is still supported on "modern" Windows platforms
>> then we are safe because we can continue to support legacy Windows
>> platforms (such as Windows XP and Vista) and modern Windows version from
>> the same code
>> base.
>
> F... mess, that's all I can say;)

YES ;-) And the cool thing is, they are already working on SHA-3 <vbg>.

Friedrich

Hi Friedrich,

> Yes, dual code-signing worked fine on Windows 7 SP1 (without "SP1" it
> never worked) but one of the later updates stopped it.

I'm sorry for being dense<g> How do you define "working" in this
context? Is that the installer will not run, or will it just throw the
"untrusted" warning when it runs?

My concern is this: I release anywhere from 5-50 builds total of my
products every year. If dual code signing is not going to be supported
in Windows 7-10 after January 1st, 2016 then it doesn't really do me any
good, except from now to the next release (which could be later this
year or early next year)

So, should I even bother with it? I DO know that there are some of my
customers using C6 (or even 5.5) on XP virtual machines which then do
not support SHA2. But what will happen on those machines? Will the
installer simply throw the regular warning about the author not be
trusted, or will the installer not work at all? If the former, I don't
really care.

> YES ;-) And the cool thing is, they are already working on SHA-3 <vbg>.

One could hope that those Certification entities might grow some sense
by then, but I think that's too much expectation...

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

> I'm sorry for being dense<g> How do you define "working" in this context?
> Is that the installer will not run, or will it just throw the "untrusted"
> warning when it runs?

Absolutely no problem <g>.

"Stop working" in this context means that you can't handle "dual"
code-signing on Windows 7 when you try to compile your application files or
the setup.exe. So it is impossible to add a "dual" SHA-1/SHA-2 signature to
your files when using Windows 7. At the moment, dual code-signing works
reliable on Windows 10 and Windows 8.1.

> My concern is this: I release anywhere from 5-50 builds total of my
> products every year. If dual code signing is not going to be supported in
> Windows 7-10 after January 1st, 2016 then it doesn't really do me any
> good, except from now to the next release (which could be later this year
> or early next year)
>
> So, should I even bother with it? I DO know that there are some of my
> customers using C6 (or even 5.5) on XP virtual machines which then do not
> support SHA2. But what will happen on those machines? Will the installer
> simply throw the regular warning about the author not be trusted, or will
> the installer not work at all? If the former, I don't really care.

If the "User Account Control: Only elevate executables that are signed and
validated" security policy is enabled and the signature is invalid (e.g.
when there is only a SHA-2 signature but the system does not fully support
SHA-2) then the installer will not start. And if there is no valid
signature then anti-virus and anti-spyware tools might begin to "dislike"
the software. The protection tools might block the software, remove the
software, etc.

Next problem is that there are XP, Windows Vista, Windows Server 2008, and
Windows 7 (without service pack). These operating systems do not or do not
fully support SHA-2. But most developers still have to support outdated
operating systems. It would be a nightmare to compile separate SHA-1 and
SHA-2 versions.

>> YES ;-) And the cool thing is, they are already working on SHA-3 <vbg>.
>
> One could hope that those Certification entities might grow some sense by
> then, but I think that's too much expectation...

<g>. I agree 100% ;-)

Friedrich

Hi Friedrich,

> "Stop working" in this context means that you can't handle "dual"
> code-signing on Windows 7 when you try to compile your application
> files or the setup.exe. So it is impossible to add a "dual"
> SHA-1/SHA-2 signature to your files when using Windows 7. At the
> moment, dual code-signing works reliable on Windows 10 and Windows 8.1.

Ok, so it's the actual code signing side of it! OK, then it's no
problem:) But curious: What errors would I see in SB in case it fails?

> If the "User Account Control: Only elevate executables that are signed
> and validated" security policy is enabled and the signature is invalid
> (e.g. when there is only a SHA-2 signature but the system does not
> fully support SHA-2) then the installer will not start. And if there
> is no valid signature then anti-virus and anti-spyware tools might
> begin to "dislike" the software. The protection tools might block the
> software, remove the software, etc. Next problem is that there are XP,
> Windows Vista, Windows Server 2008, and Windows 7 (without service
> pack). These operating systems do not or do not fully support SHA-2.
> But most developers still have to support outdated operating systems.
> It would be a nightmare to compile separate SHA-1 and SHA-2 versions.

Yeah, not doing that and I'm NOT going back to re-code sign 200+
installers;) But there is no problem with the old OS accepting dual
signed even if they don't support SHA-2, right?

Never a dull moment in the salt mines, eh?<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Arnor,

> Ok, so it's the actual code signing side of it! OK, then it's no
> problem:) But curious: What errors would I see in SB in case it fails?

Please see the attached screenshot (Windows 7 machine).

SHA1: 0
SHA2: 1

"1" means error. This worked fine a few months ago. No way to create a
valid SHA-1/SHA-2 signature :-(

> Yeah, not doing that and I'm NOT going back to re-code sign 200+
> installers;) But there is no problem with the old OS accepting dual
> signed even if they don't support SHA-2, right?

Right!

>
> Never a dull moment in the salt mines, eh?<g>
>

<BG> ;-)

Friedrich

Hi Friedrich,

> Please see the attached screenshot (Windows 7 machine). SHA1: 0 SHA2:
> 1 "1" means error. This worked fine a few months ago. No way to create
> a valid SHA-1/SHA-2 signature :-(

Good to know! And that would only be reported on SHA-1

>> Yeah, not doing that and I'm NOT going back to re-code sign 200+
>> installers;) But there is no problem with the old OS accepting dual
>> signed even if they don't support SHA-2, right?
> Right!

Excellent! This stuff can drive a man to drink... Have lost count of
the coffee mugs today<g> Have a good weekend!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC