SHA-1 Deprecation - Here we go...



NewsArchive
01-13-2016, 01:42 AM
All,

Here we go. Windows 10 installed a security patch this morning. I have
downloaded my test executable, code-signed with my old SHA-1 certificate on
January 05, 2016.

And here are the results.... ;-) See attached screenshots.

For code signing certificates, Windows stopped accepting SHA-1 signed code
and SHA-1 certificates that are time stamped after 1 January 2016 amd have a
"Mark of the Web" attribute. A "Mark of the Web" attribute means that the
executable is flagged as downloaded from an untrusted source (e.g. the
Internet). Code signature status behavior might depend on specific Policy
settings and Trusted Zones, and SmartScreen data may be used to allow
certificates with good reputation.

SHA-1 signed code time stamped by an RFC 3161 Time Stamp Authority before 1
January 2016 will be accepted until such time when Microsoft decides SHA-1
is vulnerable to pre-image attack.

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
01-13-2016, 01:46 AM
FYI: if you check the digital signature status of the file, it reports "This
digital signature is OK". But if you try to run the executable, it gives
the "Windows protected your PC" message. This is inconsistent and
confusing, IMO.

Friedrich

NewsArchive
01-13-2016, 02:12 AM
-- Microsoft Security Advisory 3123479 --

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate
Program (Published: January 12, 2016)

https://technet.microsoft.com/en-us/library/security/3123479

Microsoft has released a SHA-1 code sign deprecation change effective
January 1, 2016, focused on client activity that can only occur when a
customer downloads files from the Internet. This change is specific to a new
default setting for Windows and customers can override or augment the
default settings in their environment.

For customers running either Internet Explorer or Microsoft Edge who
download a SHA-1 signed file from the Internet that is timestamped and
released on January 1, 2016, or later, SmartScreen will mark the file as not
trusted. This status does not prevent customers from downloading the file or
running these browsers on their computers. But customers are warned of the
not trusted status of the file.

This change only affects Mark-of-the-Web (MOTW) files downloaded from the
Internet. Files timestamped before January 1, 2016, will continue to be
trusted. Drivers with signatures verified by Code Integrity are not affected
by this change. To conform to the latest requirements for driver signing,
see the Windows Hardware Certification blog.

NewsArchive
01-13-2016, 10:19 AM
> This is inconsistent and confusing, IMO.

Business as usual!

https://www.youtube.com/watch?v=slldMEPvUqA


:-)

Charles



--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.com - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
01-13-2016, 10:20 AM
Thanks for helping us to be ready for this :)

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
01-13-2016, 10:20 AM
Blame the messenger !!!!!! <g>

Jane Fleming

NewsArchive
01-13-2016, 10:23 AM
What is interesting is the fact that I have all my programs SHA256-signed with
a GoDaddy code signing cert, but customers still get warnings when
downloading or running programs on all OSes, XP to 10 and servers...

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

NewsArchive
01-14-2016, 01:32 AM
Friedrich,

The technet piece mentions "signed" after January 1. Doesn't seem to
specifically address the algorithm on the timestamp signature.

I did a little experiment with 4 files. All dual-signed. Two of the SHA-2
signatures have SHA-2 timestamp signatures, the other two have SHA-1.
Two of the files are unmanifested. Two requireAdministrator.

None of them seem to trigger warnings on Win 10 for me. Perhaps they're not
being sticklers yet about the timestamp signature security level?

http://www.beachbunnysoftware.com/misc/Sha1Time.exe
http://www.beachbunnysoftware.com/misc/Sha2Time.exe
http://www.beachbunnysoftware.com/misc/Sha1TimeAdmin.exe
http://www.beachbunnysoftware.com/misc/Sha2TimeAdmin.exe

jf

NewsArchive
01-14-2016, 01:34 AM
<g>

Jeff Slarve

NewsArchive
01-14-2016, 01:35 AM
kzendra,

> What is interesting is the fact that I have all my programs SHA256-signed
> with a GoDaddy code signing cert, but customers still get
> warnings when downloading or running programs on all OSes, XP to
> 10 and servers...

Files signed with a new code signing certificate need to build reputation,
you'll have to earn "trust". Reputation is generated and assigned to
digital certificates as well as specific files. But digital certificates
allow data to be aggregated and assigned to a single certificate rather than
many individual programs.

Friedrich

NewsArchive
01-14-2016, 01:36 AM
What is the point then of commercial certificates? If it's working like
that, I can generate my own cert and use it...

I've seen the topics about that in the last year, but I was buried in work
and did not have the time to read everything :-)

Kzendra


NewsArchive
01-14-2016, 07:11 AM
Hi Jane,

> The technet piece mentions "signed" after January 1. Doesn't seem to
> specifically address the algorithm on the timestamp signature.

Interesting test. As far as I know, the SHA-1 signature is completely
ignored on Windows 10, etc. if the files are dual code-signed. I think
that's why there are no warnings here because the SHA-2 signature is valid.

Friedrich
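Added example for the two points above (the MOTW plus timestamp rule in the opening post, and Jane's question about which digest algorithm the timestamp signature uses). This is a PowerShell script written for this thread, not code from the original posts or from SetupBuilder. It walks the PE certificate table itself so that it can list every signature, including the SHA-2 signature that dual signing nests inside the SHA-1 one (Get-AuthenticodeSignature only reports the primary signature). It assumes Windows PowerShell 5.1 or later on an NTFS volume and a local copy of the file; the genTime lookup inside the RFC 3161 token is a heuristic scan for the first GeneralizedTime rather than a full ASN.1 parse, and the Sha1PastCutoff column simply encodes the advisory's default rule (SHA-1 file signature, timestamp on or after 1 January 2016).

```powershell
# Added example for this thread, not code from the original posts or from SetupBuilder.
# Walks the PE certificate table and lists every Authenticode signature, including the
# SHA-2 signature that dual signing nests inside the SHA-1 one, with file digest,
# timestamp kind/digest/time, and whether the file carries a Mark of the Web.
# Assumes Windows PowerShell 5.1+ on NTFS; the genTime lookup is a heuristic, not full ASN.1.
Add-Type -AssemblyName System.Security
$OID_NESTED_SIGNATURE  = '1.3.6.1.4.1.311.2.4.1'   # szOID_NESTED_SIGNATURE
$OID_RFC3161_TIMESTAMP = '1.3.6.1.4.1.311.3.3.1'   # szOID_RFC3161_COUNTER_SIGN
$OID_SIGNING_TIME      = '1.2.840.113549.1.9.5'    # pkcs-9 signingTime (legacy countersignature)

function Get-AuthenticodeBlob {
    # Returns the PKCS#7 bytes from the PE security directory (data directory index 4).
    param([byte[]]$Bytes)
    $pe = [BitConverter]::ToInt32($Bytes, 0x3C)                  # e_lfanew
    if ($Bytes[$pe] -ne 0x50 -or $Bytes[$pe + 1] -ne 0x45) { throw "Not a PE file" }
    $opt   = $pe + 24                                             # optional header
    $magic = [BitConverter]::ToUInt16($Bytes, $opt)              # 0x10B PE32, 0x20B PE32+
    $dirs  = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $certOffset = [BitConverter]::ToInt32($Bytes, $dirs + 4 * 8) # a file offset, not an RVA
    $certSize   = [BitConverter]::ToInt32($Bytes, $dirs + 4 * 8 + 4)
    if ($certOffset -eq 0 -or $certSize -eq 0) { return $null }  # unsigned file
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $len  = [BitConverter]::ToInt32($Bytes, $certOffset)
    $blob = New-Object byte[] ($len - 8)
    [Array]::Copy($Bytes, $certOffset + 8, $blob, 0, $len - 8)
    return $blob
}

function Get-TimestampInfo {
    # RFC 3161 tokens sit in an unsigned attribute; the older Authenticode style is a
    # countersignature carrying a signingTime attribute. Either way, report the digest
    # algorithm the TSA signed with, which is the question Jane's experiment raised.
    param([System.Security.Cryptography.Pkcs.SignerInfo]$Signer)
    foreach ($attr in $Signer.UnsignedAttributes) {
        if ($attr.Oid.Value -ne $OID_RFC3161_TIMESTAMP) { continue }
        $tst = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $tst.Decode($attr.Values[0].RawData)
        $when = 'unknown'; $tstInfo = $tst.ContentInfo.Content
        for ($i = 0; $i -lt $tstInfo.Length - 2; $i++) {          # first GeneralizedTime (tag 0x18)
            if ($tstInfo[$i] -ne 0x18) { continue }
            $n = $tstInfo[$i + 1]
            if ($n -lt 15 -or $n -gt 30 -or $i + 2 + $n -gt $tstInfo.Length) { continue }
            $s = [Text.Encoding]::ASCII.GetString($tstInfo, $i + 2, $n)
            if ($s -match '^\d{14}(\.\d+)?Z$') { $when = $s; break }
        }
        return [pscustomobject]@{ Type = 'RFC3161'; Digest = $tst.SignerInfos[0].DigestAlgorithm.FriendlyName; Time = $when }
    }
    foreach ($cs in $Signer.CounterSignerInfos) {
        $when = 'unknown'
        foreach ($attr in $cs.SignedAttributes) {
            if ($attr.Oid.Value -ne $OID_SIGNING_TIME) { continue }
            $st = [System.Security.Cryptography.Pkcs.Pkcs9SigningTime]::new($attr.Values[0].RawData)
            $when = $st.SigningTime.ToUniversalTime().ToString('yyyyMMddHHmmss') + 'Z'
        }
        return [pscustomobject]@{ Type = 'Authenticode countersignature'; Digest = $cs.DigestAlgorithm.FriendlyName; Time = $when }
    }
    return [pscustomobject]@{ Type = 'none'; Digest = ''; Time = '' }
}

function Get-AllSignatures {
    param([string]$Path)
    $blob = Get-AuthenticodeBlob ([IO.File]::ReadAllBytes($Path))
    if (-not $blob) { return @() }
    $results = @()
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($blob)
    while ($queue.Count -gt 0) {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode([byte[]]$queue.Dequeue())
        foreach ($si in $cms.SignerInfos) {
            $ts = Get-TimestampInfo $si
            # The 2016 default rule: a SHA-1 file signature timestamped on or after 1 Jan 2016
            # is what SmartScreen flags on MOTW files. Fixed-width time strings compare as text.
            $pastCutoff = ($ts.Time -match '^\d{14}') -and ($ts.Time -ge '20160101000000Z')
            $results += [pscustomobject]@{
                Signer          = $si.Certificate.Subject
                FileDigest      = $si.DigestAlgorithm.FriendlyName
                Timestamp       = $ts.Type
                TimestampDigest = $ts.Digest
                TimestampTime   = $ts.Time
                Sha1PastCutoff  = ($si.DigestAlgorithm.FriendlyName -eq 'sha1') -and $pastCutoff
            }
            foreach ($attr in $si.UnsignedAttributes) {            # nested (dual) signatures
                if ($attr.Oid.Value -eq $OID_NESTED_SIGNATURE) {
                    foreach ($v in $attr.Values) { $queue.Enqueue($v.RawData) }
                }
            }
        }
    }
    return $results
}

# Mark of the Web is the Zone.Identifier alternate data stream; ZoneId=3 is the Internet zone.
$file = $args[0]
$motw = Get-Content -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
"Mark of the Web: " + $(if ($motw) { ($motw | Where-Object { $_ -like 'ZoneId=*' }) -join ',' } else { 'none' })
Get-AllSignatures $file | Format-Table -AutoSize
```

Run it as `.\Show-Signatures.ps1 .\Sha1Time.exe` (any file name works) once against a copy saved by the browser and once against a copy that you have unblocked or copied from a local share: the signature rows are identical, only the Mark of the Web line changes, which is exactly why the same file can show "This digital signature is OK" in the properties dialog and still trigger "Windows protected your PC" when run. For a dual-signed file the first row is the SHA-1 outer signature and the second row the nested SHA-2 one, each with its own timestamp token.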

NewsArchive
01-14-2016, 07:12 AM
BTW, here is the link to my test file (SHA-1 signed and timestamped on
January 05, 2016):

http://www.lindersoft.com/projects/sha-1old.exe

It triggers the warnings on Win 10.

Friedrich

NewsArchive
01-14-2016, 07:12 AM
kzendra,

> What is the point then of commercial certificates? If it's working like
> that, I can generate my own cert and use it...

No, you can't. Because there is no chain from a trusted root. Using your
own certificate will definitely cause a support nightmare (and you can't
earn reputation for it). You need a certificate from a trusted CA.

> I've seen the topics about that in the last year, but I was buried in work
> and did not have the time to read everything :-)

You only have to build a reputation for your new certificate (impossible
with a self-signed certificate).

Similar to this:

http://www.lindersoft.com/forums/showthread.php?46865-Need-Help-SetupBuilder-10-certificate-reputation-(screenshots-attached)

Friedrich
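The "no chain from a trusted root" point above is something you can check locally. The following is an added example written for this thread, not code from the original posts or from SetupBuilder: it asks Windows for the file's signature verdict and then builds the signer's certificate chain with the code-signing usage required, the way the Authenticode policy does. A file signed with a CA-issued certificate produces a chain ending in a root from the machine's trusted store; a file signed with a self-signed certificate builds no trusted chain and reports UntrustedRoot. It assumes Windows PowerShell 5.1 or later; revocation checking is switched off so the example runs offline.

```powershell
# Added example for this thread, not code from the original posts or from SetupBuilder.
# Shows the chain-to-trusted-root check behind the "you need a CA-issued certificate" advice.
# Assumes Windows PowerShell 5.1+; revocation checking is disabled so it runs offline.
function Test-SignerChain {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Signer = ''; Root = ''
                                  ChainBuilds = $false; ChainStatus = 'no signer certificate'; Depth = 0 }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Require the code signing EKU (id-kp-codeSigning, 1.3.6.1.5.5.7.3.3) along the chain.
    $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $builds = $chain.Build($sig.SignerCertificate)
    # ChainStatus is empty on success; a self-signed signer yields UntrustedRoot here.
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'NoError' }
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status        # Windows' own verdict: Valid, UnknownError, NotSigned, ...
        Signer      = $sig.SignerCertificate.Subject
        Root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        ChainBuilds = $builds
        ChainStatus = $status
        Depth       = $chain.ChainElements.Count
    }
}

$args | ForEach-Object { Test-SignerChain $_ } | Format-List
```

Pass one or more files on the command line. The Root field makes the difference visible at a glance: with a CA-issued certificate it names a public root, with a self-signed certificate it is the signer itself, and ChainBuilds is false. Note that a clean chain is only the entry ticket; SmartScreen reputation, discussed above, is a separate layer that a valid chain does not buy you.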

NewsArchive
01-14-2016, 07:13 AM
> No, you can't. Because there is no chain from a trusted root. Using your
> own certificate will definitely cause a support nightmare (and you can't
> earn reputation for it). You need a certificate from a trusted CA.
>

Needing to earn trust clashes with the term "trusted CA" :-)
If I need to earn reputation, that means I'm not trustworthy :-D

>
> You only have to build a reputation for your new certificate (impossible
> with a self-signed certificate).
>
> Similar to this:
>
> http://www.lindersoft.com/forums/showthread.php?46865-Need-Help-SetupBuilder-10-certificate-reputation-(screenshots-attached)
>
> Friedrich

Well, everything is signed with GoDaddy SHA256, I have 513 customers who
have downloaded the new version of my program package and 1500 more who have
downloaded the other 3 packages. That makes it 2000 downloads and I still get
the warnings...

Does the OS version change anything there? Lots of customers have XP...

Kzendra


NewsArchive
01-14-2016, 07:14 AM
> Need to earn the trust clashes with term "trusted CA" :-)
> If I need to earn reputation, that means I'm not trustworthy :-D

Remember, all this is a big money-making machine. Please don't take it
personally <g>

> Well, everything is signed with GoDaddy SHA256, I have 513 customers
> who have downloaded the new version of my program package and 1500 more
> who have downloaded the other 3 packages. That makes it 2000 downloads
> and I still get the warnings...
>
> Does the OS version change anything there? Lots of customers have XP...

Yes. Customers need an operating system that supports "SmartScreen".
SmartScreen Application Reputation technology was introduced in IE9. If an
application is NOT signed, the reputation is built per file. If an
application is code signed with a standard code signing certificate, the
reputation is built on the signer, allowing multiple downloads with the same
certificate.

Most anti-virus and anti-spyware systems make use of the SmartScreen data
pool.

BTW, let us assume you have 1000 downloads from XP users, then your
reputation level is ZERO <g>.

Friedrich

NewsArchive
01-14-2016, 07:34 AM
> Remember, all this is a big money-making machine. Please don't take it
> personally <g>
>

Noooo, not personal, it's about money :-)
Customers keep calling and wasting my time :-)

>
> Yes. Customers need an operating system that supports "SmartScreen".
> SmartScreen Application Reputation technology was introduced in IE9. If an
> application is NOT signed, the reputation is built per file. If an
> application is code signed with a standard code signing certificate, the
> reputation is built on the signer, allowing multiple downloads with the same
> certificate.
>
> Most anti-virus and anti-spyware systems make use of the SmartScreen data
> pool.
>
> BTW, let us assume you have 1000 downloads from XP users then your
> reputation level is ZERO <g>.
>
> Friedrich

Well, out of those 2000,
1000 are mostly Linux (Java based app), back office is usually Windows, but
OK. Hmmm, those are not signed.
Out of my 500, huh, there were lots of XP (there were lots of problems
with the need to install SP3 and .Net4 for the SHA256 signing used in the program).
Another issue with that: lots of downloading is done directly via the program
update service (NetTalk) and not the browser. That does not count?


What about running the program on the customer's PC, when the user clicks
because he wants to run the program?

Kzendra


NewsArchive
01-14-2016, 09:24 AM
Hi kzendra,

> Noooo, not personal, it's about money :-)
> Customers keep calling and wasting my time :-)

:-)

> Well, out of those 2000,
> 1000 are mostly Linux (Java based app), back office is usually Windows, but
> OK. Hmmm, those are not signed.
> Out of my 500, huh, there were lots of XP (there were lots of problems
> with the need to install SP3 and .Net4 for the SHA256 signing used in the program).
> Another issue with that: lots of downloading is done directly via the program
> update service (NetTalk) and not the browser. That does not count?

No, this does not count because SmartScreen is not involved in this case.

> What about running the program at cusstomer PC, when users clicks he wants
> to run the program?

Running the program makes use of the SmartScreen data, but does not help to
"build" a reputation.

That's why we love the computer business, right? <g>

Friedrich

NewsArchive
01-15-2016, 02:54 AM
Damn, so all the effort I have made to make customers' lives easier made my
life harder? :-)

OK, next week, I'll place exe that says thank you to everyone that
downloads it and place it here :-)

Kzendra


NewsArchive
01-15-2016, 02:55 AM
Hi Friedrich,

> Here we go. Windows 10 installed a security patch this morning. I have
> downloaded my test executable, code-signed with my old SHA-1 certificate on
> January 05, 2016.

What happens if it's dual code signed? Does it pick up the SHA-2 or
does it bail because it has SHA-1 also?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 02:55 AM
Hi Arnor,

>> Here we go. Windows 10 installed a security patch this morning. I have
>> downloaded my test executable, code-signed with my old SHA-1 certificate
>> on January 05, 2016.
>
> What happens if it's dual code signed? Does it pick up the SHA-2 or does
> it bail because it has SHA-1 also?

On Windows 10 (and other operating systems that fully support SHA-2) it will
simply "skip" the SHA-1 signature part.

Friedrich

NewsArchive
01-15-2016, 02:58 AM
Hi Friedrich,

> Files signed with a new code signing certificate need to build
> reputation, you'll have to earn "trust". Reputation is generated and

Which has to be "earned" every time you get a new certificate, right?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 02:59 AM
Hi Arnor,

>> Files signed with a new code signing certificate need to build
>> reputation, you'll have to earn "trust". Reputation is generated
>> and
>
> Which has to be "earned" every time you get a new certificate, right?

Yes, that is correct. But there is a potential solution available <g>.
Microsoft introduced EV Code Signing. Extended Validation (EV) Code Signing
is a new money making machine (sorry, I mean code signing method) that is
supported by Windows 8+ and Internet Explorer V9+ and allows establishing
reputation more quickly. Cool, eh? No, not at all <g>. The bad news is
that EV code signing certificates are only issued by two certificate
authorities: Symantec and DigiCert. Of course, an EV code signing
certificate costs a "little" bit more than a traditional certificate.
Symantec charges only US$995.00 for a 1 year EV code signing certificate,
US$1,790.00 for 2 years and US$2,585.00 for 3 years. And it comes with a
special hardware device (dongle, usb, etc.).

Of course, SetupBuilder supports EV Code Signing (it was a hell of a job to
add it).

Friedrich

NewsArchive
01-15-2016, 03:00 AM
Hi Kzendra,

> Noooo, not personal, it's about money :-)

And a LOT of it!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 03:00 AM
:-)

Kzendra


NewsArchive
01-15-2016, 11:43 AM
>> Need to earn the trust clashes with term "trusted CA" :-)
>> If I need to earn reputation, that means I'm not trustworthy :-D
>
> Remember, all this is a big money-making machine. Please don't take it
> personal <g>
Call it a protection racket! Especially if there's no 'real' gain for my
customers..

Thomas Glomb

NewsArchive
01-15-2016, 11:44 AM
Friedrich,

> Symantec charges only US$995.00 for a 1 year EV code signing certificate,
> US$1,790.00 for 2 years and US$2,585.00 for 3 years. And it comes with a
> special hardware device (dongle, usb, etc.).

I'll stay with the lower cost and minimal reputation.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
01-15-2016, 11:45 AM
Hi Friedrich,

> US$1,790.00 for 2 years and US$2,585.00 for 3 years. And it comes with a
> special hardware device (dongle, usb, etc.).
>
> Of course, SetupBuilder supports EV Code Signing (it was a hell of a job to
> add it).

Yeah, there had to be something like that coming;) I wonder how many
billions of dollars are spent on this nonsense every year for what I'd
say has been (maybe it's changing) very little (if any) actual value for
consumers and developers.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-18-2016, 02:13 AM
With prices like that, I would stay unsigned :-)

Kzendra
