SB SHA-2 on Windows 2008 R2 Server



NewsArchive
01-14-2016, 07:15 AM
I am helping a company set up for code signing with their new
certificate using the latest SB. Their certificate was just issued and
appears to be dual code signed.

The install scripts being used are ones that have been used for a long
time but with an older SHA-1 certificate. I have updated the scripts
by adding:

#pragma CODESIGN_SHA = "12"
#pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

Also have changed the Time Stamp URL both in the General tab and each
individual call to code signing an exe to
http://timestamp.globalsign.com/?signature=sha2

However when it is run on a Windows 2008 R2 Server (via RDS), the
SHA-1 code sign works fine but then it fails on the SHA-2 with code
"1".

To test the scripts, I installed the trial version of SB onto my
Toshiba laptop which is running Windows 10. Then copied the files
including the SignTool.exe (6.2.9200.16384) to the laptop. Running it
on the laptop everything signs fine.

So there is something about the Win 2008 environment, but what? Any
suggestions on what I can look for?


Barton Whisler
(retired<g>)

NewsArchive
01-14-2016, 07:16 AM
Barton,

> So there is something about the Win 2008 environment, but what? Any
> suggestions on what I can look for?

You need Windows 8.0 or later to handle "dual" code-signing. Even Windows
8.0 does not work rock solid. I would suggest to use Windows 8.1 or Windows
10.

Friedrich

NewsArchive
01-14-2016, 07:16 AM
So that is why it would not work<bg>. Shall I assume that code signing
just SHA-2 only will also not work (at least did not seem to work for
me)?

Barton

NewsArchive
01-14-2016, 09:23 AM
Hi Barton,

> So that is why it would not work<bg>. Shall I assume that code signing
> just SHA-2 only will also not work (at least did not seem to work for
> me)?

You need a very specific patch level on Windows 7 and Server 2008 R2:

https://technet.microsoft.com/en-us/library/security/3033929.aspx

But no guarantee that it really works <g>. We switched the code-signing
environment to Windows 10.

Friedrich

NewsArchive
01-15-2016, 02:25 AM
Thanks for the link. The computer appears to already have that update
installed but did not work earlier, so will go back and try again. If
not, I have an alternate plan for them.

Thanks for your help!

Barton