Again.... SHA-1



NewsArchive
01-14-2016, 09:25 AM
Okay, more and more SHA-1 support requests are rolling in :-(

If you are affected by the SHA-1 deprecation:
http://www.lindersoft.com/forums/showthread.php?46846
http://www.lindersoft.com/forums/showthread.php?46908

First warnings (May 2014):
http://www.lindersoft.com/forums/showthread.php?43220
http://www.lindersoft.com/forums/showthread.php?43214

-- What do you need to handle "dual" SHA-1/SHA-2 code-signing?

1. SetupBuilder 10.

2. Windows 8.1 or Windows 10 (it is not recommended to use Windows 8).

3. SignTool.exe version 6.2.9200.16384 or later.

4. SHA-2 based code-signing certificate. Note: If you requested a Comodo
code-signing certificate after 22nd September 2014 (which expires after
2015) then you already have a SHA-2 certificate.

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
01-15-2016, 02:45 AM
Why didn't ANYONE see this coming ????? !!!!! <g>

Jane Fleming

NewsArchive
01-15-2016, 02:46 AM
Hi Friedrich,

Do you know if reputation is getting reset for the certificate signed with
sha256?
I have a client that is getting the ugly warning on download of their
installer. Either dual-code signed or just signed with sha256.
Older installers signed before Jan 1, don't have a reputation issue.

I believe Windows thinks it is OK because if you download with Firefox and
run there are no warnings at all.

Any thoughts on if this is reputation related would be appreciated.

Thanks,
Rick

NewsArchive
01-15-2016, 02:46 AM
> I believe windows thinks it is OK because if you download with firefox and
> run there are no warnings at all.
>

This turns out not to be true. Windows still warns you that the file is
dangerous if you download it with Firefox.

Rick

NewsArchive
01-15-2016, 03:03 AM
Rick,

> This turns out not to be true. Windows still warns you that the file is
> dangerous if you download it with firefox.

As far as I know, Firefox does not use SmartScreen technology from
Microsoft. Windows itself, yes. Because both systems complain, it's very
well possible that this client does not have an up-to-date revocation list.
If other users (with Firefox) do not see this warning on the same file, then
it's his specific machine. If other users get the same warning then it's
1.) a reputation level issue -or- 2.) a corrupt upload/download (assuming
that the file is correctly code-signed).

Friedrich

NewsArchive
01-15-2016, 08:58 AM
>
> Why didn't ANYONE see this coming ????? !!!!! <g>
>

<g> ;-)

Friedrich

NewsArchive
01-19-2016, 02:33 AM
Still 80+ support requests per day. Quite a few developers did not replace
their old SHA-1 based certificate with a SHA-2 version :-( You can't use a
SHA-1 certificate to create a SHA-2 or dual SHA-1/SHA-2 signature. You need
a SHA-2 based certificate!

If you would like to support modern Windows operating systems and legacy
Windows operating systems (XP, Vista, Windows 7, Server 200x) then use the
SHA-1/SHA-2(SHA256) signing method (and separate SHA-1/SHA-2 timestamping).
SetupBuilder 10 can handle it for you! SetupBuilder 8.5 does not support
it!

Friedrich
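The dual SHA-1/SHA-2 signing with separate SHA-1/SHA-2 timestamps described above (and the SignTool/certificate prerequisites listed at the top of the thread), spelled out as an added example of the raw SignTool calls. This is not code from the original post and not SetupBuilder's own signing logic; it assumes the SHA-2 code-signing certificate sits in the CurrentUser\My store and is selected by thumbprint ($Thumbprint is a placeholder), that $SignTool points at the x86 SignTool.exe from the Windows 8.1/10 SDK, and that the RFC 3161 timestamp URL is a Comodo endpoint (only the SHA-1 Authenticode URL http://timestamp.comodoca.com/authenticode appears in the thread).

```powershell
# Added example (not from the original post, not SetupBuilder code):
# dual SHA-1 + SHA-256 Authenticode signing with SignTool, each signature with
# its own timestamp, followed by verification of *all* signatures in the file.

$SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'  # assumed SDK 10 install path
$Thumbprint = '0000000000000000000000000000000000000000'                     # placeholder: thumbprint of the SHA-2 cert
$Files      = @('.\setup.exe', '.\myapp.exe', '.\mylib.dll')                 # placeholder file list

$TsSha1    = 'http://timestamp.comodoca.com/authenticode'  # from the thread: legacy Authenticode (SHA-1) timestamp
$TsRfc3161 = 'http://timestamp.comodoca.com/rfc3161'       # assumed RFC 3161 endpoint for the SHA-256 timestamp

function Invoke-DualSign {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Primary signature: SHA-1 file digest (/fd sha1) with a SHA-1 Authenticode
    #    timestamp (/t). It must come first: legacy Windows versions only look at the
    #    first signature in the file, so a SHA-256 primary signature would be unreadable there.
    & $SignTool sign /sha1 $Thumbprint /fd sha1 /t $TsSha1 /v $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed for $Path" }

    # 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp (/tr)
    #    whose own digest is SHA-256 (/td). Without /as this call would *replace*
    #    the SHA-1 signature instead of adding a second one.
    & $SignTool sign /sha1 $Thumbprint /fd sha256 /tr $TsRfc3161 /td sha256 /as /v $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed for $Path" }

    # 3. Verify every signature, not just the primary one (/all), against the
    #    default Authenticode policy (/pa). Both must report a valid timestamp.
    & $SignTool verify /pa /all /v $Path
    if ($LASTEXITCODE -ne 0) { throw "verification failed for $Path" }
}

foreach ($f in $Files) { Invoke-DualSign -Path $f }
```

Selecting the certificate by thumbprint (/sha1) instead of passing a .pfx and its password on the command line keeps the private key in the store and out of shell history and build logs. Note that /sha1 here names the certificate, while /fd and /td name the digest algorithms; the three switches are unrelated despite the similar spelling.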

NewsArchive
01-19-2016, 02:33 AM
Well I was supporting those OSes...... ;-(

So is my "old" certificate that I bought for multi-year now worthless?

I don't see where to buy the SHA2 certificate anywhere in these posts....

Paul MacFarlane

NewsArchive
01-19-2016, 02:37 AM
I don't mean to be "snarky" here but......

Today is the 1st day I am aware of this.
I don't study the newsgroups lately and rarely visit the setupbuilder
forums - only when I have a problem.

I've been a SB customer since sfx or whatever the 1st product was.
I bought my certificate through you.....

For the life of me I can't find in any of the emails I receive from you
any discussion of this.
No emails saying "IMPORTANT", "YOUR Certificate will stop working".....
Sure there are new version announcements

Now I'm in the middle of my busy season and I have a few (not many yet)
customers getting the invalid notice.
and my 3 year certificate I bought 10/2013 is basically worthless too......

So if I understand this mess I need to:
Install SBv10 - done
Get the latest SignTool (I've spent 4 hours trying to get the SDK to
install - keeps failing then the Microsoft site went dark)
(downloading yet a different ISO - hopefully that'll work)
Get a NEW SHA2 certificate
rebuild my installs

I'll lose 2 days over this...... and it will NOT make the world a better
place or make my software better.

Paul MacFarlane

NewsArchive
01-19-2016, 02:38 AM
Paul,

> I don't mean to be "snarky" here but......
>
> Today is the 1st day I am aware of this.

Are you serious? ;-) Microsoft published warnings again and again, for more
than three years !!! SHA-1 Deprecation was one of the top stories in Q4
2015 for software developers.

There are tons of Microsoft Security Advisories in TechNet. For example:
https://technet.microsoft.com/en-us/library/security/2880823.aspx

There is even a Microsoft SHA-1 Deprecation Policy (published a few years
ago, updated on a regular basis).
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Then there are literally millions of blog threads and articles in magazines.

For example:
https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html
http://www.scmagazine.com/microsoft-plans-upgrade-to-sha-2-crypto-hash-for-issuing-certs/article/321009/

> I don't study the newsgroups lately and rarely visit the setupbuilder
> forums - only when I have a problem.

This has *absolutely* nothing to do with SetupBuilder or newsgroups. The
SHA-1 deprecation is a permanent change for Windows developers! Clarion,
Visual Studio, Delphi, WinDev, C/C++, Pascal, etc. And then the SHA-1
deprecation in web browsers, Internet Explorer, Chrome, Firefox, etc.

> I've been a SB customer since sfx or whatever the 1st product was.
> I bought my certificate through you.....

I think you bought it directly from Comodo and your SetupBuilder license
entitled you for a $300 discount (3yr for $200 instead of $500).

> For the life of me I can't find in any of the emails I receive from you
> any discussion of this.
> No emails saying "IMPORTANT", "YOUR Certificate will stop working".....
> Sure there are new version annoucements

We do not even know that you own a code-signing certificate. You purchased
it from Comodo. Comodo would never ever share any customer information with
any 3rd-party. We pay additional fees for your order on an anonymous basis.

By the way, we are developers of an installation system for Windows.
Neither Microsoft nor Comodo or SoftVelocity sent us an email saying
"IMPORTANT", "YOUR Certificate will stop working". I have invested hundreds
of hours to learn how to support SHA-2 and "dual" SHA-1/SHA-2 and to make
the new technology a built-in feature in SetupBuilder 10. Then countless
hours to SHARE my knowledge in our forums so our customers don't have to
reinvent the wheel.

There are more than 300 (!) SHA-2-related messages in our forums. First
"warnings" from May 2014.

http://www.lindersoft.com/forums/showthread.php?43220
http://www.lindersoft.com/forums/showthread.php?43214

> Now I'm in the middle of my busy season and I have a few (not many yet)
> customers getting the invalid notice.
> and my 3 year certificate I bought 10/2013 is basically worthless
> too......

Question: who is to blame for this?

> So if I understand this mess I need to:
> Install SBv10 - done

Yes, SetupBuilder 10 introduced support for SHA-1/SHA-2. All of our own
files are dual code-signed in SB10. The compiler supports SHA-1, SHA-2 and
SHA-1/SHA-2 signing.

> Get the latest SignTool (I've spent 4 hours trying to get the SDK to
> install - keeps failing then the Microsoft site when dark)
> (downloading yet a different ISO - hopefull that'll work)

I would suggest using SignTool from the SDK 8.1 or 10.0. And please note
that you need Windows 8.1 (or better Windows 10) for rock solid SHA-1/SHA-2
code-signing.

> Get a NEW SHA2 certificate

Yes, you can re-issue your current certificate with SHA-2. So the three
year certificate you bought 10/2013 is not really worthless. But of course,
you have to re-build your reputation and trust level (and again in 10/2016
when your current certificate expires).

>
> rebuild my installs
>

Not only your installs! Don't forget to recompile *all* your DLLs and EXEs
and after that "dual" code-sign them! But before doing this, add a Windows
10 manifest ("asInvoker") to all your EXE files that run non-elevated by
default.

> I'll lose 2 days over this...... and it will NOT make the world a better
> place or make my software better.

I am sure you'll lose more than two days. Only the recompile and re-test of
our system files took more than 10 days.

Friedrich


NewsArchive
01-19-2016, 02:41 AM
Anyone know where to get Signtool?

I've tried the web install of the Windows SDK..... and the ISO version....
http://blogs.msdn.com/b/windowssdk/archive/2009/08/07/released-windows-sdk-for-windows-7-and-net-framework-3-5-sp1.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=18950

Keep getting a failed install....

Paul MacFarlane

NewsArchive
01-19-2016, 02:41 AM
Paul,

> Anyone know where to get Signtool?

You'll need a newer version. I installed the Windows 8.1 SDK on my
Win7/64 VM and it works fine for dual signatures; SHA-1/SHA-2.

I used the link Arnor posted on the 4th.

https://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

Subject: Re: How to use SignTool
From: Arnor Baldvinsson
Date: 4 Jan 2016 18:43:01 -0500

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices

http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
01-19-2016, 02:46 AM
If you have Visual Studio installed, it is an optional install of that package - too.

Liam

NewsArchive
01-19-2016, 02:48 AM
So that kit worked. Which version of signtool do we use? x64 or x86 (I
suspect x86)

Paul MacFarlane

NewsArchive
01-19-2016, 02:49 AM
Paul,

> So that kit worked. Which version of signtool do we use? x64 or x86 (I
> suspect x86)

Yep, x86

And use these in your script...

> #pragma CODESIGN_SHA = "12"
> #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

--
Lee White

NewsArchive
01-19-2016, 02:50 AM
Seem to have it working now. Got both SHA1 and SHA256 certificates in
my setup and EXEs.....

What's confusing here is I was under the impression I needed a new
certificate - so I ordered one (still waiting for it).....
but the signing worked with the old one... so I spent $200 now instead
of next year....

Just adding to the confusion....

Paul MacFarlane

NewsArchive
01-19-2016, 03:13 AM
> Seem to have it working now. Got both SHA1 and SHA256 certificates in
> my setup and EXE's.....
>
> What's confusing here is I was under the impression I needed a new
> certificate - so I ordered one (still waiting for it).....
> but the signing worked with the old one... so I spent $200 now instead
> of next year....
>
> Just adding to the confusion....

It has to look like this (see attached screenshots)

SHA-1 signature with SHA-1 timestamp

-and-

SHA-2 (256) signature with SHA-2 (256) timestamp

If you get this then you already requested a SHA-2 certificate in the past.

Friedrich

NewsArchive
01-19-2016, 03:18 AM
Yeah - looks like I've got to wait for the new cert.....

It appears to sign and shows 2 certificates, but when you go to the
details of SHA256 it says SHA1RSA

I bought a 3 year cert in 10/2013 so it's not SHA2.

I've ordered another - waiting for Comodo now......

Paul MacFarlane
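The situation Paul describes above (dual signing "works", but the certificate details show SHA1RSA) is the case Friedrich's earlier reply covers: the file digest algorithm chosen at signing time (/fd sha256) and the algorithm the CA used to sign the certificate itself (sha1RSA vs sha256RSA) are two different things, and the latter is fixed at issuance and only changes when the certificate is re-issued. The following added example, not from the original post and not SetupBuilder code, lists the code-signing certificates in the personal store and flags the ones that are still sha1RSA so this can be checked before ordering or signing. It assumes the Windows PowerShell Cert: drive and that the certificates carry the code-signing EKU (1.3.6.1.5.5.7.3.3); $StorePath is a placeholder default.

```powershell
# Added example (not from the original post): which of my code-signing
# certificates were issued with SHA-1 (sha1RSA) and which with SHA-2 (sha256RSA)?

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-CodeSigningCertStatus {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # placeholder default store

    Get-ChildItem -Path $StorePath |
        Where-Object {
            # keep only certs we can sign with: private key present + code-signing EKU
            $_.HasPrivateKey -and
            ($_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $CodeSigningEku })
        } |
        ForEach-Object {
            # SignatureAlgorithm is the algorithm the *CA* used to sign this certificate,
            # e.g. "sha1RSA" or "sha256RSA"; it is not affected by /fd at signing time.
            $alg = $_.SignatureAlgorithm.FriendlyName
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint      # value to pass to signtool /sha1
                SigAlgorithm  = $alg
                NotAfter      = $_.NotAfter
                UsableForSha2 = ($alg -notlike 'sha1*')
            }
        }
}

Get-CodeSigningCertStatus | Format-Table -AutoSize

# The same check for a .cer/.pfx received from the CA before importing it:
#   (Get-PfxCertificate -FilePath .\newcert.cer).SignatureAlgorithm.FriendlyName
```

A row with UsableForSha2 = False is a certificate that will produce exactly the symptom in the post: SignTool accepts /fd sha256 and appends a second signature, but the signature's certificate details still read sha1RSA, and the timestamped SHA-1 chain is what Windows evaluates against the deprecation policy.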

NewsArchive
01-19-2016, 03:19 AM
Friedrich,

Yes, I'm serious. I don't read blogs - no time.

The evidence is in your 1st post in this thread.....
"Okay, more and more support SHA-1 requests are rolling in "

Clearly many of your customers are out of touch....

Maybe its a top issue for the developers doing distribution and
security, but those roles for me are "because I have to".....
Kind of like documentation!

Paul

NewsArchive
01-19-2016, 03:20 AM
Paul,

>
> Yes, I serious. I don't read blogs - no time.
>

Hmmmm....

> The evidence is in your 1st post in this thread.....
> "Okay, more and more support SHA-1 requests are rolling in "
>
> Clearly many of your customers are out of touch....

No, this is only a small percentage of our overall number of customers. But
it takes time and resources to answer the NON-SetupBuilder related support
questions!

> Maybe its a top issue for the developers doing distribution and security,
> but those roles for me are "because I have to".....
> Kind of like documentation!

Sorry, but it has nothing to do with software distribution per-se. It's
about software development and following the Microsoft Windows development
guidelines!

I'd say I spend about 20% of my time learning new things and keeping up to date
with new technologies and changes in Windows (reading MSDN, Technet, Blogs,
articles, magazines, etc.). I don't have time either! But I shared my
SHA-2 knowledge for FREE here and on our forum. IMO, it's not fair to ask
"Where are my emails saying "IMPORTANT", "YOUR Certificate will stop
working"... It has a demoralizing effect and it takes the fun out of what
we do.

I don't know what kind of development tools our customers are using, what
kind of Windows operating system, and whether they are using a code-signing
certificate (or type of certificate).

SHA-1 Deprecation was a Microsoft decision. And they did not send me an
email to let me know that January 12, 2016 was SHA-1 "switch-off" day.
There is not any forum on the Internet that provides more information with
regard to SHA-1 Deprecation and SHA-2 signing than the SetupBuilder one.

And I said again and again (not my job!): "Develop a migration plan soon."

http://www.lindersoft.com/forums/showthread.php?46869-Re-compile-and-re-code-sign-files-SHA-1-switch-off-day

--
Friedrich Linder

NewsArchive
01-20-2016, 02:00 AM
Hi Friedrich,

> Sorry, but it has nothing to do with software distribution per-se. It's
> about software development and following the Microsoft Windows development
> guidelines!

In my experience most developers seem to work hard to do their best to
ignore those guidelines <g> Even MS hasn't been all too good about
following their own standards and guidelines.

> SHA-2 knowledge for FREE here and on our forum. IMO, it's not fair to ask
> "Where are my emails saying "IMPORTANT", "YOUR Certificate will stop
> working"... It has a demoralizing effect and it takes the fun out of what
> we do.

Sometimes you do stick technical tidbits into your emails, but I
agree it's not a fair request and it's not your job. However, my
friend, you have spoiled us all - we expect you and SB to take care of
all this nonsense automatically and without us having to do anything.
That's what we are used to ;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC