I installed my new sha-2 certificate, but when I look at my file properties,
I still see sha-1
What else must I do to sign sha-2?

Dan

Dan Scott,

> I installed my new sha-2 certificate, but when I look at my file properties,
> I still see sha-1
> What else must I do to sign sha-2?

You may need a newer version of signtool. I installed the Windows 8.1
SDK in my Win7/64 VM, it works fine for dual signatures; SHA-1/SHA-2.

I used the link Arnor posted on the 4th.

https://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

Subject: Re: How to use SignTool
From: Arnor Baldvinsson Date: 4 Jan 2016 18:43:01 -0500


Use the x86 version of signtool and also use these in your script...

> #pragma CODESIGN_SHA = "12"
> #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"


--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

Look at this whole thread, including Barton's settings and pragmas

Xref: discuss.softvelocity.com
softvelocity.clarion.addons.setupbuilder:33054
From: Barton Whisler
Newsgroups: softvelocity.clarion.addons.setupbuilder
Subject: SB SHA-2 on Windows 2008 R2 Server
Date: 14 Jan 2016 05:10:00 -0500

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

Thanks Guys, I will give it all a go

Dan Scott

Dan,

> I installed my new sha-2 certificate, but when I look at my file
> properties, I still see sha-1
> What else must I do to sign sha-2?

If you have to support both "new" and "old" Windows operating systems, I
would suggest to do "dual" code-signing:

http://www.lindersoft.com/forums/showthread.php?46908-SB10-Tips-amp-Tricks-1-Dual-SHA-1-SHA-2-code-signing

Friedrich

Hi Dan,

> I installed my new sha-2 certificate, but when I look at my file
> properties, I still see sha-1
> What else must I do to sign sha-2?

Make sure you set the pragmas. See
http://www.icetips.com/showarticle.php?articleid=1566&productID=0

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor -

You might want to include this tidbit about the OS of the signing
machine, as posted by Friedrich on Jan 14:

<Friedrich>

You need Windows 8.0 or later to handle "dual" code-signing. Even
Windows
8.0 does not work rock solid. I would suggest to use Windows 8.1 or
Windows
10.

</Friedrich>

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

Jeff,

> You might want to include this tidbit about the OS of the signing
> machine, as posted by Friedrich on Jan 14:

Just as long as it's mentioned that you can still use Win7 as long as
you use a newer SDK. I installed Win 8.1 SDK on my Win7/64 and it
works without any problems at all.


I'll keep using Win7 until they pry it from my cold, dead hands!<g>




Ok, maybe not THAT long!

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

> Make sure you set the pragmas. See
> http://www.icetips.com/showarticle.php?articleid=1566&productID=0

Great link, thanks !!!

Friedrich

Hi Lee,

> Just as long as it's mentioned that you can still use Win7 as long as
> you use a newer SDK. I installed Win 8.1 SDK on my Win7/64 and it
> works without any problems at all.

I'm also using Win7, but according to F. Win7 will NOT work with code
signing if you use an update that was posted this summer/fall. So I'm
not updating mine until I'm comfortable with W10. I'm not yet.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Arnor,

> I'm also using Win7, but according to F. Win7 will NOT work with code
> signing if you use an update that was posted this summer/fall.

Last update I did was 8/13/2015. Wonder which update causes problems?

> until I'm comfortable with W10. I'm not yet.

Neither am I!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

Hi Jeff,

> You might want to include this tidbit about the OS of the signing
> machine, as posted by Friedrich on Jan 14:
Done

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Lee,

> Last update I did was 8/13/2015. Wonder which update causes problems?

Friedrich posted it on one of the threads here, but I can't find it ATM.

Found it:

From: "Friedrich Linder"
Newsgroups: softvelocity.clarion.addons.setupbuilder
Subject: Re: Betr:Re: Using the new SHA-2 certificates on an old XP development machine - possible?
Date: 17 Dec 2015 03:17:00 -0500

"
Yes, it worked fine here on Windows 7 SP1, but stopped working end of
September (I tried the Win 8.1 and Win 10 SDK). Just checked it: from
September 2015 - today we have received exactly 167 technical support
requests for dual code-signing on Windows 7. Microsoft told me that it is
not safe to use Windows 7 for dual code-signing."

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Arnor,

> Microsoft told me that it is not safe to use Windows 7 for dual code-signing."

Of course not, they NEED everyone to upgrade!!!<g>


MS is really getting fed up with Win7 still hogging the user base and
that's no joke. Of course there's a reason for it, Win7 is a rock
solid OS that hasn't left corporate business wanting or needing to
retrain its users.

I've got 8, 8.1, 8.1 update 1 and several 10 VM's but I'm still using
Win7 as my host and the desktop I prefer for development. More than
likely it will continue that way for a few more years or until I
upgrade to a CPU that no longer supports it...

<http://arstechnica.com/information-technology/2016/01/skylake-users-given-18-months-to-upgrade-to-windows-10/>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

Thanks Friedrich,

Does it matter that the Clarion dlls are still only SHA1 ?

Liam

Liam,

> Thanks Friedrich,
>
> Does it matter that the Clarion dlls are still only SHA1 ?

IMO, not a problem at the moment (but this might change later this year for
DLLs signed after 1 January 2016). Windows stopped accepting SHA-1 signed
code and SHA-1 certificates that are time stamped after 1 January 2016 and
have a "Mark of the Web" attribute. A "Mark of the Web" attribute means
that the executable is flagged as downloaded from an untrusted source (e.g.
the Internet). 99.99999999+% of the deployed Clarion DLLs do not have a
"Mark of the Web" attribute set. And the current DLLs are signed before 1
January 2016. So we should be safe...

Friedrich