SB10 Tips & Tricks #4: Dual code-signing in SetupBuilder 10 Build 5074 and later



NewsArchive
04-08-2016, 02:53 AM
-- SB10 Tips & Tricks #4: Dual code-signing in SetupBuilder 10 Build 5074
and later

Background: Organizations need to develop a migration plan for SHA-1 code
signing certificates that expire after January 1, 2016. To support older
Windows operating systems (e.g. Windows XP, Vista, early Windows 7 versions)
and modern Windows systems (Windows 8.x and later) after 1 January 2016, you
have to dual SHA-1/SHA-2 code-sign all your application files and setups
using Microsoft Authenticode compatible time stamp and RFC 3161 compliant
trusted time stamp servers (a SHA-2 based code-signing certificate is
required).

SHA-2 (SHA-256) was created by the National Institute of Standards and
Technology (NIST) to replace SHA-1 after mathematical weaknesses were
discovered in the algorithm. For the past few years, network security
experts have warned that certificates using the SHA-1 hashing algorithm will
soon be in danger of being hacked due to consistent advancements in
computing technology.

-- How to handle code-signing in SetupBuilder 10 Build 5074 and later?

There is a new "Code-Signing" tab in the SetupBuilder 10 IDE Options (see
attached screenshots). It lets you specify your PFX file, the PFX password,
and the SHA-1 and SHA-2 timestamp servers.

You can use the new "Global SHA-1 only", "Global SHA-2 only" and "Global
SHA-1 & SHA-2 dual" options to make your life easier. The compiler will
automatically use the code-signing configuration from the "global" IDE
option.

For example: you have an old project with "#code-sign application..."
directives and you would like to switch from SHA-1 to dual SHA-1/SHA-2
signing. You simply select the "Global SHA-1 & SHA-2 dual" IDE option and
compile. That's it. No need to change anything in your project. The
global code-signing configuration always "wins" over the local project
configuration.

Or you would like to use dual SHA-1/SHA-2 signing for all your new projects.
If the "Global SHA-1 & SHA-2 dual" IDE option is selected then the project
will automatically use the "global" code-sign configuration for dual
code-signing.

But if you still need the flexibility to handle code-signing on a
per-project basis via #pragma CODESIGN_SHA, select the (default) "Use local
code-signing configuration from project" option and the global configuration
feature is disabled.

See:
http://www.lindersoft.com/forums/showthread.php?46908

To use a SHA-2 based code-signing certificate for dual SHA-1/SHA-2 signing
you need:

1. SetupBuilder 10.

2. Windows 8.x or Windows 10.

3. SignTool.exe version 6.2.9200.16384 or later.

You can use the 'Help' > 'Get Microsoft SignTool' menu bar option to
download and install SignTool 10.0.10240.16384 directly from the Microsoft
server.

4. Microsoft CAPICOM installed and registered.

You can use the following tool to install CAPICOM:
http://www.lindersoft.com/forums/showthread.php?29427-Problem-compiling&p=53010#post53010

Happy code-signing!

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
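
Added example, not part of the original post and not SetupBuilder's own code: dual SHA-1/SHA-2 signing done by hand with SignTool, followed by verification of every signature in the file. It assumes SignTool is called directly rather than through the SetupBuilder IDE; all paths and timestamp URLs are placeholders.

```powershell
# Added example. Paths and URLs are placeholders (assumptions), not values from the post.
$SignTool = 'C:\path\to\signtool.exe'
$Pfx      = 'C:\path\to\codesign.pfx'
$Target   = 'C:\path\to\setup.exe'
$Sha1Tsa  = 'http://AUTHENTICODE-TIMESTAMP-URL'   # Authenticode-compatible timestamp server
$Sha2Tsa  = 'http://RFC3161-TIMESTAMP-URL'        # RFC 3161 compliant timestamp server

# Requirement 3 in the post: SignTool 6.2.9200.16384 or later.
$vi  = (Get-Item $SignTool).VersionInfo
$ver = [Version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
if ($ver -lt [Version]'6.2.9200.16384') {
    throw "SignTool $ver is too old for dual signing"
}

# Prompt for the PFX password so it is not stored in the script.
# Note: /p still places it on the SignTool command line for the life of that process.
$sec = Read-Host -AsSecureString 'PFX password'
$pw  = (New-Object System.Net.NetworkCredential('', $sec)).Password

# 1) Primary signature: SHA-1 file digest, Authenticode timestamp (/t).
& $SignTool sign /f $Pfx /p $pw /fd sha1 /t $Sha1Tsa $Target
if ($LASTEXITCODE -ne 0) { throw 'SHA-1 signing failed' }

# 2) Appended signature (/as): SHA-256 file digest, RFC 3161 timestamp (/tr)
#    with a SHA-256 timestamp digest (/td).
& $SignTool sign /f $Pfx /p $pw /as /fd sha256 /tr $Sha2Tsa /td sha256 $Target
if ($LASTEXITCODE -ne 0) { throw 'SHA-256 signing failed' }

# 3) Verify all signatures (/all) against the default Authenticode policy (/pa).
#    The verbose listing (/v) should show two signatures, each with its own timestamp.
& $SignTool verify /pa /all /v $Target
if ($LASTEXITCODE -ne 0) { throw 'Signature verification failed' }
```

Run the verify step on the build output before release: a file that carries only one of the two signatures still installs on some Windows versions, so the gap is easy to miss without checking.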

NewsArchive
04-08-2016, 12:26 PM
> There is a new "Code-Signing" tab in the SetupBuilder 10 IDE Options (see
> attached screenshots). It lets you specify your PFX file, the PFX password,
> the SHA-1 and SHA-2 timestamp servers.
>
> You can use the new "Global SHA-1 only", "Global SHA-2 only" and "Global
> SHA-1 & SHA-2 dual" options to make your life easier. The compiler will
> automatically use the code-signing configuration from the "global" IDE
> option.

Nicely done my friend!

Thanks for such excellent support!


:-)

Charles


--
Charles Edmonds

NewsArchive
04-08-2016, 12:26 PM
Thank you for this nice feature, saves a lot of time!

Best regards,
Jeffrey