Code sign fails



NewsArchive
01-31-2017, 03:05 AM
Hi all,

SHA-2 code signing seems to fail now everywhere! I'm getting Gen1053 on
all of them. Back in December those scripts compiled and code signed
without issues. It appears that the newest signtool.exe I have is from
8.1. I'm downloading the 10 SDK right now. Is that going to fix it or
is there something else going on?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:16 AM
Arnor,

> SHA-2 code signing seems to fail now everywhere!

I just tried a couple of my installs and they alls worked as expected.
SVER: 6.3.9600.17298

But then I'm running in a Win7/64 environment which may influence the
behavior.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
01-31-2017, 03:17 AM
> and they alls worked as expected.

Alls? Really, ALLS?!<g>

How 'bout "and they all worked as expected."?

Lee White

NewsArchive
01-31-2017, 03:18 AM
He left out the "f" https://www.youtube.com/watch?v=MYP1OBZfFK0#t=1m1s

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
01-31-2017, 03:18 AM
Hi Lee,

>> SHA-2 code signing seems to fail now everywhere!
>
> I just tried a couple of my installs and they alls worked as expected.
> SVER: 6.3.9600.17298
>
> But then I'm running in a Win7/64 environment which may influence the
> behavior.

I just downloaded the latest 10 SDK and set the Signtool to there and it
still fails:

https://www.screencast.com/t/8dzbQ5ZE

Same on my other development VM. They were both fine back in December
when I compiled the last installs... Weird!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:19 AM
Hi Arnor,

> SHA-2 code signing seems to fail now everywhere! I'm getting Gen1053 on
> all of them. Back in December those scripts compiled and code signed
> without issues. It appears that the newest signtool.exe I have is from
> 8.1. I'm downloading the 10 SDK right now. Is that going to fix it or is
> there something else going on?

Are you using only SHA-2 signing in these scripts?

If this is the case, then (IMO) it's caused by an initialization bug in the
compiler. Under very specific conditions, when doing SHA-2 code-signing,
it's very well possible that the compiler does not "reset" (to 0) the
variable which holds the code-signing error code.

I have fixed this potential bug on January 18, 2017 (but it's not available
as an update yet).

I'll send a new sb10.exe to your private e-mail address. Could you please
rename your original sb10.exe to, say, sb10old.exe and copy the new one into
your SetupBuilder folder. Then re-compile. Does this change anything?

Friedrich

NewsArchive
01-31-2017, 03:20 AM
Hi Friedrich,

> Are you using only SHA-2 signing in these scripts?

For this, yes.

> If this is the case, then (IMO) it's caused by an initialization bug in the
> compiler. Under very specific conditions, when doing SHA-2 code-signing,
> it's very well possible that the compiler does not "reset" (to 0) the
> variable which holds the code-signing error code.
....
> your SetupBuilder folder. Then re-compile. Does this change anything?

No it did not. Still get the error.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:20 AM
Hi Friedrich,

> No it did not. Still get the error.

FYI, I'm NOT adding anything to the script, just set in global and then
in the project properties. Do I need to add anything to the script,
like #pragma CODESIGN_SHA="2" or something like that?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:21 AM
Hi Friedrich,

> like #pragma CODESIGN_SHA="2" or something like that?

Tried that, no difference.

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:21 AM
Arnor,

> > like #pragma CODESIGN_SHA="2" or something like that?

I have an include that has these two #pragmas...

CODESIGN_SHA = "12"
CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

Unsure if that means anything.

--
Lee White

NewsArchive
01-31-2017, 03:21 AM
Hi Lee,

>>> like #pragma CODESIGN_SHA="2" or something like that?
>
> I have an include that has these two #pragmas...
>
> CODESIGN_SHA = "12"
> CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

I *think* that is only needed for dual code signing.

At any rate, scripts with that, also do not compile.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:22 AM
Arnor,

> I *think* that is only needed for dual code signing.

Probably because I dual sign everything.<g>

> At any rate, scripts with that, also do not compile.

Your computer needs an attitude adjustment!

--
Lee White

NewsArchive
01-31-2017, 03:23 AM
Hi Arnor,

okay, if it worked fine in December and the new SB10.EXE (which I sent) did
not change anything, then you are not affected by this potential bug.
Perhaps your ISP or router (update) blocks access to the timestamp server?
Or the timestamp server is down? Try another one to check this.

You only need this:

http://www.lindersoft.com/forums/showthread.php?47199

Set "Global SHA Code-signing Type" to "Global SHA-2 only".

Friedrich

NewsArchive
01-31-2017, 03:23 AM
Hi Friedrich,

> Or the timestamp server is down? Try another one to check this.

I downloaded the capicom_v2102.exe from your server and ran it. Still
errors.

But I found something interesting. I had placed the unsigned install on
one of my servers and even though I can download it from all my machines
and all browsers my client got a server error on it! Using the exact
same URL! Moved the file to another server at a different hosting
company and it was fine. So maybe there is something else going on...

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:24 AM
Hi Friedrich,

> okay, if it worked fine in December and the new SB10.EXE (which I sent) did
> not change anything, then you are not affected by this potential bug.
> Perhaps your ISP or router (update) blocks access to the timestamp server?
> Or the timestamp server is down? Try another one to check this.

I tried every single one of them - they all fail!

If I enter:

http://timestamp.globalsign.com/?signature=sha2

as a URL in my browser it pulls it up. See:
https://www.screencast.com/t/oDVckHsD - so it doesn't seem to be
blocked... There haven't been any changes on the network and one of the
VMs hasn't been run since the last time I compiled on it in December.

Tried this on another machine, not a VM, same thing:

Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 10.0.14393.795
SHA2: 1
Compiler error GEN1053: Code signing process failed. Error Code: 1

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:25 AM
Did you try running procmon while this happens?

Jeff Slarve

NewsArchive
01-31-2017, 03:25 AM
Hi Jeff,

> Did you try running procmon while this happens?

No, what should I be looking for?

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-31-2017, 03:26 AM
Some sort of clue or something.

Jeff Slarve

NewsArchive
01-31-2017, 06:44 AM
Arnor,

> I tried every single one of them - they all fail!

are you sure you are using your *new* code-signing certificate? Not the one
that expired on 9/2/2016?

Friedrich

NewsArchive
02-01-2017, 08:53 AM
Hi Friedrich,

> are you sure you are using your *new* code-signing certificate? Not the one
> that expired on 9/2/2016?

Yes, but I realized the problem! I had exported the certificate with
the wrong password and somehow got them mixed up in the folders! I keep
each one in /year/ folder and then one that I rename to
CurrentCertificate.pfx in the root of that folder. I was using the one
from the /year/ folder instead of the current one - the one in the
/year/ was the one with the wrong password!!! I'm too old for this!

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
02-01-2017, 08:54 AM
Hi Arnor,

<g>. Glad it's working fine again.

Friedrich
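
The cause found at the end of this thread (a .pfx that does not open with the configured password) and the expired-certificate question asked just before it both reach the build log only as "Error Code: 1". A pre-flight check like the following, run before the build, tells those cases apart. It is an added example, not part of the original posts and not a SetupBuilder or signtool feature; the function name Test-SigningPfx is hypothetical.

```powershell
# Added example. Test-SigningPfx is a hypothetical helper name.
function Test-SigningPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $problems = [System.Collections.Generic.List[string]]::new()

    try {
        # A wrong password or a damaged file throws here, before signtool is ever involved.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
    }
    catch {
        $reason = $_.Exception.GetBaseException().Message
        return [pscustomobject]@{ Path = $full; Usable = $false; Problems = @("cannot open PFX: $reason") }
    }

    # Signing needs the private key, not just the public certificate.
    if (-not $cert.HasPrivateKey) { $problems.Add('no private key in the PFX') }

    # Validity window: catches an old, expired certificate picked up from the wrong folder.
    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $problems.Add("not valid until $($cert.NotBefore)") }
    if ($now -gt $cert.NotAfter)  { $problems.Add("expired on $($cert.NotAfter)") }

    # CA-issued code-signing certificates carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
    $ekuOids = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') { $problems.Add('Code Signing EKU missing') }

    [pscustomobject]@{
        Path       = $full
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Usage: the file name is the one mentioned in the thread; the password is prompted for.
# $pw = Read-Host -AsSecureString 'PFX password'
# Test-SigningPfx -Path .\CurrentCertificate.pfx -Password $pw
```

Comparing the reported Thumbprint and NotAfter across the per-year copies and the renamed current copy also shows at a glance which file the build is actually pointed at.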