Dual vs. SHA2 code signing
Hi Friedrich,
My client is using a dual code signing certificate and he noticed that
recently he is getting the "unknown publisher" warning in Windows 10.
So we did a test using my Build Automator install. I have one install
with dual code signing and one with my latest certificate which is SHA2
only.
The results: http://www.screencast.com/t/a57gF4yaqJB
The dual code signed one was fine, but the SHA2 only is showing the
"dangerous app" warning! This is on Windows 10 Home 64bit with all the
latest updates (checked as of yesterday afternoon).
I have smartscreen turned ON on my machine, but for the dual code signed
install it does not show up and I get the same UAC screen as for the
dual code signed.
Where is all this going??? Can we expect to get all installs
intercepted by SmartScreen every time a new build goes out or what can
we do?
Does my client need a SHA2 only certificate to code sign his installs?
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: Dual vs. SHA2 code signing
Does the same thing happen if you extract the setup from a zip file
instead of downloading directly?
Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.
Grammar troll's, are the worse.
Re: Dual vs. SHA2 code signing
Hi Arnor,
> My client is using a dual code signing certificate and he noticed that
> recently he is getting the "unknown publisher" warning in Windows 10.
>
> So we did a test using my Build Automator install. I have one install
> with dual code signing and one with my latest certificate which is SHA2
> only.
It's very well possible that this is a "reputation" thing. Did you
code-sign the "dual" signed and the "SHA-2 only" signed app with the *SAME*
(your latest) certificate? You said "...and one with my latest
certificate...", that's why I am asking.
Friedrich
Re: Dual vs. SHA2 code signing
Hi Jeff,
> Does the same thing happen if you extract the setup from a zip file
> instead of downloading directly?
Good question and I don't have the answer. Realized that I was running
this from my hard drive while my client downloaded. Will zip up the
SHA2 one and ask him to re-test it.
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: Dual vs. SHA2 code signing
Hi Friedrich,
> It's very well possible that this is a "reputation" thing. Did you
> code-sign the "dual" signed and the "SHA-2 only" signed app with the *SAME*
> (your latest) certificate? You said "...and one with my latest
> certificate...", that's why I am asking.
Sorry, wasn't clear. No, the dual signed was from February with
certificate from 2015. The SHA2 is with a month old certificate.
When *I* run those installs from my local drive they both behave the same.
But my client's software, even when (apparently) successfully code
signed, is showing "Unknown developer" when he runs his install. I've
instructed him to check the properties of the installer exe, but have
not heard back.
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: Dual vs. SHA2 code signing
Hi Arnor,
> But my client's software even when (apparently) successfully code signed,
> is showing "Unknown developer" when he runs his install.
> I've instructed him to check the properties of the installer exe,
> but have not heard back.
Aha, okay! In this case it is a root certificate issue (he did not check
for updates for some time) or the root certificate update failed.
Friedrich
Re: Dual vs. SHA2 code signing
Hi Friedrich,
> My client is using a dual code signing certificate and he noticed that
> recently he is getting the "unknown publisher" warning in Windows 10.
This gets more bizarre!
My client checked the properties on his install. Both SHA1 and SHA256
signatures are present. When he goes into the Details it says "Digital
Signature Information" and below "This digital signature is not valid."
If he goes to view the certificate it says "The digital signature of the
object did not verify". The issuer and valid from/to dates are all there
and all correct.
On my installs I get "This digital signature is OK" on both SHA1 and
SHA256 signatures.
What is going on?
Note: This started happening for him about two months ago. Prior to
that there was no problem. Neither the certificate nor the SB script
has changed. The certificate is valid from January 2016 until January
2019. Code signing was done on December 2nd, 2016.
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: Dual vs. SHA2 code signing
Arnor,
I wonder if his root certificates are messed up or if someone has
tampered with the file after it was signed.
If it were me I'd get a zip of his copy of the file and do a byte
level compare against YOUR copy.
But Friedrich will probably have something better to suggest!<g>
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"
Re: Dual vs. SHA2 code signing
Lee,
>
> But Friedrich will probably have something better to suggest!<g>
>
IMO, it's a typical root certificate "NOT-up-to-date" issue. I ran into
this myself some weeks ago. I had a virtual machine active for two weeks
and web update service was disabled (I needed a specific Windows system
state). Suddenly, it began to display the "Unknown Publisher" warning on
quite a few code-signed .EXE files. I enabled the web update service and 10
minutes later it worked fine again.
Arnor said: "Note: This started happening for him about two months ago.
Prior to that there was no problem." Similar or same scenario <g>
Friedrich
Re: Dual vs. SHA2 code signing
Hi Arnor,
> What is going on?
I think I know what is going on.
From time to time, Windows requests a trusted root certificate update (it
needs this to detect revoked certificates, etc.). I think your customer did
not check for updates for a long time (or something went wrong during his
last root certificate update). In other words, this machine is not
up-to-date via Windows Update, especially the Root Certificates part.
This has absolutely nothing to do with the signed .EXE or the certificate.
To solve this issue, he needs the Root Certificate updates. It's standard
Windows behavior for 13+ years now. If the root certificates are not
up-to-date, Windows might display "Unknown Publisher" (to protect the user).
If the machine is not up-to-date, it is impossible to detect code signed
with a revoked certificate.
http://www.lindersoft.com/forums/sho...1178#post71178
Does this help?
BTW, as far as I know, Root Certificate Updates are *not* optional on
Windows 10.
Friedrich
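The checks the thread walks through by hand (Lee's byte-level compare, Jeff's zip-versus-download question, and Friedrich's stale-root-store diagnosis) can be run on the affected machine with one script. This is an added example, not code from any poster; the two file paths are placeholders and must be replaced with the client's downloaded copy and the signer's original build.

```powershell
# Diagnose "Unknown Publisher" / "signature is not valid" on one machine but not another.
# Paths below are placeholders (assumption): $Suspect = the client's downloaded installer,
# $Reference = the signer's own copy of the same build.
param(
    [string]$Suspect   = 'C:\Downloads\setup.exe',
    [string]$Reference = 'C:\Builds\setup.exe'
)

# 1. Byte-level compare: identical hashes rule out modification in transit.
$h1 = (Get-FileHash -Algorithm SHA256 -Path $Suspect).Hash
$h2 = (Get-FileHash -Algorithm SHA256 -Path $Reference).Hash
if ($h1 -ne $h2) {
    Write-Warning "Files differ: the downloaded copy is not the file that was signed."
} else {
    "Files are byte-identical; the problem is trust state on this machine, not the file."
}

# 2. Authenticode status. HashMismatch means the file changed after signing;
#    NotTrusted/UnknownError on a byte-identical file points at the certificate chain.
#    Note: Get-AuthenticodeSignature reports only the primary (first) signature of a
#    dual-signed file; use 'signtool verify /pa /v /all' to see the SHA-256 one as well.
$sig = Get-AuthenticodeSignature -FilePath $Suspect
"Status    : $($sig.Status)"
"Message   : $($sig.StatusMessage)"
"Signer    : $($sig.SignerCertificate.Subject)"
"Issuer    : $($sig.SignerCertificate.Issuer)"
"Valid to  : $($sig.SignerCertificate.NotAfter)"

# 3. Build the signer's chain locally with online revocation checking, which is what
#    Windows does before trusting the publisher. A stale root store shows up here as
#    UntrustedRoot or PartialChain even though the signature itself is intact.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if ($chain.Build($sig.SignerCertificate)) {
    "Chain builds cleanly on this machine."
} else {
    foreach ($s in $chain.ChainStatus) {
        "Chain error: $($s.Status) - $($s.StatusInformation.Trim())"
    }
    "UntrustedRoot / PartialChain with a valid file: run Windows Update to refresh root certificates."
}

# 4. Mark-of-the-Web: SmartScreen evaluates files that carry a Zone.Identifier stream
#    (set by browsers on download); a file extracted from a zip usually has none,
#    which is why the zip test in the thread can behave differently.
$zone = Get-Content -Path $Suspect -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Zone.Identifier present:`n$zone" } else { "No Zone.Identifier stream on this file." }
```

Run it in an elevated PowerShell on the client's machine; if step 1 matches and step 3 fails with a root or chain error, the fix is the root certificate update Friedrich describes rather than a new certificate.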