-
Comodo Certificate Order [August 25, 2015]
All,
Requested a new three year Comodo code-signing certificate because our "old"
one (still valid until September 2016) did not support SHA-2. A new
certificate always means you have to build a new "reputation" for it. I
don't want to lose reputation again after one year so I decided to order a
fresh 3-year one.
Here is what I did:
1. Made sure that the WHOIS database for lindersoft.com was up-to-date and
turned OFF domain registrar's privacy service.
2. Ordered the certificate on August 24, 2015 at 4:53 PM from a Windows 7
SP1 (x64) machine using Internet Explorer.
3. Sent required documents immediately to Comodo.
4. Received callback status email from the COMODO Validation Team at 11:24
PM.
Not too bad. That was quick -- only 6 hours. I am good until August 2018
now (1096 days). Yeah!
To start the telephone callback process, I did this:
1. Opened a LiveChat on Comodo's support website. Chat partner "Martin"
started the telephone callback procedure.
2. Received another "Callback" email. In order to review our phone number
and initiate the callback I had to click a link. Then press a button to
get a phone call (DON'T close the window!!).
3. Received the phone call (computer voice) and the "lady" gave me a PIN.
4. I had to enter that PIN in the previous window.
5. 30 seconds later I received a "Your Code Signing Certificate is ready!"
email and collected my new certificate.
6. Exported the certificate to .pfx format.
7. Turned ON domain registrar's privacy service.
All system files for SetupBuilder 10 will be dual SHA-1/SHA-2 code-signed to
be ready for January 1, 2016.
Note: Microsoft will cease trusting Code Signing Certificates using SHA-1 on
January 1, 2016. Organizations need to develop a migration plan for any
SHA-1 code signing certificates that expire after January 1, 2016.
--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)
--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
-
Re: Comodo Certificate Order [August 25, 2015]
LiveChat window, "Your Code Signing Certificate is ready!" email and
certificate collection.
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
What happened with the possibility to get a new version with SHA-2 for existing certificates?
Darko
-
Re: Comodo Certificate Order [August 25, 2015]
Darko,
> What happened with the possibility to get a new version with SHA-2
> for existing certificates?
You will be able to get a free replacement SHA-2 certificate from Comodo if
your current one supports SHA-1 only (e.g. code-signing certificates issued
after 22nd September 2014 which expire after 2015).
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
By the way, you can still use the new SHA-2 based certificates to code-sign
with SHA-1. Absolutely no problem. But Microsoft will cease trusting Code
Signing Certificates using SHA-1 on January 1, 2016.
You can use SetupBuilder 10 to code-sign your files and installations with
SHA-1, SHA-2 or dual SHA-1/SHA-2.
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
Thanks Friedrich for the detailed explanation, but your math still worries me, as
my 3-year Comodo expires on 25.02.2017,
and you said "free replacement for code-signing certificates issued after 22nd
September 2014". Mine was issued on 25.02.2014, so it's before 22.09.2014.
Or did I misunderstand what you said?
Many thanks
Darko
-
Re: Comodo Certificate Order [August 25, 2015]
Hi Darko,
Sorry, should read "...issued BEFORE 22nd September 2014 which expires after
2015...".
On September 22, 2014 Comodo started the new "SHA-2 only" program.
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
Ah, now it makes sense
Thanks Friedrich
Darko
-
Re: Comodo Certificate Order [August 25, 2015]
Friedrich,
Did they ask you for a phone number in the chat, or go by some number they
looked up somewhere?
Jane
-
Re: Comodo Certificate Order [August 25, 2015]
Hi Jane,
> Did they ask you for a phone number in the chat, or go by some number they
> looked up somewhere?
They have used the number from the WHOIS record (and they perform callback
only to the number listed in online directories).
For example:
http://www.numberway.com/,
http://world.192.com/
First, I sent an email to their support. But after two hours of waiting for
a callback, I decided to open a LiveChat session. Two minutes later I had
my certificate ready-to-sign <g>
From the transcript of the chat:
---
Martin: Just a moment please , let me check the order status
Martin: shall we make a call now ?
Hi, this is Friedrich Linder: Yes, please :-)
Martin: Sure :)
Martin: Done
---
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
Thanks, Friedrich,
WHOIS is good.
The last time for me, I think they got my number from Dun & Bradstreet. I
didn't even know that D&B had a listing for me. Since then, I've canceled
the phone number they used last time. And I don't want to have to open a
D&B account in order to update that incorrect phone number in order to renew
my certificate next time.
Fortunately, "next time" isn't for 18 months.
But time goes faster as I get older !!!!
Jane
-
Re: Comodo Certificate Order [August 25, 2015]
Hi Friedrich,
> Not too bad. That was quick -- only 6 hours. I am good until August 2018
> now (1096 days). Yeah!
I'm hoping for a quick turn around also when I order after the weekend.
I'd somehow got my reminder in in September and was rather displeased
to discover yesterday that the certificate expired last Friday!<g> Have
Jane's docs ready at hand:)
Best regards,
--
Arnor Baldvinsson - Icetips Alta LLC
-
Re: Comodo Certificate Order [August 25, 2015]
Hi Jane,
> canceled the phone number they used last time. And I don't want to
> have to open a D&B account in order to update that incorrect phone
> number in order to renew my certificate next time.
I can't even see the phone number listed for me without signing up with
D&B. And they have the address wrong (changed in 2010;)
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
-
Re: Comodo Certificate Order [August 25, 2015]
Arnor,
> I can't even see the phone number listed for me without signing up with
> D&B. And they have the address wrong (changed in 2010;)
They tend not to update information unless you pay them. I dissolved
the corporation in 2006 but they still have DeveloperPLUS listed as a
corporation. Duh!<g>
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"
The life of a Clarion Developer: https://youtu.be/ozitqabi6UM
-
Re: Comodo Certificate Order [August 25, 2015]
Maybe they'll send you an anniversary card next year<g>
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
Grammar troll's, are the worse.
-
Re: Comodo Certificate Order [August 25, 2015]
Jeff,
> Maybe they'll send you an anniversary card next year<g>
I should probably expect it!<g> AMEX gets mailing lists from D&B and
they are constantly sending offers to the corporation that isn't!<g>
Can't sit in front of this thing long. Just got back from having my
eyes dilated and dyed for several tests - can't focus at all which is
why I went - they made it worse and charged me $260. Shoulda stayed
home!!!!
--
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
If you have to get something dilated, the eyes are a good first
choice.<g>
Jeff Slarve
-
Re: Comodo Certificate Order [August 25, 2015]
Jeff,
> If you have to get something dilated, the eyes are a good first
> choice.<g>
True but I would have preferred the method I used in my 20's!<g>
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
alrighty, then.
Jeff Slarve
-
Re: Comodo Certificate Order [August 25, 2015]
Jeff,
> alrighty, then.
But I never inhaled, honest... wait, I'm not a politician, am I?!<g>
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
Wasn't that supposed to be good for glaucoma anyway???
Jane Fleming
-
Re: Comodo Certificate Order [August 25, 2015]
Jane,
> Wasn't that supposed to be good for glaucoma anyway???
It's good for a lot of things, or so Sanjay says.<g>
I don't have glaucoma but I do have the early stages of cataracts...
that's close enough, right?!<g> (no worries - purely age related)
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
Lee,
Cataracts are a lot less of an issue than back when you were a pup. I've
watched a lot of IOL surgeries. Patients are amazed at how well they can
see the very next day.
OTOH... if you prefer herbal therapy ;-)
jf
-
Re: Comodo Certificate Order [August 25, 2015]
So after my earlier post, I delayed doing productive work for a half hour
this morning whilst spelunking through crannies of the D&B website.
Wish I could point to the specific link... but I was heartened by one of
their dropdowns promising the ability to edit information without paying
them.
So I did create a free account, and that let me zap the invalid phone
number. Unfortunately, it wouldn't let me just leave the phone blank.
Of course... it might be fun to set the phone number on D&B to Comodo's
number <G>
Cheers, all,
Jane
-
Re: Comodo Certificate Order [August 25, 2015]
Jane,
> OTOH... if you prefer herbal therapy ;-)
Getting back to nature!<g>
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
> But Microsoft will cease trusting Code
> Signing Certificates using SHA-1 on January 1, 2016.
Does that mean that all previously distributed EXE etc become invalid??????
Don't make me nervous, man!
Regards,
Wolfgang Orth
www.odata.de
-
Re: Comodo Certificate Order [August 25, 2015]
Hi Wolfgang,
> Does that mean that all previously distributed EXE etc become
> invalid??????
>
> Don't make me nervous, man!
Windows will stop accepting SHA-1 code-signed files that are time stamped
AFTER 1 January 2016. SHA-1 code-signed files time stamped by an RFC 3161
Time Stamp Authority BEFORE 1 January 2016 will be accepted until such time
when Microsoft decides SHA-1 is vulnerable to pre-image attack.
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
> Don't make me nervous, man!
By the way, I think my answer was not quite clear. Yes, all previously
code-signed EXE/DLL/etc. files become invalid if they were code signed using
the "standard" Microsoft Authenticode compatible time stamp. To support
older Windows operating systems and new UAC-aware Windows after 1 January
2016, you have to dual SHA-1/SHA-2 code-sign using Microsoft Authenticode
compatible time stamp and RFC 3161 compliant trusted time stamp servers
(SHA-2 compatible code-signing certificate is required).
Of course, the upcoming SetupBuilder 10 can handle this for you (dual
SHA-1/SHA-2 code-sign your application files and the setup.exe).
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
Friedrich,
> Yes, all previously
> code-signed EXE/DLL/etc. files become invalid if they were code signed using
> the "standard" Microsoft Authenticode compatible time stamp.
So everything that's already been signed is suddenly invalid and has
to be redone??? Seriously?!
So old signed installs and install contents have to be re-signed and
uploaded... that's a lot of stuff to contend with, a LOT of stuff!
--
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
Lee,
> So everything that's already been signed is suddenly invalid and has
> to be redone??? Seriously?!
Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
Stamp Authority before 1 January 2016 <bg>
> So old signed installs and install contents have to be re-signed and
> uploaded... that's a lot of stuff to contend with, a LOT of stuff!
Ohhh yes. I am busy re-compiling all my original application files, all the
core redistributables, etc. Tons of stuff, terabytes of data.
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
BTW, I have been working on our migration plan for the old SHA-1 code signing
certificate for more than three months now (including research and
development). More work than the Year 2000 "problem" <g>. And this will
DEFINITELY result in a support nightmare for quite a few developers on
January 2, 2016.
Friedrich
-
Re: Comodo Certificate Order [August 25, 2015]
Friedrich,
> Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
> Stamp Authority before 1 January 2016 <bg>
Not sure exactly what that means but all my existing 3rd party product
installers will remain as is... don't have the time or inclination to
redo them all and they're already signed and time stamped.
If that's a problem then Clarion Developers will just have to trust
the old installs... c'est la vie.
--
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
la vie!
Jeff Slarve
-
Re: Comodo Certificate Order [August 25, 2015]
> If that's a problem then Clarion Developers will just have to trust
> the old installs... c'est la vie.
Unless Windows decides to not allow them to install at all...
Time will tell I guess<g>.
:-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
-
Re: Comodo Certificate Order [August 25, 2015]
Charles,
> Unless Windows decides to not allow them to install at all...
Considering Windows still allows unsigned installs to run I doubt
seriously they would utterly prevent it. I'm fairly certain there
would be a rather loud voice heard in Redmond if they did.
--
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
I hope that your voice of sanity will prevail.
Jeff Slarve
-
Re: Comodo Certificate Order [August 25, 2015]
Jeff,
> I hope that your voice of sanity will prevail.
After I retire, if that ever happens, I won't care!<g>
Reached early retirement age, and reverse mortgage age, earlier this
month but neither are going to happen just yet.
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
> Considering Windows still allows unsigned installs to run I doubt
> seriously they would utterly prevent it. I'm fairly certain there
> would be a rather loud voice heard in Redmond if they did.
Allowing the installer to run and allowing it to place files are two
different things<g>.
Of course now that SV no longer defaults to installing Clarion under
Program Files, for the moment it is less of an issue.
But I have seen installers that were code signed (but not manifested for
the target OS for example) that ended up with an "empty" install under the
Program Files folder. Nothing in there but the install.log and the
SetupBuilder generated uninstall.exe.
So I'd guess that anything is possible where MS is concerned<g>.
Then again, even if they heard you all the way out in Redmond, do you think
they'll pay any attention to you<g>?
:-)
Charles
-
Re: Comodo Certificate Order [August 25, 2015]
Charles,
> Then again, even if they heard you all the way out in Redmond, do you think
> they'll pay any attention to you<g>?
Support email redirect!!!
Lee White
-
Re: Comodo Certificate Order [August 25, 2015]
Lee,
>> Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
>> Stamp Authority before 1 January 2016 <bg>
>
> Not sure exactly what that means but all my existing 3rd party product
> installers will remain as is... don't have the time or inclination to
> redo them all and they're already signed and time stamped.
>
> If that's a problem then Clarion Developers will just have to trust
> the old installs... c'est la vie.
By default, timestamping is done using Microsoft Authenticode compatible
time stamp and not the RFC 3161 compliant trusted time stamp servers. You
need a specific SignTool version and at least Windows 7 SP1 to support RFC
3161. In SetupBuilder 8.5, you can use the following #pragma to support RFC
3161:
#pragma CODESIGN_TSTYPE = "1"
If you are not using RFC 3161 then all your files are Microsoft Authenticode
compatible time stamped and are suddenly invalid on January 02, 2016.
I have to redo all files because quite a few companies have the "User
Account Control: Only elevate executables that are signed and validated"
security policy enabled. This blocks elevation if the code-signature is
invalid.
Friedrich
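
Added example, not part of the original thread and not SetupBuilder's or Comodo's own code: the dual SHA-1/SHA-2 signing Friedrich describes (an Authenticode-compatible time stamp on the SHA-1 signature, an RFC 3161 time stamp on the SHA-2 one), done directly with Microsoft's SignTool from PowerShell. It assumes a SignTool build that supports `/as`, `/tr` and `/td`, a code-signing certificate already imported into the current user's certificate store, and caller-supplied values for the certificate thumbprint and both time stamp server URLs, none of which appear in the thread.

```powershell
# Added example: dual SHA-1/SHA-2 Authenticode signing of PE files with SignTool.
# Assumptions (not from the thread): the certificate is in the CurrentUser\My store
# and is selected by thumbprint; both time stamp URLs are supplied by the caller.
param(
    [Parameter(Mandatory)] [string[]] $Path,                      # EXE/DLL files to sign
    [Parameter(Mandatory)] [string]   $Thumbprint,                # SHA-1 thumbprint of the signing certificate
    [Parameter(Mandatory)] [string]   $AuthenticodeTimestampUrl,  # legacy Authenticode time stamp service
    [Parameter(Mandatory)] [string]   $Rfc3161TimestampUrl,       # RFC 3161 time stamp authority
    [string] $SignTool = 'signtool.exe'                           # must be a build that knows /as, /tr, /td
)

$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    param([string[]] $Arguments)
    # Run SignTool and turn a non-zero exit code into a terminating error,
    # so a failed time stamp request never leaves a file silently half-signed.
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

foreach ($file in $Path) {
    $full = (Resolve-Path -LiteralPath $file).Path

    # 1. Primary signature for older Windows versions:
    #    SHA-1 file digest (/fd sha1) with an Authenticode-compatible time stamp (/t).
    Invoke-SignTool @('sign', '/sha1', $Thumbprint,
                      '/fd', 'sha1',
                      '/t', $AuthenticodeTimestampUrl,
                      $full)

    # 2. Second signature appended to the first (/as):
    #    SHA-256 file digest with an RFC 3161 time stamp (/tr) whose own digest
    #    is SHA-256 (/td). Keep /td after /tr on the command line.
    Invoke-SignTool @('sign', '/sha1', $Thumbprint,
                      '/as',
                      '/fd', 'sha256',
                      '/tr', $Rfc3161TimestampUrl,
                      '/td', 'sha256',
                      $full)

    # 3. Verify every signature in the file against the default Authenticode
    #    policy (/pa); /all checks the appended SHA-2 signature too, not just
    #    the primary one.
    Invoke-SignTool @('verify', '/pa', '/all', $full)
}
```

Selecting the certificate from the store by thumbprint keeps the .pfx password off the command line, where `/f` with `/p` would expose it to anything that can read the process list.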