
Thread: New certificate - not sure if it's working correctly.

  1. #1

    New certificate - not sure if it's working correctly.

    Hi Friedrich,

    I just got a new Comodo certificate and extracted the .pfx file, set SB
    to use signtool.exe and changed my #code-sign accordingly. No errors
    (once I picked the right time server) but what I get when I do the code
    signing is:

    Adding Digital Certificate (Preprocessor)...
    SIGNTOOL: C:\Products\BuildAutomator\Latest\Program Files\Icetips
    Creative\Build Automator\BuildAutomator.exe
    SHA1: 0
    Code signed successfully: C:\Products\BuildAutomator\Latest\Program
    Files\Icetips Creative\Build Automator\BuildAutomator.exe

    I'm concerned about this SHA1: 0. I don't know what it means. The
    certificate I ordered was SHA2, so I hope that's what I got - Signature
    algorithm is sha256RSA and the signature hash algorithm is sha256 in the
    "View" certificate in IE 11.

    So - is everything correct here?

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  2. #2

    Re: New certificate - not sure if it's working correctly.

    Hi Friedrich

    On 9/8/2015 4:16 PM, Arnor Baldvinsson wrote:
    > I'm concerned about this SHA1: 0. I don't know what it means. The
    > certificate I ordered was SHA2, so I hope that's what I got - Signature
    > algorithm is sha256RSA and the signature hash algorithm is sha256 in the
    > "View" certificate in IE 11.
    >
    > So - is everything correct here?

    When I run Signtool verify, I get this:

    SignTool Error: A certificate chain processed, but terminated in a root
    certificate which is not trusted by the trust provider.

    Number of errors: 1

    Same on all the binaries I just signed - and everything else I tried...
    Hmm...

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  3. #3

    Re: New certificate - not sure if it's working correctly.

    Hi Arnor,

    > When I run Signtool verify, I get this:
    >
    > SignTool Error: A certificate chain processed, but terminated in a root
    > certificate which is not trusted by the trust provider.
    >
    > Number of errors: 1
    >
    > Same on all the binaries I just signed - and everything else I tried...
    > Hmm...

    If you run the "signtool.exe verify myfile.exe" command, signtool will use
    the Windows Driver Verification Policy. In order for your file to "verify"
    properly you need to include the /pa switch, so that SignTool uses the
    Default Authentication Verification Policy.

    Friedrich

  4. #4

    Re: New certificate - not sure if it's working correctly.

    Hi Arnor,

    "SHA1: 0 Code signed successfully" means that you have code-signed via SHA-1
    (you did not instruct the compiler to code-sign via SHA-2) and the
    Authenticode process did not report any error.

    Friedrich

  5. #5

    Re: New certificate - not sure if it's working correctly.

    Hi Friedrich,

    On 9/8/2015 11:30 PM, Friedrich Linder wrote:
    > "SHA1: 0 Code signed successfully" means that you have code-signed via SHA-1
    > (you did not instruct the compiler to code-sign via SHA-2) and the

    How do you do that? I couldn't find any setting for specifying it...
    See http://screencast.com/t/RuLT2sL8Ps

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  6. #6

    Re: New certificate - not sure if it's working correctly.

    Hi Arnor,

    > How do you do that? I couldn't find any setting for specifying it...

    You need the latest signtool.exe from Microsoft (at least 6.2.9200.16384)
    and then use #pragma in your script and set CODESIGN_SHA to 2 for SHA-2
    code-signing (please see #pragma help).

    Does this help?

    Friedrich
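
    The two points from the replies above (SHA-2 signing needs signtool 6.2.9200.16384 or later; verification needs /pa), as an added PowerShell example that calls signtool directly. It is not part of the original thread or of the build tool's own scripts; the paths, the timestamp URL and the PFX_PASSWORD variable are placeholders, and /fd, /tr and /td are standard signtool switches that the thread itself does not mention.

    ```powershell
    # Added example: sign build outputs with a SHA-256 file digest, then verify
    # each one under the Default Authentication Verification Policy (/pa).
    # All paths, the URL and the environment variable are placeholders.
    $SignTool  = 'C:\Path\To\signtool.exe'
    $Pfx       = 'C:\Path\To\codesign.pfx'
    $Timestamp = 'http://timestamp.example.invalid'   # placeholder RFC 3161 server
    $BuildDir  = 'C:\Path\To\BuildOutput'

    # Refuse to run with a signtool older than the minimum quoted in the thread.
    $vi   = (Get-Item $SignTool).VersionInfo
    $have = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($have -lt [version]'6.2.9200.16384') {
        throw "signtool $have is too old for SHA-2 signing; need 6.2.9200.16384 or later"
    }

    $failed = @()
    Get-ChildItem $BuildDir -Recurse -Include *.exe, *.dll | ForEach-Object {
        $file = $_.FullName

        # /fd sets the file digest algorithm; without it older toolchains default
        # to SHA-1 even when the certificate itself is sha256RSA.
        # Note: /p puts the password on the command line, so run this only on a
        # build host where process listings are not exposed to other users.
        & $SignTool sign /f $Pfx /p $env:PFX_PASSWORD `
            /fd sha256 /tr $Timestamp /td sha256 $file
        if ($LASTEXITCODE -ne 0) { $failed += "sign: $file"; return }

        # Without /pa, verify applies the Windows Driver Verification Policy and
        # reports an untrusted root for ordinary code-signing certificates.
        & $SignTool verify /pa /v $file
        if ($LASTEXITCODE -ne 0) { $failed += "verify: $file" }
    }

    if ($failed.Count -gt 0) {
        $failed | ForEach-Object { Write-Error $_ }
        throw "$($failed.Count) file(s) failed signing or verification"
    }
    Write-Output "All files signed with a SHA-256 digest and verified with /pa."
    ```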

  7. #7

    Re: New certificate - not sure if it's working correctly.

    Hi Friedrich,

    > If you run the "signtool.exe verify myfile.exe" command, signtool will
    > use the Windows Driver Verification Policy. In order for your file to
    > "verify" properly you need to include the /pa switch, so that SignTool
    > uses the Default Authentication Verification Policy. Friedrich

    Got it! Works

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  8. #8

    Re: New certificate - not sure if it's working correctly.

    Hi Friedrich,

    > You need the latest signtool.exe from Microsoft (at least
    > 6.2.9200.16384) and then use #pragma in your script and set
    > CODESIGN_SHA to 2 for SHA-2 code-signing (please see #pragma help).
    > Does this help? Friedrich

    OK, mine is 6.1.x so I'll grab the latest one and give it another go

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  9. #9

    Re: New certificate - not sure if it's working correctly.

    Hi Friedrich,

    > You need the latest signtool.exe from Microsoft (at least
    > 6.2.9200.16384) and then use #pragma in your script and set
    > CODESIGN_SHA to 2 for SHA-2 code-signing (please see #pragma help).
    > Does this help? Friedrich

    Got the latest (6.3.x), set the pragma, changed the time server (I used
    verisign yesterday and it worked, but not today), compiled and got
    SHA2: 0 - codesigning successful on all files

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  10. #10

    Re: New certificate - not sure if it's working correctly.

    Hi Arnor,
    Where did you get this one from? From some newer SDK, or do you have a useful link?
    I didn't find any good
    Many thanks
    Darko
