
Thread: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing


    -- SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    It has been some time since we've had the "Tips & Tricks" column. Many
    people have asked me for tips on how to do this and that, so I figured I
    would share some with you here. The first in this new series of tips and
    tricks explains how you can handle dual SHA-1/SHA-2 (SHA-256) code-signing
    with SetupBuilder.

    Background: Organizations need to develop a migration plan for SHA-1 code
    signing certificates that expire after January 1, 2016. To support older
    Windows operating systems (e.g. Windows XP, Vista, early Windows 7 versions)
    and modern Windows systems (Windows 8.x and later) after 1 January 2016, you
    have to dual SHA-1/SHA-2 code-sign all your application files and setups
    using a Microsoft Authenticode compatible time stamp server and an RFC 3161
    compliant trusted time stamp server (a SHA-2 compatible code-signing
    certificate is required).

    SHA-2 (SHA-256) was created by the National Institute of Standards and
    Technology (NIST) to replace SHA-1 after mathematical weaknesses were
    discovered in the algorithm. For the past few years, network security
    experts have warned that certificates using the SHA-1 hashing algorithm will
    soon be in danger of being hacked due to consistent advancements in
    computing technology.

    -- How to handle dual code-signing with SetupBuilder 10?

    1. Set the "TimeStamp URL" to a SHA-2 compliant timestamp server.

    For example: http://timestamp.globalsign.com/?signature=sha2

    2. In the Script Editor, set the Secure Hash Algorithm to "dual".

    #pragma CODESIGN_SHA = "12"

    3. In the Script Editor, set the timestamp server for the SHA-1 signature to
    a Microsoft Authenticode compatible timestamp server.

    #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

    Note: You need Microsoft SignTool.exe version 6.2.9200.16384 or later to
    support dual SHA-1/SHA-2 code-signing.

    --
    Friedrich Linder
    Lindersoft | SetupBuilder | www.lindersoft.com
    954.252.3910 (within US) | +1.954.252.3910 (outside US)

    --SetupBuilder "point. click. ship"
    --Helping You Build Better Installations
    --Create Windows 10 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner
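The following is an added example, not part of the post above and not SetupBuilder's own code: it performs the same dual SHA-1/SHA-256 signing that the three pragmas configure, but drives Microsoft SignTool.exe directly from PowerShell, so you can see which signature goes first, why the second one must be appended rather than written over the first, and how to check the result. The certificate thumbprint, target file names and the use of the CurrentUser\My store are assumptions; the two timestamp URLs are the ones from the post.

```powershell
# Added example (not from the original post or from SetupBuilder): dual
# SHA-1/SHA-256 Authenticode signing done directly with SignTool.exe.
# Assumptions (hypothetical values): signtool.exe is on PATH and is version
# 6.2.9200.16384 or later, the code-signing certificate with its private key is
# installed in the CurrentUser\My store and is selected by thumbprint, and
# $Targets lists the files you would otherwise let SetupBuilder sign.
param(
    [string]   $Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # hypothetical
    [string[]] $Targets    = @('.\MyApp.exe', '.\Setup.exe'),             # hypothetical
    [string]   $Sha1Tsa    = 'http://timestamp.comodoca.com/authenticode',
    [string]   $Sha2Tsa    = 'http://timestamp.globalsign.com/?signature=sha2'
)

$ErrorActionPreference = 'Stop'

# Runs signtool with the given argument list and throws on a non-zero exit code.
# Timestamp servers are the unreliable part of signing, so the timestamp steps
# below are allowed a few retries; the signing steps are not, because retrying
# an appended signature would stack a third signature onto the file.
function Invoke-SignTool {
    param([string[]] $Arguments, [int] $Retries = 1)
    for ($attempt = 1; $attempt -le $Retries; $attempt++) {
        & signtool.exe @Arguments
        if ($LASTEXITCODE -eq 0) { return }
        Write-Warning "signtool exited with $LASTEXITCODE (attempt $attempt of $Retries)"
        if ($attempt -lt $Retries) { Start-Sleep -Seconds (5 * $attempt) }
    }
    throw "signtool failed: signtool $($Arguments -join ' ')"
}

foreach ($file in $Targets) {
    if (-not (Test-Path -LiteralPath $file)) { throw "File not found: $file" }

    # 1. Primary signature: SHA-1 file digest (/fd sha1). This one must go first,
    #    because Windows XP/Vista and Windows 7 without the SHA-2 updates only
    #    evaluate the primary signature and cannot verify SHA-256 at all.
    #    Note: /sha1 selects the certificate by thumbprint; it has nothing to do
    #    with the digest algorithm, which is set by /fd.
    Invoke-SignTool @('sign', '/s', 'My', '/sha1', $Thumbprint, '/fd', 'sha1', $file)

    # 2. Second signature: SHA-256 file digest, appended with /as. Without /as
    #    signtool replaces the SHA-1 signature from step 1 instead of adding to it.
    Invoke-SignTool @('sign', '/as', '/s', 'My', '/sha1', $Thumbprint, '/fd', 'sha256', $file)

    # 3. Timestamp the primary (SHA-1) signature with a legacy Authenticode
    #    timestamp (/t), which is what the old Windows versions understand.
    Invoke-SignTool -Retries 3 @('timestamp', '/t', $Sha1Tsa, $file)

    # 4. Timestamp the appended signature (index 1, /tp 1) with an RFC 3161
    #    timestamp (/tr) whose own digest is SHA-256 (/td sha256).
    Invoke-SignTool -Retries 3 @('timestamp', '/tr', $Sha2Tsa, '/td', 'sha256', '/tp', '1', $file)

    # 5. Verify every signature in the file (/all) against the default
    #    Authenticode policy (/pa). The verbose output should list two signers,
    #    one with a SHA1 and one with a SHA256 hash, each with its timestamp.
    Invoke-SignTool @('verify', '/pa', '/all', '/v', $file)
}
```

Two things worth checking on a machine that is not the build server: `signtool verify /pa /all` only shows the second signature when run with a signtool that understands dual signatures (the same version requirement the post gives), and the order matters in step 1 and 2 because downlevel Windows reads only the first signature, so a file that was signed SHA-256 first and SHA-1 second will still fail on Windows XP even though both signatures are present.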