
Thread: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

  1. #1

    SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    -- SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    It has been some time since we've had the "Tips & Tricks" column. Many
    people have asked me for tips on how to do this and that, so I figured I
    would share some with you here. The first in this new series of tips and
    tricks explains how you can handle dual SHA-1/SHA-2 (SHA-256) code-signing
    with SetupBuilder.

    Background: Organizations need to develop a migration plan for SHA-1 code
    signing certificates that expire after January 1, 2016. To support older
    Windows operating systems (e.g. Windows XP, Vista, early Windows 7 versions)
    and modern Windows systems (Windows 8.x and later) after 1 January 2016, you
    have to dual SHA-1/SHA-2 code-sign all your application files and setups
    using Microsoft Authenticode compatible time stamp and RFC 3161 compliant
    trusted time stamp servers (a SHA-2 compatible code-signing certificate is
    required).

    SHA-2 (SHA-256) was created by the National Institute of Standards and
    Technology (NIST) to replace SHA-1 after mathematical weaknesses were
    discovered in the algorithm. For the past few years, network security
    experts have warned that certificates using the SHA-1 hashing algorithm will
    soon be in danger of being hacked due to consistent advancements in
    computing technology.

    -- How to handle dual code-signing with SetupBuilder 10?

    1. Set the "TimeStamp URL" to a SHA-2 compliant timestamp server.

    For example: http://timestamp.globalsign.com/?signature=sha2

    2. In the Script Editor, set the Secure Hash Algorithm to "dual".

    #pragma CODESIGN_SHA = "12"

    3. In the Script Editor, set the timestamp server for the SHA-1 signature to
    a Microsoft Authenticode compatible timestamp server.

    #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

    Note: You need Microsoft SignTool.exe version 6.2.9200.16384 or later to
    support dual SHA-1/SHA-2 code-signing.

    --
    Friedrich Linder
    Lindersoft | SetupBuilder | www.lindersoft.com
    954.252.3910 (within US) | +1.954.252.3910 (outside US)

    --SetupBuilder "point. click. ship"
    --Helping You Build Better Installations
    --Create Windows 10 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner
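    The two SignTool passes that the three settings above configure (SHA-1 first with an Authenticode timestamp, then an appended SHA-256 signature with an RFC 3161 timestamp), followed by a verification of both signatures, as an added PowerShell example rather than SetupBuilder's own code. The file path, PFX path and password parameters and the SignTool location are assumptions; the two timestamp URLs are the ones given in the post.

```powershell
# Added example: dual SHA-1/SHA-2 Authenticode signing with signtool.exe.
# Parameters (file, PFX, password, signtool path) are assumed, not from SetupBuilder.
param(
    [Parameter(Mandatory)][string]$File,         # file to sign, e.g. .\setup.exe
    [Parameter(Mandatory)][string]$Pfx,          # SHA-2 compatible code-signing certificate
    [Parameter(Mandatory)][string]$PfxPassword,
    # Microsoft Authenticode (non-RFC 3161) timestamp server for the SHA-1 signature
    [string]$Sha1TimestampUrl = 'http://timestamp.comodoca.com/authenticode',
    # RFC 3161 timestamp server for the SHA-256 signature
    [string]$Sha2TimestampUrl = 'http://timestamp.globalsign.com/?signature=sha2',
    [string]$SignTool = 'signtool.exe'
)

$ErrorActionPreference = 'Stop'

# /as (append signature) needs SignTool 6.2.9200.16384 or later; show what is in use.
$ver = (Get-Item (Get-Command $SignTool).Path).VersionInfo.FileVersion
Write-Host "Using $SignTool $ver"

# Pass 1: SHA-1 file digest (/fd sha1) as the primary signature, timestamped with
# the Authenticode protocol (/t). This is the signature older Windows versions check.
& $SignTool sign /f $Pfx /p $PfxPassword /fd sha1 /t $Sha1TimestampUrl /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit code $LASTEXITCODE)" }

# Pass 2: SHA-256 file digest appended as a nested signature (/as), timestamped via
# RFC 3161 (/tr) with a SHA-256 timestamp digest (/td).
& $SignTool sign /f $Pfx /p $PfxPassword /fd sha256 /tr $Sha2TimestampUrl /td sha256 /as /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit code $LASTEXITCODE)" }

# Verify under the default Authenticode policy (/pa); /all checks every signature
# in the file, not only the primary one, so a missing second signature is caught.
& $SignTool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed (exit code $LASTEXITCODE)" }
```

    Run the script once per file that SetupBuilder would sign; the order matters, since the SHA-1 signature must be the primary one and the SHA-256 signature the nested one.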

  2. #2

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Saved!

    Thanks!

    --

    Russ Eggen
    RADFusion International, LLC

  3. #3

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Very nice!
    Thank you!

    Best regards,
    Jeffrey

  4. #4

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Hi Friedrich,

    > It has been some time since we've had the "Tips & Tricks" column. Many

    Would you mind if I put this up in the Icetips Articles? This is
    invaluable information!

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  5. #5

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Hi Arnor,

    >> It has been some time since we've had the "Tips & Tricks" column.
    >
    > Would you mind if I put this up in the Icetips Articles? This is
    > invaluable information!

    Absolutely no problem! Please feel free to put this up in the Icetips
    Articles!

    Friedrich

  6. #6

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Hi Friedrich,

    > Absolutely no problem! Please feel free to put this up in the Icetips
    > Articles! Friedrich

    Thank you!

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  7. #7

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Hi Friedrich,

    > Absolutely no problem! Please feel free to put this up in the Icetips
    > Articles! Friedrich

    http://www.icetips.com/articles.php?articlecategory=29
    http://www.icetips.com/showarticle.php?articleid=1566
    http://www.icetips.com/showarticle.php?articleid=1567

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  8. #8

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    > #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

    This line is used for the dual coding of the setup.exe?

    I started with:

    #pragma CODESIGN_SHA = "12"

    without the #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode" line.

    And all my DLLs and EXEs are dual code-signed after having changed to
    a proper timeserver.

    Best regards

    Edvard Korsbæk

  9. #9

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Hi Edvard,

    > This line is used for the dual coding of the setup.exe?

    It's used for both the "setup.exe" and "#code-sign application..." compiler
    directive.

    Friedrich

  10. #10

    Re: SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

    Edvard,

    Just tried CodeSigning using the #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"
    line and CodeSigning failed.

    Used your method and CodeSigning worked and Dual-signed.

    Thanks for your suggestion, though I would like to know why the other
    method does not work.

    Bob
