
Thread: SB10 Tips & Tricks #4: Dual code-signing in SetupBuilder 10 Build 5074 and later


    -- SB10 Tips & Tricks #4: Dual code-signing in SetupBuilder 10 Build 5074
    and later

    Background: Organizations need to develop a migration plan for SHA-1 code
    signing certificates that expire after January 1, 2016. To support older
    Windows operating systems (e.g. Windows XP, Vista, early Windows 7 versions)
    and modern Windows systems (Windows 8.x and later) after 1 January 2016, you
    have to dual SHA-1/SHA-2 code-sign all your application files and setups
    using Microsoft Authenticode compatible time stamp and RFC 3161 compliant
    trusted time stamp servers (SHA-2 based code-signing certificate is

    SHA-2 (SHA-256) was created by the National Institute of Standards and
    Technology (NIST) to replace SHA-1 after mathematical weaknesses were
    discovered in the algorithm. For the past few years, network security
    experts have warned that certificates using the SHA-1 hashing algorithm will
    soon be in danger of being hacked due to consistent advancements in
    computing technology.

    -- How to handle code-signing in SetupBuilder 10 Build 5074 and later?

    There is a new "Code-Signing" tab in the SetupBuilder 10 IDE Options (see
    attached screenshots). It lets you specify your PFX file, the PFX password,
    the SHA-1 and SHA-2 timestamp servers.

    You can use the new "Global SHA-1 only", "Global SHA-2 only" and "Global
    SHA-1 & SHA-2 dual" options to make your life easier. The compiler will
    automatically use the code-signing configuration from the "global" IDE

    For example: you have an old project with "#code-sign application..."
    directives and you would like to switch from SHA-1 to dual SHA-1/SHA-2
    signing. You simply select the "Global SHA-1 & SHA-2 dual" IDE option and
    compile. That's it. No need to change anything in your project. The
    global code-signing configuration always "wins" over the local project

    Or you would like to use dual SHA-1/SHA-2 signing for all your new projects.
    If the "Global SHA-1 & SHA-2 dual" IDE option is selected then the project
    will automatically use the "global" code-sign configuration for dual

    But if you still need the flexibility to handle code-signing on a
    per-project basis via #pragma CODESIGN_SHA, select the (default) "Use local
    code-signing configuration from project" option and the global configuration
    feature is disabled.


    To use a SHA-2 based code-signing certificate for dual SHA-1/SHA-2 signing
    you need:

    1. SetupBuilder 10.

    2. Windows 8.x or Windows 10.

    3. SignTool.exe version 6.2.9200.16384 or later.

    You can use the 'Help' > 'Get Microsoft SignTool' menu bar option to
    download and install SignTool 10.0.10240.16384 directly from the Microsoft

    4. Microsoft Capicom installed and registered.

    You can use the following tool to install Capicom:

    Happy code-signing!

    Friedrich Linder
    Lindersoft | SetupBuilder |
    954.252.3910 (within US) | +1.954.252.3910 (outside US)

    --SetupBuilder "point. click. ship"
    --Helping You Build Better Installations
    --Create Windows 10 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner
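
What dual SHA-1/SHA-2 signing looks like when done by hand with SignTool, as an added example that is not part of the original post and not SetupBuilder's own code. The file paths and both timestamp server URLs are placeholders to replace with your own values; the two-pass order (SHA-1 first, SHA-256 appended) is an assumption about a typical manual workflow.

```powershell
# Added example: manual dual SHA-1/SHA-256 Authenticode signing with SignTool.
# Every path and URL below is a placeholder (assumption), not a value from the post.
$SignTool = 'C:\path\to\signtool.exe'                  # SignTool 6.2.9200.16384 or later
$Pfx      = 'C:\path\to\codesign.pfx'                  # SHA-2 based code-signing certificate
$Target   = 'C:\path\to\setup.exe'                     # file to sign
$Sha1Tsa  = 'http://<authenticode-timestamp-server>'   # Authenticode-compatible timestamp URL
$Sha2Tsa  = 'http://<rfc3161-timestamp-server>'        # RFC 3161 timestamp URL

# Prompt for the PFX password instead of storing it in the script.
# Note: /p still places it on the signtool command line for the life of that process.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    # Treat any non-zero exit code (errors and warnings) as a failed build step.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool exited with code $LASTEXITCODE"
    }
}

try {
    # Pass 1: primary SHA-1 signature with an Authenticode timestamp (/t),
    # the signature older Windows versions validate.
    Invoke-SignTool @('sign', '/f', $Pfx, '/p', $plain,
                      '/fd', 'sha1', '/t', $Sha1Tsa, $Target)

    # Pass 2: append (/as) a SHA-256 signature with an RFC 3161 timestamp
    # (/tr) whose own digest is SHA-256 (/td). Without /as the first
    # signature would be replaced instead of kept alongside.
    Invoke-SignTool @('sign', '/f', $Pfx, '/p', $plain, '/as',
                      '/fd', 'sha256', '/tr', $Sha2Tsa, '/td', 'sha256', $Target)

    # Verify every embedded signature (/all) against the default
    # Authenticode policy (/pa); /v lists each signature's digest
    # algorithm and timestamp so both can be confirmed in the build log.
    Invoke-SignTool @('verify', '/pa', '/all', '/v', $Target)
}
finally {
    $plain = $null   # drop the plaintext copy of the password
}
```

Running the verify step in the build is what catches a missing second signature: a file signed only with SHA-1 still verifies on its own, so check that the `/v` output lists two signatures.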