
Thread: Dual vs. SHA2 code signing

  1. #1

    Dual vs. SHA2 code signing

    Hi Friedrich,

    My client is using a dual code signing certificate and he noticed that
    recently he is getting the "unknown publisher" warning in Windows 10.

    So we did a test using my Build Automator install. I have one install
    with dual code signing and one with my latest certificate which is SHA2
    only.

    The results: http://www.screencast.com/t/a57gF4yaqJB

    The dual code signed one was fine, but the SHA2 only is showing the
    "dangerous app" warning! This is on Windows 10 Home 64bit with all the
    latest updates (checked as of yesterday afternoon)

    I have smartscreen turned ON on my machine, but for the dual code signed
    install it does not show up and I get the same UAC screen as for the
    dual code signed.

    Where is all this going??? Can we expect to get all installs
    intercepted by SmartScreen every time a new build goes out or what can
    we do?

    Does my client need a SHA2 only certificate to code sign his installs?

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  2. #2

    Re: Dual vs. SHA2 code signing

    Does the same thing happen if you extract the setup from a zip file
    instead of downloading directly?

    Jeff Slarve
    www.jssoftware.com
    Twitter free since Jan 11, 2016
    I'll search help files & Google for you.

    Grammar troll's, are the worse.

  3. #3

    Re: Dual vs. SHA2 code signing

    Hi Jeff,

    > Does the same thing happen if you extract the setup from a zip file
    > instead of downloading directly?

    Good question and I don't have the answer. Realized that I was running
    this from my hard drive while my client downloaded. Will zip up the
    SHA2 one and ask him to re-test it.

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  4. #4

    Re: Dual vs. SHA2 code signing

    Hi Arnor,

    > My client is using a dual code signing certificate and he noticed that
    > recently he is getting the "unknown publisher" warning in Windows 10.
    >
    > So we did a test using my Build Automator install. I have one install
    > with dual code signing and one with my latest certificate which is SHA2
    > only.

    It's very well possible that this is a "reputation" thing. Did you
    code-sign the "dual" signed and the "SHA-2 only" signed app with the *SAME*
    (your latest) certificate? You said "...and one with my latest
    certificate...", that's why I am asking.

    Friedrich

  5. #5

    Re: Dual vs. SHA2 code signing

    Hi Friedrich,

    > It's very well possible that this is a "reputation" thing. Did you
    > code-sign the "dual" signed and the "SHA-2 only" signed app with the *SAME*
    > (your latest) certificate? You said "...and one with my latest
    > certificate...", that's why I am asking.

    Sorry, wasn't clear. No, the dual signed was from February with
    certificate from 2015. The SHA2 is with a month old certificate.

    When *I* run those installs from my local drive they both behave the same.

    But my client's software even when (apparently) successfully code
    signed, is showing "Unknown developer" when he runs his install. I've
    instructed him to check the properties of the installer exe, but have
    not heard back.

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  6. #6

    Re: Dual vs. SHA2 code signing

    Hi Arnor,

    > But my client's software even when (apparently) successfully code signed,
    > is showing "Unknown developer" when he runs his install.
    > I've instructed him to check the properties of the installer exe,
    > but have not heard back.

    Aha, okay! In this case it is a root certificate issue (he did not check
    for updates for some time) or the root certificate update failed.

    Friedrich

  7. #7

    Re: Dual vs. SHA2 code signing

    Hi Friedrich,

    > My client is using a dual code signing certificate and he noticed that
    > recently he is getting the "unknown publisher" warning in Windows 10.

    This gets more bizarre!

    My client checked the properties on his install. Both SHA1 and SHA256
    signatures are present. When he goes into the Details it says "Digital
    Signature Information" and below "This digital signature is not valid."
    If he goes to view the certificate it says "The digital signature of the
    object did not verify." The issuer and valid from/to dates are all there
    and all correct.

    On my installs I get "This digital signature is OK" on both SHA1 and
    SHA256 signatures.

    What is going on?

    Note: This started happening for him about two months ago. Prior to
    that there was no problem. Neither the certificate nor the SB script
    has changed. The certificate is valid from January 2016 until January
    2019. Code signing was done on December 2nd, 2016.

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC

  8. #8

    Re: Dual vs. SHA2 code signing

    Arnor,

    I wonder if his root certificates are messed up or if someone has
    tampered with the file after it was signed.

    If it were me I'd get a zip of his copy of the file and do a byte
    level compare against YOUR copy.

    But Friedrich will probably have something better to suggest!<g>

    --
    Lee White

    RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
    RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
    Report Faxing.....: http://www.cwaddons.com/products/afe/
    ---Enroll Today---: http://CWaddons.com

    Creative Reporting: http://www.CreativeReporting.com

    Product Release & Update Notices
    http://twitter.com/DeveloperPLUS

    Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
    And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

  9. #9

    Re: Dual vs. SHA2 code signing

    Lee,

    >
    > But Friedrich will probably have something better to suggest!<g>
    >

    IMO, it's a typical root certificate "NOT-up-to-date" issue. I ran into
    this myself some weeks ago. I had a virtual machine active for two weeks
    and web update service was disabled (I needed a specific Windows system
    state). Suddenly, it began to display the "Unknown Publisher" warning on
    quite a few code-signed .EXE files. I enabled the web update service and 10
    minutes later it worked fine again.

    Arnor said: "Note: This started happening for him about two months ago.
    Prior to that there was no problem." Similar or same scenario <g>

    Friedrich

  10. #10

    Re: Dual vs. SHA2 code signing

    Hi Lee,

    > I wonder if his root certificates are messed up or if someone has
    > tampered with the file after it was signed.

    My bet would be the root certificate. He builds the installs and he was
    checking a new install.

    Best regards,

    --
    Arnor Baldvinsson
    Icetips Alta LLC
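
Added example, not part of any post in this thread: a PowerShell check that separates the two explanations raised above (file changed after signing vs. a trust-chain/root-store problem) and also reports whether a copy carries the download marker Jeff's zip question is about. The two file paths are placeholders, and the hash comparison only makes sense when both copies come from the same build.

```powershell
# Added example. Paths are hypothetical placeholders, not values from the thread.
param(
    [string]$LocalCopy  = 'C:\build\setup_local.exe',
    [string]$ClientCopy = 'C:\incoming\setup_client.exe'
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    # Zone.Identifier is the alternate data stream Windows attaches to downloaded files.
    $motw = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path        = $Path
        SHA256      = $hash.Hash
        Status      = [string]$sig.Status
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
        Downloaded  = [bool]$motw
    }
}

$local  = Get-SignatureReport -Path $LocalCopy
$client = Get-SignatureReport -Path $ClientCopy
$local, $client | Format-List

# Byte-level comparison of the two copies (same build assumed).
if ($local.SHA256 -eq $client.SHA256) {
    'Copies are identical: any difference in behaviour comes from the machine, not the file.'
} else {
    'Copies differ: the file was altered in transit or they are not the same build.'
}

# Interpret the signature status reported for the client copy on this machine.
switch ($client.Status) {
    'Valid'        { 'Signature and chain verify on this machine.' }
    'HashMismatch' { 'File contents no longer match the signed hash: changed after signing.' }
    'NotSigned'    { 'No Authenticode signature found.' }
    default        { "Signature present but not accepted here: $($client.Message)" }
}
```

Run it on both the build machine and the machine showing the warning; the same file reporting `Valid` on one and a trust error on the other points at the certificate store rather than the installer. `Get-AuthenticodeSignature` reports a single signature, so for a dual-signed file `signtool verify /pa /all /v` is the way to see the SHA1 and SHA256 signatures individually.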
