
Thread: SHA-2 code-signing on old Windows 7 SP1 machines

  1. #1

    SHA-2 code-signing on old Windows 7 SP1 machines

    All,

    if you still have to support SHA-2 code-signing on older Windows 7 machines,
    the following might help.

    To handle SHA-2 code-signing (including SHA-2 time-stamping) on Windows 7
    SP1 you need:

    1. SetupBuilder 10.

    2. Windows 7 SP1.

    3. SignTool.exe version 6.1.7000.0.

    4. Microsoft Capicom installed and registered.

    You can use the following tool to install Capicom:
    http://www.lindersoft.com/forums/sho...3010#post53010

    Note 1: you can't use SIGNTOOL.EXE Version 6.1.7000 to handle dual
    SHA-1/SHA-2 code-signing. Only SHA-2 signing works.

    Note 2: it all depends on the Windows OS patch level. Some more information
    here:
    http://www.lindersoft.com/forums/sho...6115#post86115

    Hope this helps.

    --
    Friedrich Linder
    Lindersoft | SetupBuilder | www.lindersoft.com
    954.252.3910 (within US) | +1.954.252.3910 (outside US)

    --SetupBuilder "point. click. ship"
    --Helping You Build Better Installations
    --Create Windows 10 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner

  2. #2

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Friedrich,

    > Note 1: you can't use SIGNTOOL.EXE Version 6.1.7000 to handle dual
    > SHA-1/SHA-2 code-signing. Only SHA-2 signing works.

    But if you have 6.3.9600 you can.

    --
    Lee White

    RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
    Report Faxing.....: http://www.cwaddons.com/products/afe/
    ---Enroll Today---: http://CWaddons.com

    Creative Reporting: http://www.CreativeReporting.com

    Product Release & Update Notices
    http://twitter.com/DeveloperPLUS

    Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
    And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

  3. #3

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Lee,

    >> Note 1: you can't use SIGNTOOL.EXE Version 6.1.7000 to handle dual
    >> SHA-1/SHA-2 code-signing. Only SHA-2 signing works.
    >
    > But if you have 6.3.9600 you can.

    Yes and no <g>. The main problem with 6.3.9600 and Windows 7 is that you
    need a very *very* specific patch level to get it to work with SHA-2
    (timestamping). On most machines SIGNTOOL 6.3.9600 crashes or does not
    create a valid SHA-2 timestamp.

    Friedrich

  4. #4

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Hi Friedrich,

    My findings on Win7 with SIGNTOOL 6.3.9600 are that SHA256 is correctly
    generated but kills the previously created SHA1. What is the asset of having
    both SHA1 as well as SHA256 anyway?

    Sim

  5. #5

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Hi Sim,

    > My findings on Win7 with SIGNTOOL 6.3.9600 are that SHA256 is correctly
    > generated but kills the previously created SHA1. What is the asset of
    > having both SHA1 as well as SHA256 anyway?

    Only SetupBuilder 10 can handle "dual" code-signing. Previous SB versions
    do not know anything about dual code signatures.

    Friedrich

  6. #6

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    >> My findings on Win7 with SIGNTOOL 6.3.9600 are that SHA256 is correctly
    >> generated but kills the previously created SHA1. What is the asset of
    >> having both SHA1 as well as SHA256 anyway?
    >
    > Only SetupBuilder 10 can handle "dual" code-signing. Previous SB versions
    > do not know anything about dual code signatures.

    BTW, my previous screenshot taken on a Windows 7 machine shows a GPF when
    code-signing a file with SHA-2 and adding a required SHA-2 timestamp. It
    works fine with SIGNTOOL 6.3.9600 using a non-SHA-2 timestamp or no
    timestamp at all.

    http://www.lindersoft.com/forums/sho...6115#post86115

    You need at least a SHA-2 signature with a SHA-2 timestamp. Or better, a
    SHA-1 signature with SHA-1 timestamp *and* SHA-2 signature with SHA-2
    timestamp (aka "dual" code-signed).

    Friedrich
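
    Added example, not part of the original posts and not SetupBuilder's own code: the dual signing described in #6, done by hand with a SignTool build that supports /as, /fd, /tr and /td. Without /as, a second `sign` run replaces the existing signature instead of adding to it. The SignTool path, certificate thumbprint, file name and both timestamp URLs are placeholders, and the text matched in SignTool's verbose output is an assumption about that build's wording.

    ```powershell
    # Added example: dual-sign one file, then confirm both signatures survived.
    # All values below are placeholders (assumptions), not taken from the thread.
    $SignTool   = 'C:\Tools\signtool.exe'              # build with /as, /fd, /tr, /td
    $Thumbprint = '<CERT-SHA1-THUMBPRINT>'             # selects the cert in the store
    $LegacyTsa  = 'http://timestamp.example.com/authenticode'
    $Rfc3161Tsa = 'http://timestamp.example.com/rfc3161'
    $File       = 'C:\Build\setup.exe'

    function Invoke-SignTool {
        param([string[]]$Arguments)
        & $SignTool @Arguments
        if ($LASTEXITCODE -ne 0) {
            throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
        }
    }

    # 1. Primary signature: SHA-1 file digest with a legacy (/t) timestamp.
    #    Note: /sha1 picks the certificate by thumbprint; /fd sets the file digest.
    Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/fd', 'sha1',
                      '/t', $LegacyTsa, $File)

    # 2. Secondary signature: /as appends rather than replaces. SHA-256 file
    #    digest, RFC 3161 timestamp (/tr) with a SHA-256 timestamp digest (/td).
    Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/as', '/fd', 'sha256',
                      '/tr', $Rfc3161Tsa, '/td', 'sha256', $File)

    # 3. Verify every signature on the file, not only the primary one.
    $report = & $SignTool verify /pa /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "verification failed for $File" }

    # 4. Check that both digests are present. The patterns below assume the
    #    verbose output names the file digest as "Hash of file (<alg>)".
    $hasSha1   = [bool]($report | Select-String -Pattern 'Hash of file \(sha1\)')
    $hasSha256 = [bool]($report | Select-String -Pattern 'Hash of file \(sha256\)')
    if (-not ($hasSha1 -and $hasSha256)) {
        throw "expected SHA-1 and SHA-256 signatures; found sha1=$hasSha1 sha256=$hasSha256"
    }
    "Dual signature present on $File"
    ```

    If step 2 crashes or yields an invalid timestamp on Windows 7, that matches the patch-level problem reported for 6.3.9600 in #3 and #6.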

  7. #7

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Friedrich,

    > > But if you have 6.3.9600 you can.
    >
    > Yes and no <g>. The main problem with 6.3.9600 and Windows 7 is that you
    > need a very *very* specific patch level to get it to work with SHA-2
    > (timestamping). On most machines SIGNTOOL 6.3.9600 crashes or does not
    > create a valid SHA-2 timestamp.

    See? I always KNEW I was special.... or is that spatial?

    All I can report is that the current, and static (no updates), Win7 I
    use handles it... as to exactly WHY, beats me!<g>

    If memory serves I did have to jump through some hoops and install a
    few things to make it work but I have no idea what they were.

    --
    Lee White


  8. #8

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Were there any bears chasing you? <g>

    >
    >If memory serves I did have to jump through some hoops and install a
    >few things to make it work but I have no idea what they were.

    Jeff Slarve
    www.jssoftware.com

    Untie that A-String

  9. #9

    Re: SHA-2 code-signing on old Windows 7 SP1 machines

    Jeff,

    > Were there any bears chasing you? <g>

    Now that you mention it...

    Lee White
