My code-signing certificate was expiring, so time to face the Comodo ordeal
again.

And to encounter the new (to me) wrinkle of SHA-2.

In case it might help anybody, I put together a few notes and screen shots
of the process:

http://www.beachbunnysoftware.com/SB/Comodo2014.pdf

Jane

Thank you SO MUCH, Jane. Working on built-in support for SHA-2.

Friedrich

This SHA-2 stuff is all new to me, Friedrich.
The screen shots showing the intermediate chain signatures from Comodo still
show SHA-1 hashes. But at least the "primary signature" shows the longer
hash. So I hope that means all's OK.

Since SB has to rely on the version of signtool.exe that your customers have
installed, that will also be a factor. As I said, my 2006 (!!) version of
signtool doesn't recognize the /fd switch.

I can update this PDF after you decide how you're going to implement SHA-2
in SB.

Jane

Hi Jane,

I think the new SHA-2 option is available now because as of late August
2013, all valid (not expired, not revoked) Comodo
Code Signing Certificates can be used for Kernel-Mode Code Signing (Windows
Vista and greater).

As far as I can see, only SignTool.exe from the Windows 8 WDK supports
SHA-2.

Friedrich

Does that mean that SHA-2 can only be signed in Win8+ machines?

Thanks

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Thank you!

J André Labuschagné

Thanks Jane! Definitely looks like the process is streamlined when
compared to the past.

But I'm a bit lost with the SHA-1/2 type thing. Do you apply that with
a different tool after you export it or does Comodo deliver it that way
since you did make a preference during the order process?

--

Russ Eggen
RADFusion International, LLC

As a follow-up, any downside to SHA-1? I know its deprecated, but aside
from that...

--

Russ Eggen
RADFusion International, LLC

All I can do, Russ, is cast lotus blossoms upon the waters and admire their
drift....

I proclaim my ignorance of the implications and mechanics of the SHA-1
deprecation, and will await eventual enlightenment from Friedrich.

As always ;-)


Jane

Okey-doke.

--

Russ Eggen
RADFusion International, LLC

Thanks a lot, Jane. I'd better save that off right now.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

> My code-signing certificate was expiring, so time to face the Comodo ordeal
> again.

Jane,

Thanks Much! Excellent! Many will find this extremely helpful as they go
through the process now or near future.

one minor slip during Chat -

Tina: Jane Fleming available at this # now

you: Yes

Tina: okay he (Jane!) will receive call in a couple minutes.

OK, maybe Tina listened to "A Boy Named Sue" one too many times! :-)

Having your call back phone number easily verifiable was a plus for you -
probably one of the biggest hangup for others currently if you don't have a
D&B account you can easily access and change number.

Thanks again - Cheers!

David

--
From David Troxell - Product Scope 8.5! - Encourager Software
Email - mailto:pe_Remove_@_Me_encouragersoftware.com
http://www.encouragersoftware.com/product-scope-major-features.html

Russ,

I know that Symantec support is very busy because support for SHA-2 is not
really there for a lot of systems and they recommend to use SHA-1 to
code-sign for Win7 and Win8.

I have contacted Comodo to see what they say.

Friedrich

Thanks. I think I have another year on my 3 year window. By the time I
need to renew, perhaps that subject will be settled.

Some folks like putting all the newest features in their stuff, I look
at it more towards "does it make business sense?" Thus I was wondering
what SHA-2 gives us over SHA-1. If it turns out to be important (like
UAC and code signing affected installs), I'll use it.

--

Russ Eggen
RADFusion International, LLC

David,

LOL... I don't think English is the mother tongue of the Comodo people,
Anglicized names notwithstanding.

I'm just glad they speak English much better than I speak Hindi or Turkish
or .....

I have not deliberately created anything with D&B and have never paid them.
Somehow, they've dredged up my name some years back and I have gotten
occasional mailings from them asking for money... which I've studiously
ignored.

Cheers,

Jane

Thank you so much, Jane!

I have still 100 days before I have to renew, but it makes me fell much better
to know you (in person of your PDF) at my side!

I send you a big hug.

Wolfgang

Regards,
Wolfgang Orth
www.odata.de