PDA

View Full Version : Playing with 8.5.4648


NewsArchive
01-05-2015, 04:13 AM
Gruß Friedrich!
Happy New Year and Happy New 8.5!

A few random observations following my replies to Craig.

Playing with code-signing with 8.5.4648

As I mentioned to Craig, I tried kludging the newer signtool (from 8.1) onto
my Win7 machine.

Copying it along with mssign32.dll, the 3161 timestamp does work.

If I use that along with my own batch file, it will sign SHA256 or SHA512
and timestamp with a 3161 server.

In SB on the Win7 machine
1. it will timestamp with a 3161 server
2. it will NOT work with the SHA pragma set to 12 or to 2

On my Win 8.1 VM, where the tools are legitimately installed, everything
works correctly.

But a suggestion -
maybe somehow flag which timestamp servers work with 3161?

Experimenting,
using http://timestamp.comodoca.com/rfc3161 (which I found on comodo's
website) does work.
using http://timestamp.comodoca.com/authenticode (from the dropdown in SB)
does NOT work.
using http://timestamp.verisign.com/scripts/timstamp.dll (from the dropdown
in SB8) does NOT work.
using http://timestamp.globalsign.com/scripts/timestamp.dll (from the
dropdown in SB8) DOES work.
using http://timestamp.geotrust.com (from the dropdown in SB8) does NOT
work.

One other oddity... since I moved SB to my 8.1 VMware machine.
Intermittently, code-signing fails if I'm signing a file in the installer
and the installer itself.
It will sign the included file and the uninstaller, then fail on the
installer.

But all is fine if I disable AVG.

So many options. So few brain cells.

Thanks for slaving over a hot keyboard!

Jane
NewsArchive
01-05-2015, 04:14 AM
Hi Jane!

Thanks for this post and the two replies to my earlier one.

Craig E. Ransom
Tracker Software Products, Ltd.
http://tracker-software.com/
NewsArchive
01-05-2015, 07:34 AM
Hi Jane,

HAPPY NEW YEAR :)

> If I use that along with my own batch file, it will sign SHA256 or SHA512
> and timestamp with a 3161 server.

What command line are you using?

> In SB on the Win7 machine
> 1. it will timestamp with a 3161 server
> 2. it will NOT work with the SHA pragma set to 12 or to 2

I think it requires a very specific Windows 7 patch level and/or specific
signtool.exe version (and/or dependency). I have one clean Windows 7 where
signtool.exe GPFs during the timestamping process. The same works perfect
on another Windows 7 machine and on Windows 8.1 and Windows 10. All these
issues are not documented by Microsoft :-(

I think I'll set the default back to "non-3161" timestamping. It still
causes too many problems (especially on older operating systems).

> On my Win 8.1 VM, where the tools are legitimately installed, everything
> works correctly.

> But a suggestion -
> maybe somehow flag which timestamp servers work with 3161?

Good idea. And I'll add the 3161 Comodo server. Did not know they have
one.

> One other oddity... since I moved SB to my 8.1 VMware machine.
> Intermittently, code-signing fails if I'm signing a file in the installer
> and the installer itself.
> It will sign the included file and the uninstaller, then fail on the
> installer.
>
> But all is fine if I disable AVG.

What you can do is to add the signtool.exe to your AVG "exclusion" list.
AVG "blocks" your signtool.exe utility when calling it multiple-times
(false-positive bug). As a result, it can't send the hash to the timestamp
server.

Friedrich
NewsArchive
01-05-2015, 07:37 AM
Okay, some more information:

I have tested the 6.2.9200.16384 signtool.exe in combination with
mssign32.dll on Windows 7, Windows 8, Windows 8.1 and Windows 10.

On a clean Windows 7, timestamp with a 3161 server works. SHA-2
code-signing does NOT work (results in a "Multiple signature support not
implemented" error).

The same process with the very same 6.2.9200.16384 files works fine on
Windows 8.0, Windows 8.1 and Windows 10. Both timestamping with a 3161
server and SHA-2 signing.

@Jane: you said that you can SHA-2 sign via the command line on your Windows
7 machine. The SetupBuilder compiler is using the following format:

signtool.exe sign /as /fd sha256 /f "mykey.pfx" /p
"topsecretpasswordgoeshere" /du "www.lindersoft.com" /d "test" /tr
"http://timestamp.geotrust.com" /td sha256 /v "sb8.exe"

What command line are you using? I think you are using the signtool.exe
from the 8.1 SDK, so perhaps this makes a difference on Windows 7?

Thanks,
Friedrich
NewsArchive
01-05-2015, 11:31 AM
Won't have time to write until I get home tonight.

My batch file (that does work on the Win7 machine with the copied signtool
and DLL) is

signtool sign /f Jane14.pfx /p TopSecret!! /tr
http://timestamp.globalsign.com/scripts/timestamp.dll /td sha256 /d "Groovy
Software" /du http://www.beachbunnysoftware.com/ /fd SHA256 /v %1

I haven't tried /as on this machine to do a dual signature.

More tonight...

Jane
NewsArchive
01-05-2015, 11:38 AM
Thank you, Jane !!! I think your signtool.exe versions 6.3.9600.16384 is
what makes the difference here.

The older signtool.exe version 6.2.9200.16384 works fine on Windows 8.0,
Windows 8.1 and Windows 10 (timestamp with a 3161 server, SHA-2 and dual
SHA-1/SHA-2 signing). Perhaps Microsoft fixed it with 6.3.9600.16384.
We'll have to check this.

Friedrich