View Full Version : Comodo cert steps
NewsArchive
03-27-2015, 01:50 AM
I can't find Jane's excellent write up on the steps needed after you get
your Comodo cert. I believe these steps are streamlined now.
Anyone have a link?
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-27-2015, 01:51 AM
http://www.beachbunnysoftware.com/SB/Comodo2014.pdf is the most recent
one that I know of.
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-27-2015, 01:52 AM
Russ,
> Anyone have a link?
What Jeff said or...
http://www.lindersoft.com/Comodo2014.pdf
Open and chew!<g>
Lee White
NewsArchive
03-27-2015, 01:52 AM
>
> Anyone have a link?
>
Or this one... :-)
http://www.lindersoft.com/forums/showthread.php?23099
Friedrich
NewsArchive
03-27-2015, 01:52 AM
Tanks!
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-01-2015, 02:19 AM
Hi Friedrich,
In two months (June 2015) we have to renew again, for 3 years.
Question:
When I codesign my application executable (build with Clarion 6.3 9058)
with SHA-2 and some users will run this executable on (for example)
Windows XP SP2, will my application still run/start? Or will they get an
error that XP SP3 is required?
Best regards,
Jeffrey
NewsArchive
04-01-2015, 08:09 AM
Hi Jeffrey,
> In two months (June 2015) we have to renew again, for 3 years.
>
> Question:
> When I codesign my application executable (build with Clarion 6.3 9058)
> with SHA-2 and some users will run this executable on (for example)
> Windows XP SP2, will my application still run/start? Or will they get an
> error that XP SP3 is required?
Windows XP SP3 users that download an executable signed with SHA-256 will
see the EXE as unsigned. They will, however, be able to run it just as if
it were an unsigned EXE.
Windows XP SP2 and older users that download an executable signed with
SHA-256 will see the EXE as unsigned. They "should" be able to run it just
as if it were an unsigned EXE, but no guarantee!
Windows Vista SP2 users that download an executable signed with SHA-256 will
see the EXE as unsigned, but be able to run it as if it were unsigned.
Windows Vista users or Vista users who have not applied KB2763674 will have
the executable silently fail when running it.
BTW, you can still use SHA-1 when you code-sign with your new SHA-2
compliant certificate.
Friedrich
NewsArchive
04-01-2015, 08:09 AM
Hi Friedrich,
> BTW, you can still use SHA-1 when you code-sign
> with your new SHA-2 compliant certificate.
That is very good to hear! :-)
But how/where can I set this to SHA-1 when code signing with SB 8.5?
Best regards,
Jeffrey
NewsArchive
04-01-2015, 08:10 AM
Hi Jeffrey,
> > BTW, you can still use SHA-1 when you code-sign
> > with your new SHA-2 compliant certificate.
>
> That is very good to hear! :-)
> But how/where can I set this to SHA-1 when code signing with SB 8.5?
The SetupBuilder 8.5 compiler supports SHA-1 (the default), SHA-2 and "dual"
SHA-1/SHA-2 code-signing. You need the SHA-2 compatible SignTool.exe from
Microsoft and set the new CODESIGN_SHA #pragma in your script. That's all
you have to do :-)
1. Download SignTool.exe Version "6.2.9200.16384" or later.
2. Point to the new SignTool.exe in the SetupBuilder IDE:
IDE -> Tools | Options... | File Locations tab
3. In the script, set the CODESIGN_SHA #pragma.
#pragma CODESIGN_SHA = "2" --> Use SHA-2
#pragma CODESIGN_SHA = "12" --> Use "dual/hybrid" SHA-1/SHA-2
Does this help?
Friedrich
NewsArchive
04-01-2015, 08:10 AM
BTW, the SetupBuilder dual (hybrid) SHA-1/SHA-2 code-signing feature
code-signs your setups/apps with SHA-1 and SHA-2. So you have two
signatures to cover all kind of Windows OS ;-)
Friedrich
NewsArchive
04-01-2015, 08:10 AM
Is that the recommended method currently?
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-01-2015, 08:11 AM
More detailed information:
http://www.lindersoft.com/forums/showthread.php?44897&p=80920
Friedrich
NewsArchive
04-01-2015, 08:11 AM
Thanks Friedrich,
SB just ROCKS!! :-)
Final question:
I also use a batch file with for example this line:
signtool sign /f MyCertificateFile.pfx /p MyPassword /t
http://timestamp.comodoca.com/authenticode /d "File Description" MyApp.exe
Do I have to change something in order to use SHA-1/SHA-2?
Best regards,
Jeffrey
NewsArchive
04-01-2015, 08:11 AM
>
> SB just ROCKS!! :-)
>
Thank you :-)
> Final question:
> I also use a batch file with for example this line:
>
> signtool sign /f MyCertificateFile.pfx /p MyPassword /t
> http://timestamp.comodoca.com/authenticode /d "File Description" MyApp.exe
>
> Do I have to change something in order to use SHA-1/SHA-2?
Why don't you use the "#code-sign application..." compiler directive and let
SetupBuilder do the dirty work for you? ;-)
Friedrich
NewsArchive
04-01-2015, 08:12 AM
MS does not make this easy. When I search for signtool, I get a lot of
links with all sorts of versions, names and for versions of .NET and no
version numbers visible in the links I visited. Do you have a link?
> 1. Download SignTool.exe Version "6.2.9200.16384" or later.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-01-2015, 12:38 PM
Russ,
>
> Is that the recommended method currently?
>
The problem is that lots of users are still running "unsupported" Windows
versions. Microsoft is doing dual SHA-1/SHA-2 code-signing for tools that
can be used on "outdated" Windows versions. It's not really documented.
They are doing SHA-2 for new tools (which are not compatible with older
Windows versions).
Friedrich
NewsArchive
04-01-2015, 12:38 PM
Your prose in your doc and messages are quite clear and precise. It
reads far more better than the American tech writers working at
Microsoft! :-)
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-01-2015, 12:39 PM
> Your prose in your doc and messages are quite clear and precise. It reads
> far more better than the American tech writers working at Microsoft! :-)
<g> Thank you :-)
Friedrich
NewsArchive
04-01-2015, 12:40 PM
Hi Friedrich,
> Why don't you use the "#code-sign application..."
> compiler directive and let
> SetupBuilder do the dirty work for you? ;-)
I know this directive, but sometimes I have to run my own batchfile to
"quick and dirty" sign some exe/dll files.
So do I have to change something in order to use SHA-1/SHA-2?
Thanks!
Best regards,
Jeffrey
NewsArchive
04-01-2015, 12:41 PM
> MS does not make this easy. When I search for signtool, I get a lot of
> links with all sorts of versions, names and for versions of .NET and no
> version numbers visible in the links I visited. Do you have a link?
As far as I know, signtool.exe (6.3.9600.16384) is part of the Windows SDK
8.1. You need 6.3.9600.16384 (or later) to fix a RFC-3161 code-signing
issue on Windows 7.
See private email.
Friedrich
NewsArchive
04-01-2015, 12:41 PM
Thanks - got it.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
04-02-2015, 02:22 AM
> I know this directive, but sometimes I have to run my own batchfile to
> "quick and dirty" sign some exe/dll files.
Why not just create a simple utility script in SetupBuilder that takes a
command line parameter for the filename?
Then you just call it from your batch file (with the full path and
filename, retrieve that in SetupBuilder and let it do the code sign for?
You could even use the #copy directive then to put the signed version where
you want it to be.
Little SetupBuilder utility tools like this are a lot easier than trying to
get batch files to work IMHO.
:-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
NewsArchive
04-02-2015, 02:23 AM
Charles Edmonds,
> Little SetupBuilder utility tools like this are a lot easier than trying to
> get batch files to work IMHO.
And powerful too!
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Creative Reporting: http://www.CreativeReporting.com
Product Release & Update Notices
http://twitter.com/DeveloperPLUS
Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
NewsArchive
04-02-2015, 02:23 AM
Good idea Charles!
Thanks for the tip.
Best regards
Jeffrey
NewsArchive
04-02-2015, 02:23 AM
I am also interested in this link.
Best regards,
Jeffrey
NewsArchive
04-03-2015, 02:22 AM
Hi Friedrich,
In the past I ordered the certificate from my VM with Windows XP/IE8.
Is this still safe?
I can also use my Windows 7 machine with IE9 (32 or 64 bit?).
Best regards,
Jeffrey
NewsArchive
04-03-2015, 02:23 AM
Hi Jeffrey,
> In the past I ordered the certificate from my VM with Windows XP/IE8.
> Is this still safe?
>
> I can also use my Windows 7 machine with IE9 (32 or 64 bit?).
I would suggest to use Windows 7 (or later) with Internet Explorer. The
certificate will make it directly into your IE certificate store. After
that, you can export it to a .PFX and use it in SetupBuilder.
Here is an interesting link:
http://www.lindersoft.com/forums/showthread.php?23099
http://www.lindersoft.com/Comodo2014.pdf
Does this help?
Friedrich
NewsArchive
04-03-2015, 02:23 AM
Hi Friedrich,
> Does this help?
Ja, vielen Dank!
Best regards,
Jeffrey
NewsArchive
04-03-2015, 02:23 AM
Hi Jeffrey,
>
> Ja, vielen Dank!
>
You are very welcome :-)
Friedrich
NewsArchive
04-08-2015, 02:36 AM
Hi Friedrich,
I still use SB 8.5 in my VM with Windows XP SP3.
Will the new signtool.exe (32-bits version) also work under Windows XP SP3
and can I use the dual (hybrid) SHA-1/SHA-2 code-signing feature?
Best regards
Jeffrey
NewsArchive
04-08-2015, 02:36 AM
Hi Jeffrey,
> I still use SB 8.5 in my VM with Windows XP SP3.
> Will the new signtool.exe (32-bits version) also work under
> Windows XP SP3 and can I use the dual (hybrid) SHA-1/SHA-2
> code-signing feature?
No, the new signtool.exe does not work on XP. Signtool.exe version
6.3.9600.16384 needs Windows 7 and later. The older signtool.exe version
6.2.9200.16384 (not recommended!) needs Windows 8 and later.
Friedrich
NewsArchive
04-08-2015, 05:04 AM
Hi Friedrich,
Ok, I see.
But can I still (for the time being) use SHA-1 with my new Comodo
certificate I got yesterday from Comodo, with SB 8.5 under Windows XP?
(Of course with the signtool.exe/capicom.dll from 2008.)
BTW: Did you receive my private mail about version 6.2.9200.16384 ?
Best regards,
Jeffrey
NewsArchive
04-08-2015, 05:05 AM
Hi Jeffrey,
> Ok, I see.
>
> But can I still (for the time being) use SHA-1 with my new Comodo
> certificate I got yesterday from Comodo, with SB 8.5 under Windows XP? (Of
> course with the signtool.exe/capicom.dll from 2008.)
Yes, you can still use the old pre-6.2.9200.16384 signtool.exe under Windows
XP with your new certificate!
>
> BTW: Did you receive my private mail about version 6.2.9200.16384 ?
>
Yes, sorry. Should read "6.2.9200.16384" and not "6.3.9600.16384" in my
email.
Friedrich
NewsArchive
04-08-2015, 05:05 AM
Great, thanks!
Best regards,
Jeffrey
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.