Comodo Certificate Order [August 25, 2015]



NewsArchive
08-25-2015, 02:46 AM
All,

Requested a new three year Comodo code-signing certificate because our "old"
one (still valid until September 2016) did not support SHA-2. A new
certificate always means you have to build a new "reputation" for it. I
don't want to lose reputation again after one year so I decided to order a
fresh 3-year one.

Here is what I did:

1. Made sure that the WHOIS database for lindersoft.com was up-to-date and
turned OFF domain registrar's privacy service.
2. Ordered the certificate on August 24, 2015 at 4:53 PM from a Windows 7
SP1 (x64) machine using Internet Explorer.
3. Sent required documents immediately to Comodo.
4. Received callback status email from the COMODO Validation Team at 11:24
PM.

Not too bad. That was quick -- only 6 hours. I am good until August 2018
now (1096 days). Yeah!

To start the telephone callback process, I did this:

1. Opened a LiveChat on Comodo's support website. Chat partner "Martin"
started the telephone callback procedure.
2. Received another "Callback" email. In order to review our phone number
and initiate the callback I had to click a link. Then press a button to
get a phone call (DON'T close the window!!).
3. Received the phone call (computer voice) and the "lady" gave me a PIN.
4. I had to enter that PIN in the previous window.
5. 30 seconds later I received a "Your Code Signing Certificate is ready!"
email and collected my new certificate.
6. Exported the certificate to .pfx format.
7. Turned ON domain registrar's privacy service.

All system files for SetupBuilder 10 will be dual SHA-1/SHA-2 code-signed to
be ready for January 1, 2016.

Note: Microsoft will cease trusting Code Signing Certificates using SHA-1 on
January 1, 2016. Organizations need to develop a migration plan for any
SHA-1 code signing certificates that expire after January 1, 2016.

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
08-25-2015, 03:09 AM
LiveChat window, "Your Code Signing Certificate is ready!" email and
certificate collection.

Friedrich

NewsArchive
08-25-2015, 05:59 AM
What happened with the possibility to get a new version with SHA-2 for existing certificates?

Darko

NewsArchive
08-25-2015, 05:59 AM
Darko,

> What happened with possibility to get new version with SHA-2
> for existing certificates?

You will be able to get a free replacement SHA-2 certificate from Comodo if
your current one supports SHA-1 only (e.g. code-signing certificates issued
after 22nd September 2014 which expire after 2015).

Friedrich

NewsArchive
08-25-2015, 06:00 AM
By the way, you can still use the new SHA-2 based certificates to code-sign
with SHA-1. Absolutely no problem. But Microsoft will cease trusting Code
Signing Certificates using SHA-1 on January 1, 2016.

You can use SetupBuilder 10 to code-sign your files and installations with
SHA-1, SHA-2 or dual SHA-1/SHA-2.

Friedrich

NewsArchive
08-25-2015, 09:07 AM
Thanks Friedrich for the detailed explanation, but your math still worries me, as
my 3 year Comodo expires at 25.02.2017,
and you said "free replacement for code-signing certificates issued after 22nd
September 2014". Mine is issued at 25.02.2014 so it's before 22.09.2014.
Or did I misunderstand what you said?

Many thanks
Darko

NewsArchive
08-25-2015, 09:08 AM
Hi Darko,

Sorry, should read "...issued BEFORE 22nd September 2014 which expires after
2015...".

On September 22, 2014 Comodo started the new "SHA-2 only" program.

Friedrich

NewsArchive
08-25-2015, 09:08 AM
Ah, now it makes sense
Thanks Friedrich

Darko

NewsArchive
08-25-2015, 09:21 AM
Friedrich,

Did they ask you for a phone number in the chat, or go by some number they
looked up somewhere?

Jane

NewsArchive
08-25-2015, 12:06 PM
Hi Jane,

> Did they ask you for a phone number in the chat, or go by some number they
> looked up somewhere?

They have used the number from the WHOIS record (and they perform callback
only to the number listed in online directories).

For example:

http://www.numberway.com/,
http://world.192.com/

First, I sent an email to their support. But after two hours of waiting for
a callback, I decided to open a LiveChat session. Two minutes later I had
my certificate ready-to-sign <g>

From the transcript of the chat:

---

Martin: Just a moment please , let me check the order status

Martin: shall we make a call now ?

Hi, this is Friedrich Linder: Yes, please :-)

Martin: Sure :)

Martin: Done

---

Friedrich

NewsArchive
08-25-2015, 12:06 PM
Thanks, Friedrich,

WHOIS is good.

The last time for me, I think they got my number from Dun & Bradstreet. I
didn't even know that D&B had a listing for me. Since then, I've canceled
the phone number they used last time. And I don't want to have to open a
D&B account in order to update that incorrect phone number in order to renew
my certificate next time.

Fortunately, "next time" isn't for 18 months.

But time goes faster as I get older !!!!

Jane

NewsArchive
08-25-2015, 12:09 PM
Hi Friedrich,

> Not too bad. That was quick -- only 6 hours. I am good until August 2018
> now (1096 days). Yeah!

I'm hoping for a quick turn around also when I order after the weekend.
I'd somehow got my reminder in in September and was rather displeased
to discover yesterday that the certificate expired last Friday!<g> Have
Jane's docs ready at hand:)

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

NewsArchive
08-25-2015, 12:10 PM
Hi Jane,

> canceled the phone number they used last time. And I don't want to
> have to open a D&B account in order to update that incorrect phone
> number in order to renew my certificate next time.

I can't even see the phone number listed for me without signing up with
D&B. And they have the address wrong (changed in 2010;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
08-25-2015, 12:11 PM
Arnor,

> I can't even see the phone number listed for me without signing up with
> D&B. And they have the address wrong (changed in 2010;)

They tend not to update information unless you pay them. I dissolved
the corporation in 2006 but they still have DeveloperPLUS listed as a
corporation. Duh!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

NewsArchive
08-25-2015, 12:11 PM
Maybe they'll send you an anniversary card next year<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
08-26-2015, 01:51 AM
Jeff,

> Maybe they'll send you an anniversary card next year<g>

I should probably expect it!<g> AMEX gets mailing lists from D&B and
they are constantly sending offers to the corporation that isn't!<g>

Can't sit in front of this thing long. Just got back from having my
eyes dilated and dyed for several tests - can't focus at all which is
why I went - they made it worse and charged me $260. Shoulda stayed
home!!!!

--
Lee White


NewsArchive
08-26-2015, 01:52 AM
If you have to get something dilated, the eyes are a good first
choice.<g>

Jeff Slarve

NewsArchive
08-26-2015, 01:52 AM
Jeff,

> If you have to get something dilated, the eyes are a good first
> choice.<g>

True but I would have preferred the method I used in my 20's!<g>

Lee White

NewsArchive
08-26-2015, 01:53 AM
alrighty, then.

Jeff Slarve

NewsArchive
08-26-2015, 01:53 AM
Jeff,

> alrighty, then.

But I never inhaled, honest... wait, I'm not a politician, am I?!<g>

Lee White

NewsArchive
08-26-2015, 01:54 AM
Wasn't that supposed to be good for glaucoma anyway???

Jane Fleming

NewsArchive
08-26-2015, 01:54 AM
Jane,

> Wasn't that supposed to be good for glaucoma anyway???

It's good for a lot of things, or so Sanjay says.<g>

I don't have glaucoma but I do have the early stages of cataracts...
that's close enough, right?!<g> (no worries - purely age related)

Lee White

NewsArchive
08-26-2015, 01:54 AM
Lee,

Cataracts are a lot less of an issue than back when you were a pup. I've
watched a lot of IOL surgeries. Patients are amazed at how well they can
see the very next day.

OTOH... if you prefer herbal therapy ;-)

jf

NewsArchive
08-26-2015, 01:58 AM
So after my earlier post, I delayed doing productive work for a half hour
this morning whilst spelunking through crannies of the D&B website.
Wish I could point to the specific link... but I was heartened by one of
their dropdowns promising the ability to edit information without paying
them.
So I did create a free account, and that let me zap the invalid phone
number. Unfortunately, it wouldn't let me just leave the phone blank.

Of course... it might be fun to set the phone number on D&B to Comodo's
number <G>

Cheers, all,

Jane

NewsArchive
08-26-2015, 11:10 AM
Jane,

> OTOH... if you prefer herbal therapy ;-)

Getting back to nature!<g>

Lee White

NewsArchive
08-27-2015, 02:24 AM
> But Microsoft will cease trusting Code
> Signing Certificates using SHA-1 on January 1, 2016.

Does that mean that all previously distributed EXE etc become invalid??????

Don't make me nervous, man!



Regards,
Wolfgang Orth
www.odata.de

NewsArchive
08-27-2015, 02:25 AM
Hi Wolfgang,

> Does that mean that all previously distributed EXE etc become
> invalid??????
>
> Don't make me nervous, man!

Windows will stop accepting SHA-1 code-signed files that are time stamped
AFTER 1 January 2016. SHA-1 code-signed files time stamped by an RFC 3161
Time Stamp Authority BEFORE 1 January 2016 will be accepted until such time
when Microsoft decides SHA-1 is vulnerable to pre-image attack.

Friedrich

NewsArchive
08-27-2015, 10:39 AM
> Don't make me nervous, man!

By the way, I think my answer was not quite clear. Yes, all previously
code-signed EXE/DLL/etc. files become invalid if they were code signed using
the "standard" Microsoft Authenticode compatible time stamp. To support
older Windows operating systems and new UAC-aware Windows after 1 January
2016, you have to dual SHA-1/SHA-2 code-sign using Microsoft Authenticode
compatible time stamp and RFC 3161 compliant trusted time stamp servers
(SHA-2 compatible code-signing certificate is required).

Of course, the upcoming SetupBuilder 10 can handle this for you (dual
SHA-1/SHA-2 code-sign your application files and the setup.exe).

Friedrich

NewsArchive
08-27-2015, 10:40 AM
Friedrich,

> Yes, all previously
> code-signed EXE/DLL/etc. files become invalid if they were code signed using
> the "standard" Microsoft Authenticode compatible time stamp.

So everything that's already been signed is suddenly invalid and has
to be redone??? Seriously?!

So old signed installs and install contents have to be re-signed and
uploaded... that's a lot of stuff to contend with, a LOT of stuff!

--
Lee White


NewsArchive
08-27-2015, 10:40 AM
Lee,

> So everything that's already been signed is suddenly invalid and has
> to be redone??? Seriously?!

Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
Stamp Authority before 1 January 2016 <bg>

> So old signed installs and install contents have to be re-signed and
> uploaded... that's a lot of stuff to contend with, a LOT of stuff!

Ohhh yes. I am busy re-compiling all my original application files, all the
core redistributables, etc. Tons of stuff, terabytes of data.

Friedrich

NewsArchive
08-27-2015, 11:36 AM
BTW, I have been working on our migration plan for the old SHA-1 code signing
certificate for more than three months now (including research and
development). More work than the Year 2000 "problem" <g>. And this will
DEFINITELY result in a support nightmare for quite a few developers on
January 2, 2016.

Friedrich


NewsArchive
08-27-2015, 01:32 PM
Friedrich,

> Yes, that's the plan if the files are not time stamped by an RFC 3161 Time
> Stamp Authority before 1 January 2016 <bg>

Not sure exactly what that means but all my existing 3rd party product
installers will remain as is... don't have the time or inclination to
redo them all and they're already signed and time stamped.

If that's a problem then Clarion Developers will just have to trust
the old installs... c'est la vie.

--
Lee White


NewsArchive
08-27-2015, 01:33 PM
la vie!

Jeff Slarve

NewsArchive
08-28-2015, 02:08 AM
> If that's a problem then Clarion Developers will just have to trust
> the old installs... c'est la vie.

Unless Windows decides to not allow them to install at all...

Time will tell I guess<g>.


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
08-28-2015, 02:08 AM
Charles,

> Unless Windows decides to not allow them to install at all...

Considering Windows still allows unsigned installs to run I doubt
seriously they would utterly prevent it. I'm fairly certain there
would be a rather loud voice heard in Redmond if they did.

--
Lee White


NewsArchive
08-28-2015, 02:09 AM
I hope that your voice of sanity will prevail.

Jeff Slarve

NewsArchive
08-28-2015, 02:09 AM
Jeff,

> I hope that your voice of sanity will prevail.

After I retire, if that ever happens, I won't care!<g>

Reached early retirement age, and reverse mortgage age, earlier this
month but neither are going to happen just yet.

Lee White

NewsArchive
08-28-2015, 02:10 AM
> Considering Windows still allows unsigned installs to run I doubt
> seriously they would utterly prevent it. I'm fairly certain there
> would be a rather loud voice heard in Redmond if they did.

Allowing the installer to run and allowing it to place files are two
different things<g>.

Of course now that SV no longer defaults to installing Clarion under
Program Files, for the moment it is less of an issue.

But I have seen installers that were code signed (but not manifested for
the target OS for example) that ended up with an "empty" install under the
Program Files folder. Nothing in there but the install.log and the
SetupBuilder generated uninstall.exe.

So I'd guess that anything is possible where MS is concerned<g>.

Then again, even if they heard you all the way out in Redmond, do you think
they'll pay any attention to you<g>?


:-)

Charles




NewsArchive
08-28-2015, 02:11 AM
Charles,

> Then again, even if they heard you all the way out in Redmond, do you think
> they'll pay any attention to you<g>?

Support email redirect!!!

Lee White

NewsArchive
08-28-2015, 02:11 AM
Lee,

>> Yes, that's the plan if the files are not time stamped by an RFC 3161
>> Time Stamp Authority before 1 January 2016 <bg>
>
> Not sure exactly what that means but all my existing 3rd party product
> installers will remain as is... don't have the time or inclination to
> redo them all and they're already signed and time stamped.
>
> If that's a problem then Clarion Developers will just have to trust
> the old installs... c'est la vie.

By default, timestamping is done using Microsoft Authenticode compatible
time stamp and not the RFC 3161 compliant trusted time stamp servers. You
need a specific SignTool version and at least Windows 7 SP1 to support RFC
3161. In SetupBuilder 8.5, you can use the following #pragma to support RFC
3161:

#pragma CODESIGN_TSTYPE = "1"

If you are not using RFC 3161 then all your files are Microsoft Authenticode
compatible time stamped and are suddenly invalid on January 02, 2016.

I have to redo all files because quite a few companies have the "User
Account Control: Only elevate executables that are signed and validated"
security policy enabled. This blocks elevation if the code-signature is
invalid.

Friedrich
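
The dual SHA-1/SHA-2 signing described in this post, done directly with Microsoft SignTool from PowerShell. This is an added example, not part of the original thread and not SetupBuilder's own code; the certificate subject name, both timestamp URLs and the build folder are placeholders to replace with your own values.

```powershell
# Added example: dual SHA-1/SHA-2 code-signing with Microsoft SignTool.
# Assumptions (placeholders, not values from the thread):
$SignTool   = 'signtool.exe'        # Windows SDK SignTool on PATH; the build must support /as and /tr
$Subject    = 'Example Publisher'   # subject name of the code-signing cert imported into the user's store
$AuthTsUrl  = 'http://timestamp.example.invalid/authenticode'  # your CA's Authenticode timestamp URL
$Rfc3161Url = 'http://timestamp.example.invalid/rfc3161'       # your CA's RFC 3161 timestamp URL
$BuildDir   = '.\build'             # folder holding the files to sign

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed with exit code ${LASTEXITCODE}: $($Arguments -join ' ')"
    }
}

$results = foreach ($file in Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll -File) {
    # 1. Primary signature: SHA-1 file digest with the "standard" Authenticode time stamp (/t),
    #    for older Windows versions that do not understand SHA-2 signatures.
    Invoke-SignTool @('sign', '/n', $Subject, '/fd', 'sha1', '/t', $AuthTsUrl, $file.FullName)

    # 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 time stamp (/tr)
    #    whose own digest is SHA-256 (/td).
    Invoke-SignTool @('sign', '/n', $Subject, '/as', '/fd', 'sha256',
                      '/tr', $Rfc3161Url, '/td', 'sha256', $file.FullName)

    # 3. Verify every signature in the file (/all) against the default
    #    Authenticode policy (/pa); a failure throws and stops the run.
    Invoke-SignTool @('verify', '/pa', '/all', $file.FullName)

    # Record what Windows itself reports for the file.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File        = $file.FullName
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}

$results | Format-Table -AutoSize
```

Selecting the certificate from the store by subject name keeps the .pfx password off the command line. Order matters: the SHA-1 signature goes first and the SHA-256 one is appended.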

NewsArchive
08-28-2015, 11:50 AM
To be accurate, I don't think it's absolutely true that files themselves are
"suddenly invalid" on that date.

Rather, the timestamp is not valid.

The purpose of the timestamp is to keep your file valid after its
certificate has expired. (i.e., to prove that the certificate was valid at
the time of signing.)
https://msdn.microsoft.com/en-us/library/windows/desktop/bb931395%28v=vs.85%29.aspx

So if your certificate expires on, say, October 12, 2016, that's when the
file signed with that certificate would become invalid.

At least... that's how I remember it. Don't know whether that aspect has
changed with SHA-2??

jf

NewsArchive
08-28-2015, 11:51 AM
Hi Jane,

> To be accurate, I don't think it's absolutely true that files themselves
> are "suddenly invalid" on that date.
>
> Rather, the timestamp is not valid.

Yes, that's what I meant. Sorry for the confusion!!! Of course, the files
themselves are not "suddenly invalid" on that date. The code-signature
becomes invalid on January 02, 2016. So customers will get a warning after
the download, or when they try to start a downloaded file, setup elevation
might not work (e.g. if the "User Account Control: Only elevate executables
that are signed and validated" security policy is enabled), anti-virus and
anti-spyware might block the files, etc.

Friedrich

NewsArchive
08-28-2015, 11:52 AM
Friedrich,

>If you are not using RFC 3161 then all your files are Microsoft Authenticode
>compatible time stamped and are suddenly invalid on January 02, 2016.

you seriously HAVE TO do a feature presentation on ClarionLive!

And it has to happen early enough, before this nightmare breaks out!

I beg you to contact John Hickey ASAP, so that you get a timeslot soon after the CIDC.

Please don't get me wrong, I do not want to dictate your work and your
schedule, but this topic looks damned serious to some folks, so your karma
would benefit a lot if you help out with a webinar.....


Regards,
Wolfgang Orth
www.odata.de

NewsArchive
08-28-2015, 11:53 AM
Wolfgang,

I'll see what I can do. I agree 100%. This really is a serious issue.

Friedrich

NewsArchive
08-29-2015, 03:26 AM
Friedrich,

> I'll see what I can do. I agree 100%. This really is a serious issue.

If not, at least let Jane do it... she's infamous, notorious AND likes
the limelight!<g>

Lee White

NewsArchive
08-29-2015, 03:27 AM
Hi Lee,

> Not sure exactly what that means but all my existing 3rd party product
> installers will remain as is... don't have the time or inclination to
> redo them all and they're already signed and time stamped.

Ditto. I have 195 installer exes going back 7 or 8 years, and there is
not a chance in h*** I'm going to redo them;)

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

NewsArchive
08-30-2015, 04:57 AM
> By the way, I think my answer was not quite clear. Yes, all previously
> code-signed EXE/DLL/etc. files become invalid if they were code signed using
> the "standard" Microsoft Authenticode compatible time stamp. To support
> older Windows operating systems and new UAC-aware Windows after 1 January


So to be clear about this.

Software installed by install disks / files that people were issued years ago,
by companies that may no longer exist, will not be able to be re-installed?


??!!



John Newman
Software Partners Australia
C10

NewsArchive
08-30-2015, 04:57 AM
Hi John,

> So to be clear about this.
>
> Software installed by install disks / files that people were issued years
> ago, by companies that may no longer exist, will not be able to be
> re-installed?

The code-signature becomes invalid on January 02, 2016. What will happen is
that customers will get a warning after the download, or when they try to
start an application. Setup elevation might not work (e.g. if the "User
Account Control: Only elevate executables that are signed and validated"
security policy is enabled) -- to work around this, the UAC policy can be
temporarily disabled. Anti-virus and anti-spyware are a bigger problem here
because they do not like invalid code-signatures at all (it's better to have
no signature instead of an invalid one).

The deprecation of SHA-1 will cause a LOT of headache and a support
nightmare for companies without a migration plan for any SHA-1 code signing
certificates that expire after January 1, 2016 or files that are not RFC
3161 compliant trusted time stamped.

BTW, and a lot of software products only work if the code-signature is valid
(they internally check the signature status). If the code-signature becomes
invalid on January 02, 2016, the product will stop working.

Friedrich

NewsArchive
08-30-2015, 08:49 AM
>> So to be clear about this.
>>
>> Software installed by install disks / files that people were issued years
>> ago, by companies that may no longer exist, will not be able to be
>> re-installed?
>
>The code-signature becomes invalid on January 02, 2016. What will happen is
>that customers will get a warning after the download,


> or when they try to start an application.

This is true for ALL our userbase, for ALL our programs that are code-signed,
for ALL versions of Windows since Vista?

In other words, on 02. Jan. 2016 a global nightmare will start at all support desks.

Great!

I think I will prolong my Christmas vacation.....




Regards,
Wolfgang Orth
www.odata.de

NewsArchive
08-31-2015, 08:01 AM
I don't know if I am reading this wrong but this article:

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Under the Code Signing Certificates section, I think it is saying that if
the code is signed with SHA-1 and has a timestamp before January 1, 2016 it
will be OK until January 14, 2020.

Michael Melby

NewsArchive
08-31-2015, 08:02 AM
Michael,

>I don't know if I am reading this wrong but this article:
>
> http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
>
> Under the Code Signing Certificates section, I think it is saying that
> if the code is signed with SHA-1 and has a timestamp before January 1,
> 2016 it will be OK until January 14, 2020.

Yes, if you have timestamped the files with an RFC 3161 compliant trusted
time stamp server. But you need a very specific Authenticode signing tool
and Windows 7 SP1+ (better Windows 8 or later) to support RFC 3161. IMO,
99% of all developers have used the "standard" Microsoft Authenticode
compatible time stamp :-) As a result, the signature becomes invalid on
January 02, 2016.

Friedrich

NewsArchive
09-01-2015, 08:07 AM
> The code-signature becomes invalid on January 02, 2016. What will happen
> is...


Thank you for that explanation, Friedrich.


John Newman
Software Partners Australia
C10

NewsArchive
09-02-2015, 01:44 AM
> If not, at least let Jane do it... she's infamous, notorious AND likes
> the limelight!<g>

Not a single comment... DAMN... I'M IN TROUBLE!!!!

Lee White

NewsArchive
09-02-2015, 01:45 AM
Maybe because you're infamous, notorious, AND like the limelight!?<g>

Jeff Slarve

NewsArchive
09-02-2015, 01:45 AM
Jeff,

> Maybe because you're infamous, notorious, AND like the limelight!?<g>

Who, ME?!<g>

Lee White

NewsArchive
09-07-2015, 12:13 PM
Hi Friedrich,

> All system files for SetupBuilder 10 will be dual SHA-1/SHA-2 code-signed
> to be ready for January 1, 2016.

This stuff confuses the hell out of me! Having a look at getting sha-2
code-signing working for a client and leaving it for the morning :-)

BUT. Out of interest and hoping for some clues, went to look at "Properties"
/ "Digital Signatures" of sb8.exe (dated 15/4/2015 - can that really be
latest, think so?) and the "Digest algorithm" is md5.

Suppose I was expecting to see sha1. There is talk of "dual signing", so
maybe I also expected a second sha2 entry in the Signature list...

But there it is: a solitary md5

So why is that???

Thanks,
Simon

NewsArchive
09-08-2015, 01:37 AM
Simon,

> But there it is: a solitary md5

That's the "Digest algorithm" from his prior certificate. He has a
newer one now which won't be md5!<g>

--
Lee White


NewsArchive
09-08-2015, 01:38 AM
Hi Simon,

Exactly what Lee said. Our "old" code-signing certificate did not support
SHA-2. The new one does and in the upcoming SetupBuilder 10 all new files
will be dual SHA-1/SHA-2 code-signed.

Friedrich

NewsArchive
03-22-2018, 04:28 AM
How to export the certificate:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1004/0/export-certificates-windows