Reminder: Deprecation of SHA-1 for Microsoft Root Certificate Program [August 27, 201



NewsArchive
08-27-2015, 10:06 AM
All,

As you probably know, Microsoft published a security advisory on
"Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate
Program". The policy takes effect after January 1, 2016 and requires CAs to
migrate to the stronger SHA-2 hashing algorithm.

Organizations need to develop a migration plan for SHA-1 code signing
certificates that expire after January 1, 2016. To support
older Windows operating systems (e.g. Windows XP, Vista, early Windows 7
versions) and modern Windows systems (Windows 8.x and later) after 1 January
2016, you have to dual SHA-1/SHA-2 code-sign your files using Microsoft
Authenticode compatible time stamp and RFC 3161 compliant trusted time stamp
servers (SHA-2 compatible code-signing certificate is required).

Only 127 days left... !!!

But don't panic. The upcoming SetupBuilder 10 Developer Edition can dual
SHA-1/SHA-2 code-sign your application files and the setup.exe for you :-)
More info to come soon.

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
08-28-2015, 02:03 AM
I ordered a 3yr certificate from Comodo on 10th January 2014 so that doesn't
expire until 2017.

However, at the time, SHA-1 was the only choice so that's what I have.

Do I now have to buy another certificate so that I can sign my apps after
January 2016?

Cheers
Paul

NewsArchive
08-28-2015, 02:04 AM
http://www.lindersoft.com/forums/showthread.php?46841-Comodo-Certificate-Order-August-25-2015
(note that a subsequent post revises the date information to "before sept
2014".)
"
You will be able to get a free replacement SHA-2 certificate from Comodo if
your current one supports SHA-1 only (e.g. code-signing certificates issued
after 22nd September 2014 which expire after 2015).

Friedrich
"
Jane Fleming

NewsArchive
08-28-2015, 02:13 AM
Hi Friedrich,

I see the SHA1 Deprecation Policy has been recently updated.

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Bob

NewsArchive
08-28-2015, 02:13 AM
Hi Bob,

> I see the SHA1 Deprecation Policy has been recently updated.
>
> http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

My information comes from the latest June 2015 Comodo Partner update...

In short, if a developer is not using an RFC 3161 time stamp, then all files are
Microsoft Authenticode compatible time stamped and suddenly become invalid on
January 02, 2016.

The only way to support old and new Windows operating systems after January
1, 2016 is to use dual SHA-1/SHA-2 signing with both Microsoft Authenticode
compatible and RFC 3161 time stamping.

Friedrich

NewsArchive
08-28-2015, 02:15 AM
Thanks Jane

I'll check it out.

Paul

NewsArchive
08-28-2015, 08:52 AM
Okay, thanks for the confirmation/clarification.

Bob Campbell

NewsArchive
08-28-2015, 11:48 AM
Jane,

> You will be able to get a free replacement SHA-2 certificate from Comodo if
> your current one supports SHA-1 only (e.g. code-signing certificates issued
> after 22nd September 2014 which expire after 2015).

Do I need a new certificate?

Lee White

NewsArchive
08-28-2015, 11:49 AM
Lee,

>
> Do I need a new certificate?
>

No. Comodo supports SHA-2 for any Code-signing certificate issued after
September 22, 2014 which expires after 2015. Your certificate is valid from
December 28, 2014 - December 28, 2017.

Friedrich

NewsArchive
08-28-2015, 11:49 AM
By the way, I have checked the Comodo system and all code-signing
certificates issued AFTER September 8, 2014 are SHA-2 certificates by
default. There is still an option at the point of sale to allow customers
to elect to receive an SHA-1 certificate if they have a particular need of
an SHA-1 certificate. But by default, certificates are SHA-2 after
September 8, 2014.

Friedrich

NewsArchive
08-29-2015, 03:25 AM
Friedrich,

> No. Comodo supports SHA-2 for any Code-signing certificate issued after
> September 22, 2014 which expires after 2015. Your certificate is valid from
> December 28, 2014 - December 28, 2017.

Now I just need to figure out what's needed on my Win7/64 host to make
it work!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

NewsArchive
08-29-2015, 03:29 AM
Lee,

> Now I just need to figure out what's needed on my Win7/64 host to make
> it work!<g>

I'll make a HOWTO available next week for SetupBuilder 10 ;-)

Friedrich

NewsArchive
08-29-2015, 03:38 AM
Friedrich,

> I'll make a HOWTO available next week for SetupBuilder 10 ;-)

So the stories ARE true; seven ate nine!!!

Lee White

NewsArchive
08-29-2015, 06:27 AM
Lee,

>> I'll make a HOWTO available next week for SetupBuilder 10 ;-)
>
> So the stories ARE true; seven ate nine!!!

<G> Yes :-)

Friedrich

NewsArchive
08-31-2015, 02:02 AM
Hi Friedrich,

> But don't panic. The upcoming SetupBuilder 10 Developer Edition can dual
> SHA-1/SHA-2 code-sign your application files and the setup.exe for
> you :-)
> More info to come soon.

When can we expect SetupBuilder 10?

Best regards,
Jeffrey

NewsArchive
09-01-2015, 01:50 AM
Hi Friedrich,

> As you probably know, Microsoft published a security advisory on
> "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate
> Program". The policy takes effect after January 1, 2016 and requires CAs to
> migrate to the stronger SHA-2 hashing algorithm.

This whole thing sounds like a recipe for mass insanity;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-01-2015, 01:50 AM
Arnor,

> This whole thing sounds like a recipe for mass insanity;)

Microsoft and the NSA together - what exactly would you expect?!<g>

Lee White

NewsArchive
09-01-2015, 01:51 AM
Hi Lee,

> Microsoft and the NSA together - what exactly would you expect?!<g>

Point taken!<g> Now where did I leave my padded room and the straight
jacket...

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-01-2015, 02:02 AM
Hi Jeffrey,

>
> When can we expect SetupBuilder 10?
>

It is coming very soon! A recent Windows 10 update broke a new important
Win10 feature. Still working on it...

Friedrich

NewsArchive
09-14-2015, 10:09 AM
Hi Friedrich -

It is time for us to buy a new certificate. Our current one expires in
a month.

Will your new how-to include anything that I know before purchasing
it, or should I just refer to Jane's document?

Also, do you have an ETA on the how-to?

Thank you.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
09-14-2015, 11:04 AM
Hi Jeff,

> It is time for us to buy a new certificate. Our current one expires in
> a month.
>
> Will your new how-to include anything that I know before purchasing
> it, or should I just refer to Jane's document?
>
> Also, do you have an ETA on the how-to?

The "HowTo" will be for the 'SHA-1', 'SHA-2' and 'Dual SHA1/SHA-2'
code-signing process. It will be available a few days after the release of
SetupBuilder 10 (I hope by the end of this week).

All new Comodo code-signing certificates are SHA-2 compliant. You can refer
to Jane's document or this quick-and-dirty one:

http://www.lindersoft.com/forums/showthread.php?46841

Friedrich

NewsArchive
09-14-2015, 11:04 AM
Thanks a whole lot. I appreciate you very much.

You too, Jane.

Jeff Slarve

NewsArchive
09-14-2015, 11:05 AM
Do you think that if I change the phone number for the domain before
initiating this, it would cause any red flags?

The phone number that we're using is not mine. That number could be
answered by any number of individuals, so it might be simpler to
temporarily change it. Just don't want to cause any other snags.

Jeff Slarve

NewsArchive
09-14-2015, 11:05 AM
:-) !!!

Friedrich

NewsArchive
09-14-2015, 11:06 AM
Jeff,

> Do you think that if I change the phone number for the domain before
> initiating this, it would cause any red flags?
>
> The phone number that we're using is not mine. That number could be
> answered by any number of individuals, so it might be simpler to
> temporarily change it. Just don't want to cause any other snags.

I would change it.

--
Lee White

NewsArchive
09-15-2015, 01:58 AM
Hi Friedrich,

> The "HowTo" will be for the 'SHA-1', 'SHA-2' and 'Dual SHA1/SHA-2'
> code-signing process. It will be available a few days after the
> release of SetupBuilder 10 (I hope by the end of this week). All new
> Comodo code-signing certificates are SHA-2

I don't know if my certificate is SHA-1 as well as SHA-2 - how can I
tell? If it is, should I be codesigning for both (don't know how?) or
just leave it with SHA-2?

Sorry teacher, haven't been paying attention lately:(

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-15-2015, 01:59 AM
Jeff,

> Do you think that if I change the phone number for the domain before
> initiating this, it would cause any red flags?
>
> The phone number that we're using is not mine. That number could be
> answered by any number of individuals, so it might be simpler to
> temporarily change it. Just don't want to cause any other snags.

No, it would not cause a red flag. In order to perform call back
verification, the company name and phone number used for the certificate
have to match (e.g. in the following links)

http://www.numberway.com/,
http://world.192.com/

For WebTrusts, phone number verification and callback verification to the
verified number is mandatory.

Friedrich

NewsArchive
09-15-2015, 02:00 AM
Hi Arnor,

> I don't know if my certificate is SHA-1 as well as SHA-2 - how can I
> tell? If it is, should I be codesigning for both (don't know how?)
> or just leave it with SHA-2?
>
> Sorry teacher, haven't been paying attention lately:(

<G> ;-)

When did you request your certificate and what's the expiration date?

If you code-sign for SHA-2 only, then the signature will be invalid for
older Windows operating systems. The solution is to dual SHA-1/SHA-2
code-sign the files.

To do this, just set the #pragma CODESIGN_SHA to "12". See attached
screenshots.

BTW, and please see the following important SetupBuilder 10 information:

http://www.lindersoft.com/forums/showthread.php?46755-pragma-CODESIGN_SHA-quot-12-quot-and-Timestamp-URL&p=84559#post84559

Friedrich

NewsArchive
09-16-2015, 02:07 AM
Hi Friedrich,

> Hi Arnor,
>
>> I don't know if my certificate is SHA-1 as well as SHA-2 - how can I
>> tell? If it is, should I be codesigning for both (don't know how?)
>> or just leave it with SHA-2?
>>
>> Sorry teacher, haven't been paying attention lately:(
> <G> ;-)
>
> When did you request your certificate and what's the expiration date?

Got it last month I think or early this month.

> If you code-sign for SHA-2 only, then the signature will be invalid for
> older Windows operating systems. The solution is to dual SHA-1/SHA-2
> code-sign the files.
>
> To do this, just set the #pragma CODESIGN_SHA to "12". See attached
> screenshots.

Ah, now I remember! Thanks!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-16-2015, 02:08 AM
Hi Friedrich,

So this doesn't work in SB 8.5, only in SB 10, you write.
We need to ship an update of our applications very soon to our customers.
Do you have any idea when SB 10 will be released? So that we can
codesign with #pragma CODESIGN_SHA to "12".

Best regards,
Jeffrey

NewsArchive
09-16-2015, 02:08 AM
Hi Arnor,

>> When did you request your certificate and what's the expiration date?
>
> Got it last month I think or early this month.

Then your certificate can handle SHA-1 and SHA-2 code-signing :-)

Friedrich

NewsArchive
09-16-2015, 02:08 AM
Hi Jeffrey,

> So this doesn't work in SB 8.5, only in SB 10, you write.
> We need to ship an update of our applications very soon to our customers.
> Do you have any idea when SB 10 will be released? So that we can codesign
> with #pragma CODESIGN_SHA to "12".

Yes and no <g>. SB 8.5 can handle dual SHA-1/SHA-2 code signing. But it
timestamps both signatures using a 3161 timestamp server. The problem is
that older Windows versions can't read 3161 timestamps.

SB 10.0 can handle dual SHA-1/SHA-2 code signing using Microsoft
Authenticode compatible time stamp and RFC 3161 compliant trusted time stamp
servers to provide maximum backward compatibility.

This is how it works:
http://www.lindersoft.com/forums/showthread.php?46755-pragma-CODESIGN_SHA-quot-12-quot-and-Timestamp-URL&p=84559#post84559

SetupBuilder 10.0 is code and feature complete now. Still working on the
updated documentation and the new environment to auto compile and code-sign
the components with SHA-1/SHA-2 (Windows 10 Enterprise).

SetupBuilder 10.0 is scheduled to be available on Monday, September 21,
2015.

Friedrich
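The dual SHA-1/SHA-2 signing that Friedrich describes above (a SHA-1 primary signature with an Authenticode-compatible timestamp plus an appended SHA-256 signature with an RFC 3161 timestamp), and the "how can I tell which algorithm my certificate uses" question earlier in the thread, expressed with signtool.exe. This is an added illustration and not SetupBuilder's own code or how-to; it assumes signtool.exe from the Windows SDK is on PATH, the certificate sits in the CurrentUser\My store, and the two timestamp URLs are placeholders for your CA's actual servers.

```powershell
# Added example, not SetupBuilder code: dual SHA-1/SHA-256 Authenticode signing with the two
# timestamp styles from the thread, then a check of what the signed file actually carries.
# Assumptions: signtool.exe on PATH; certificate in CurrentUser\My; placeholder TSA URLs.
$AuthenticodeTsa = 'http://timestamp.example.invalid/authenticode'  # placeholder: legacy /t server
$Rfc3161Tsa      = 'http://timestamp.example.invalid/rfc3161'       # placeholder: RFC 3161 /tr server

function Get-CodeSigningCertInfo {
    # SignatureAlgorithm is how the CA signed your certificate (sha1RSA vs sha256RSA);
    # this is the "SHA-1 or SHA-2 certificate" distinction the thread is about. The
    # digest used for your files (/fd below) is chosen separately at signing time.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Select-Object Subject, NotBefore, NotAfter, Thumbprint,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

function Invoke-DualSign {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Thumbprint)
    # /sha1 selects the certificate by thumbprint (unrelated to the file digest).
    # 1) Primary signature: SHA-1 file digest + Authenticode-compatible timestamp (/t),
    #    the only combination Windows XP/Vista and early Windows 7 can validate.
    & signtool sign /sha1 $Thumbprint /fd sha1 /t $AuthenticodeTsa $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed for $Path" }
    # 2) Appended signature (/as): SHA-256 file digest + RFC 3161 timestamp (/tr, /td),
    #    the one that stays valid on Windows 8.x and later after the SHA-1 cut-off.
    & signtool sign /sha1 $Thumbprint /as /fd sha256 /tr $Rfc3161Tsa /td sha256 $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed for $Path" }
}

function Test-DualSignature {
    param([Parameter(Mandatory)][string]$Path)
    # /all checks every signature in the file; Get-AuthenticodeSignature would only
    # report the primary (SHA-1) one and hide whether the SHA-256 signature is present.
    & signtool verify /pa /all /v $Path
    return ($LASTEXITCODE -eq 0)
}

Get-CodeSigningCertInfo
Invoke-DualSign -Path '.\setup.exe' -Thumbprint 'REPLACE_WITH_CERT_THUMBPRINT'
Test-DualSignature -Path '.\setup.exe'
```

The verbose verify output lists each signature with its digest algorithm and timestamp, which is the quickest way to confirm a shipped file really carries both signatures rather than a single re-signed one.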

NewsArchive
09-16-2015, 05:19 AM
Thanks Friedrich!

Best regards,
Jeffrey

NewsArchive
09-22-2015, 01:49 AM
Hi Friedrich,

> SetupBuilder 10.0 is scheduled to be available on
> Monday, September 21, 2015.

Any news? Thanks.

Best regards,
Jeffrey

NewsArchive
09-22-2015, 08:17 AM
Hi Jeffrey,

>
> Any news? Thanks.
>

Chrome is giving us a hard time (new certificate is still not trusted).
Perhaps we have to re-compile all files with the old SHA-1. We're still
evaluating options...

Friedrich