PDA

View Full Version : New certificate - not sure if it's working correctly.



NewsArchive
09-09-2015, 02:37 AM
Hi Friedrich,

I just got a new Comodo certificate and extracted the .pfx file, set SB
to use signtool.exe and changed my #code-sign accordingly. No errors
(once I picked the right time server) but what I get when I do the code
signing is:

Adding Digital Certificate (Preprocessor)...
SIGNTOOL: C:\Products\BuildAutomator\Latest\Program Files\Icetips
Creative\Build Automator\BuildAutomator.exe
SHA1: 0
Code signed successfully: C:\Products\BuildAutomator\Latest\Program
Files\Icetips Creative\Build Automator\BuildAutomator.exe

I'm concerned about this SHA1: 0. I don't know what it means. The
certificate I ordered was SHA2, so I hope that's what I got - Signature
algorithm is sha256RSA and the signature hash algorithm is sha256 in the
"View" certificate in IE 11.

So - is everything correct here?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-09-2015, 02:39 AM
Hi Friedrich

On 9/8/2015 4:16 PM, Arnor Baldvinsson wrote:
> I'm concerned about this SHA1: 0. I don't know what it means. The
> certificate I ordered was SHA2, so I hope that's what I got - Signature
> algorithm is sha256RSA and the signature hash algorithm is sha256 in the
> "View" certificate in IE 11.
>
> So - is everything correct here?

When I run Signtool verify, I get this:

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

Number of errors: 1

Same on all the binaries I just signed - and everything else I tried...
Hmm...

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-09-2015, 02:39 AM
Hi Arnor,

> When I run Signtool verify, I get this:
>
> SignTool Error: A certificate chain processed, but terminated in a root
> certificate which is not trusted by the trust provider.
>
> Number of errors: 1
>
> Same on all the binaries I just signed - and everything else I tried...
> Hmm...

If you run the "signtool.exe verify myfile.exe" command, signtool will use
the Windows Driver Verification Policy. In order for your file to "verify"
properly you need to include the /pa switch, so that SignTool uses the
Default Authentication Verification Policy.

Friedrich

NewsArchive
09-09-2015, 02:40 AM
Hi Arnor,

"SHA1: 0 Code signed successfully" means that you have code-signed via SHA-1
(you did not instruct the compiler to code-sign via SHA-2) and the
Authenticode process did not report any error.

Friedrich

NewsArchive
09-09-2015, 12:25 PM
Hi Friedrich,

On 9/8/2015 11:30 PM, Friedrich Linder wrote:
> "SHA1: 0 Code signed successfully" means that you have code-signed via SHA-1
> (you did not instruct the compiler to code-sign via SHA-2) and the

How do you do that? I couldn't find any setting for specifying it...
See http://screencast.com/t/RuLT2sL8Ps

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-09-2015, 12:25 PM
Hi Arnor,

> How do you do that? I couldn't find any setting for specifying it...

You need the latest signtool.exe from Microsoft (at least 6.2.9200.16384)
and then use #pragma in your script and set CODESIGN_SHA to 2 for SHA-2
code-signing (please see #pragma help).

Does this help?

Friedrich

NewsArchive
09-09-2015, 12:26 PM
Hi Friedrich,

> If you run the "signtool.exe verify myfile.exe" command, signtool will
> use the Windows Driver Verification Policy. In order for your file to
> "verify" properly you need to include the /pa switch, so that SignTool
> uses the Default Authentication Verification Policy. Friedrich

Got it! Works:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-09-2015, 12:27 PM
Hi Friedrich,

> You need the latest signtool.exe from Microsoft (at least
> 6.2.9200.16384) and then use #pragma in your script and set
> CODESIGN_SHA to 2 for SHA-2 code-signing (please see #pragma help).
> Does this help? Friedrich

OK, mine is 6.1.x so I'll grab the latest one and give it another go:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-09-2015, 12:28 PM
Hi Friedrich,

> You need the latest signtool.exe from Microsoft (at least
> 6.2.9200.16384) and then use #pragma in your script and set
> CODESIGN_SHA to 2 for SHA-2 code-signing (please see #pragma help).
> Does this help? Friedrich

Got the latest (6.3.x), set the pragma, changed the time server (I used
verisign yesterday and it worked, but not today;), compiled and got
SHA2: 0 - codesigning successful on all files:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-09-2015, 12:28 PM
Hi Arnor,
where from you got this one? From some newer SDK or you have some useful link?
I didn't find any good
Many thanks
Darko

NewsArchive
09-10-2015, 02:12 AM
Hi Arnor,

> Got the latest (6.3.x), set the pragma, changed the time server (I used
> verisign yesterday and it worked, but not today;), compiled and got SHA2:
> 0 - codesigning successful on all files:)

Perfect! Thanks for the update :-)

BTW, if you are using SHA-2 and timestamping, make sure that you are using a
"real" SHA-2 compliant timestamp server. Otherwise, you'll get a SHA-1
timestamp.

I'll post a "HowTo" (SHA-2 and dual SHA-1/SHA-2) soon...

Friedrich

NewsArchive
09-10-2015, 02:13 AM
Quick note: a correctly SHA-2 code-signed and timestamped file signature
looks like this (see attached screenshot).

Friedrich

NewsArchive
09-10-2015, 02:14 AM
Arnor,

> Got the latest (6.3.x)

I am using SignTool Version 10.0 (July 2015).

Friedrich

NewsArchive
09-10-2015, 02:15 AM
Hi Darko,

> where from you got this one? From some newer SDK or you have some useful link?
> I didn't find any good

https://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

It was updated on April 29, 2015 so it's pretty fresh:) Note that it
downloads a 1MB stub that does the rest. I wish I'd found a zip/msi
download, but I didn't. Also note that it does NOT go into the
"C:\Program Files\Microsoft SDKs" folder but into "c:\Program
Files\Windows Kits\8.1\" which is much more logical... NOT<g> HTH:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-10-2015, 02:16 AM
Hi Darko,

> download, but I didn't. Also note that it does NOT go into the
> "C:\Program Files\Microsoft SDKs" folder but into "c:\Program
> Files\Windows

Should have said: "Also note that it does NOT _install_ into the..."

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-10-2015, 02:16 AM
thanks Arnor, done!

Darko

NewsArchive
09-10-2015, 10:46 AM
Oh good. Thanks.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
09-10-2015, 10:46 AM
Dear Arnor, Friedrich and all good souls here!

Did that

copied from D:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe
over my present signtool.exe.

Now it does not work anymore at all...

Best regards

Edvard

NewsArchive
09-10-2015, 10:48 AM
Hi Edvard

I think the signtool.exe is windows version/ 32-64bit dependant.

Try using the one from
D:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe


JohnG


>copied from D:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe
>over my present signtool.exe.
>
>Now it does not work anymore at all...

NewsArchive
09-11-2015, 02:13 AM
Hi Friedrich,

> I am using SignTool Version 10.0 (July 2015). Friedrich
Yes, I meant to say the latest 8.x SDK as I'm on 8. I know the 10 SDK
works on 8 but why rattle the giant's cage?<g>

Windows 10 SDK: https://dev.windows.com/en-us/downloads

Information: https://dev.windows.com/en-us/downloads/windows-10-sdk

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
09-11-2015, 02:13 AM
The reason was a bit funny.

In the folder, there is a file named 'signtool.exe.manifest'

If it's there, the proces fails.

If not, it runs as expected.

@Friedrich - Perhaps an important info?

Best regards

Edvard Korsbæk

NewsArchive
09-12-2015, 02:37 AM
Hi Edvard,

> The reason was a bit funny.
>
> In the folder, there is a file named 'signtool.exe.manifest'
>
> If it's there, the proces fails.
>
> If not, it runs as expected.
>
> @Friedrich - Perhaps an important info?

This is a typical "side-by-side" configuration error. The external "dummy"
manifest file for signtool requests specific dependency assemblies
("0.0.0.0" in this case). Don't use an external manifest file for
Authenticode tools.

Friedrich