Need Help - SetupBuilder 10 certificate reputation (screenshots attached)

NewsArchive
09-15-2015, 02:19 AM
All,

I need your help.

As you probably know, files signed with new code signing certificates need
to build reputation; you have to earn trust. Reputation is generated and
assigned to digital certificates as well as to specific files. But digital
certificates allow data to be aggregated and assigned to a single
certificate rather than to many individual programs.

We are using a new SHA-2 compliant code-signing certificate to code-sign all
new SetupBuilder 10 files. To make sure that SetupBuilder redistributables
(e.g. wupdate.exe, wucheck.exe, etc.) and system service files are trusted,
we have to build a reputation for our new certificate.

Please download and run the following small tool on as many machines as
possible. See attached screenshots.

http://www.lindersoft.com/projects/sb10_reputation.exe

Thank you for your help!

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
09-15-2015, 02:43 AM
Done!

Peter Hermansen

NewsArchive
09-15-2015, 02:43 AM
Thank you !!!

Friedrich

NewsArchive
09-15-2015, 02:44 AM
"Not Found"

Darko

NewsArchive
09-15-2015, 02:45 AM
http://www.lindersoft.com/projects/sb10_reputation.exe

HTTP 404 error

That’s odd... Microsoft Edge can’t find this page

Simon Kemp

NewsArchive
09-15-2015, 02:46 AM
By the way, just to show what happens when you compile the SAME project but
this time code-sign with the OLD certificate (already trusted by millions of
downloads and redistributable runs worldwide).

Microsoft Windows immediately displays the 'RUN' option.

Friedrich

NewsArchive
09-15-2015, 02:46 AM
Darko,

> "Not Found"

Could you please try it again? Too many simultaneous downloads....

Thanks,
Friedrich

NewsArchive
09-15-2015, 02:47 AM
> HTTP 404 error
>
> That’s odd... Microsoft Edge can’t find this page

Could you please try it again? Oops. Too many simultaneous downloads....

Thanks,
Friedrich

NewsArchive
09-15-2015, 02:50 AM
Done at my work laptop and at home.

Kzendra

--
It ain't the fall that kills you
It's the sudden stop at the bottom.

NewsArchive
09-15-2015, 02:55 AM
>
> Done at my work laptop and at home.
>

Perfect, thank you!!!

Friedrich

NewsArchive
09-15-2015, 03:07 AM
Sure and done!

Darko

NewsArchive
09-15-2015, 03:23 AM
>
> Sure and done!
>

Thank you, Darko !!!

Friedrich

NewsArchive
09-15-2015, 03:24 AM
On older Microsoft Internet Explorer versions, you see this (see attached
screenshots).

It is VERY IMPORTANT to build a reputation for new code-signing certificates
with Internet Explorer and/or Microsoft Edge.

Friedrich

NewsArchive
09-15-2015, 03:28 AM
done

--
Guennadi

NewsArchive
09-15-2015, 03:29 AM
>
> done
>

Thank you, Guennadi!

Friedrich

NewsArchive
09-15-2015, 06:39 AM
done

--
--
Leonid Chudakov
Cool Tools and Clarion Examples at
http://www.klarisoft.com

NewsArchive
09-15-2015, 06:39 AM
Done.

But what happens when I start to use SHA-2 to sign my programs via
SetupBuilder? Will it be almost impossible for my customers to find the Run
button until I have a good reputation, or will I benefit from the
reputation you are earning?

Best regards
Viggo Poulsen
Vipilon

NewsArchive
09-15-2015, 06:39 AM
Hi Viggo,

> Done.

Thank you!

> But what happens when I start to use SHA-2 to sign my programs via
> SetupBuilder? Will it be almost impossible for my customers to find the
> Run button until I have a good reputation, or will I benefit from the
> reputation you are earning?

If you already have earned a reputation for your current certificate and you
switch from SHA-1 to SHA-2 or dual SHA-1/SHA-2 signing then you are still
using the same certificate. But if you have a SHA-1 certificate that
expires after January 1, 2016 and you ask Comodo to replace it with a new
SHA-2 certificate (the same expiration date) then you'll have again zero
reputation. In this case it's better to order a fresh 3-year certificate
for $200 to be on the safe side for the next three years <g>.

Friedrich

NewsArchive
09-15-2015, 06:40 AM
>
> done
>

Thank you, Leonid !!!

Friedrich

NewsArchive
09-15-2015, 06:41 AM
You must have a good reputation....

I tried on my win 7 host, a win 8 VM, and two Win10 VMs.... No warnings.
How come I always miss out on the fun ???

jf

NewsArchive
09-15-2015, 06:42 AM
Hi Jane,

> You must have a good reputation....
>
> I tried on my win 7 host, a win 8 VM, and two Win10 VMs.... No warnings.
> How come I always miss out on the fun ???

WOW! COOL!!! :-)

I think you came too late to the party <g> Seems the reputation level
changed a few minutes ago. When I download/run now there is no warning.

Friedrich

NewsArchive
09-15-2015, 06:43 AM
Story of my life. Always too late with too little. Sigh <g>

jf

NewsArchive
09-15-2015, 06:43 AM
>
> Story of my life. Always too late with too little. Sigh <g>
>

<ROFL> ;-)

Friedrich

NewsArchive
09-15-2015, 09:49 AM
Done!

--

Russ Eggen
RADFusion International, LLC

NewsArchive
09-15-2015, 09:49 AM
>
> Done!
>

Thank you, Russ.

Friedrich

NewsArchive
09-15-2015, 09:49 AM
Done.
5 machines.

Johan de Klerk

NewsArchive
09-15-2015, 09:50 AM
> Done.
> 5 machines.

Thank you, Johan !!!

Friedrich

NewsArchive
09-15-2015, 09:50 AM
Friedrich,

> I need your help.

How do I know I can trust you... I mean, really, HOW?!<g>

You SAY you're Friedrich Linder and you SAY you wrote this program but
we've never actually met so what do I base my trust on?


Seems I overslept today... dang it!

Glad you got things handled now where is MY copy of SB10?!?!?!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

NewsArchive
09-15-2015, 09:53 AM
Friedrich,

Getting the following message when I try to access it using the given link:

"The requested URL /projects/sb10_reputation.exe was not found on this
server."

Barton

Barton Whisler
Prosoft Inc.
Tampa, Florida

NewsArchive
09-15-2015, 11:01 AM
Lee,

>> I need your help.
>
> How do I know I can trust you... I mean, really, HOW?!<g>
>
> You SAY you're Friedrich Linder and you SAY you wrote this program but
> we've never actually met so what do I base my trust on?

Hey, Comodo checked my background and found it satisfactory. You trust
Comodo, Comodo trusts me. So you can trust me, too. A equals B equals C.
A therefore equals C <g>

> Seems I overslept today... dang it!
>
> Glad you got things handled now where is MY copy of SB10?!?!?!<g>

"Coming soon (TM)" <bg> ;-)

Friedrich

NewsArchive
09-15-2015, 11:02 AM
Done!

Stamos

NewsArchive
09-15-2015, 11:50 AM
>
> Done!
>

Thank you, Stamos!

Friedrich

NewsArchive
09-16-2015, 02:00 AM
> then you'll have again zero
> reputation. In this case it's better to order a fresh 3-year certificate
> for $200 to be on the safe side for the next three years <g>.

So, either way your reputation is trashed?

I just updated less than a year ago... so each time I get new
certificates I start over? I've got 2 years left I think... but it's
sha-1 according to the resulting exe.

--
Ray Rippey
VMT Software

NewsArchive
09-16-2015, 02:01 AM
Hi Friedrich,

> expires after January 1, 2016 and you ask Comodo to replace it with a new
> SHA-2 certificate (the same expiration date) then you'll have again zero
> reputation. In this case it's better to order a fresh 3-year certificate
> for $200 to be on the safe side for the next three years <g>.

What if you have a SHA-2 or dual certificate and get a new one in 2016
or 2017 or 2018 - there is no renewal in this context. It seems to me
that this is getting rather ridiculous if you need to have people
download binaries with your certificate to build "reputation". Next step
is probably to plug the downloading IP in there so the same IP
downloading or running more than once will be ignored ;)

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

NewsArchive
09-16-2015, 02:02 AM
Ray,

> So, either way your reputation is trashed?
>
> I just updated less than a year ago... so each time I get new certificates
> I start over? I've got 2 years left I think... but it's sha-1 according to
> the resulting exe.

Yes, new standard Authenticode Code Signing Certificates have zero
reputation. Authenticode Certificates issued by a CA that is a member of
the Windows Root Certificate Program (e.g. Comodo) can establish reputation.
As the software or its publisher gains a better reputation, the likelihood
of a warning diminishes. Reputation based on signed software is based on
the associated code signing certificate and the reputation of the CA that
issued the code signing certificate.

If you still have two years left then I think you already have a SHA-2
compliant certificate. On and after September 8, 2014 Comodo issued SHA-2
certificates by default. Did you use the SHA-2 or "dual" SHA-1/SHA-2 method
to code-sign your file(s)? The standard code-signing process will always
use SHA-1.

Friedrich
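
Added here as an example of how to check the two points Friedrich raises (which algorithm the signing certificate uses and when it expires) before shipping a redistributable; this is not code from the thread or from SetupBuilder, and the file path is a placeholder.

```powershell
# Added example, not code from the thread or from SetupBuilder.
# Summarises the Authenticode signature on each file: verification status,
# signer, the algorithm the CA used to sign the certificate itself
# (sha1RSA vs sha256RSA), its expiry, and whether a timestamp is present.
function Get-SigningSummary {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate

        $signer = $null; $alg = $null; $expires = $null; $thumb = $null
        if ($cert) {
            $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
            $signer   = $cert.GetNameInfo($nameType, $false)
            $alg      = $cert.SignatureAlgorithm.FriendlyName
            $expires  = $cert.NotAfter
            $thumb    = $cert.Thumbprint
        }

        [pscustomobject]@{
            File          = Split-Path -Leaf $file
            # Valid, NotSigned, HashMismatch, or UnknownError (untrusted chain)
            Status        = $sig.Status
            Trusted       = ($sig.Status -eq 'Valid')
            Signer        = $signer
            CertAlgorithm = $alg
            # A certificate still signed with sha1RSA is the case the thread
            # warns about; a replacement certificate starts with zero reputation.
            Sha1Cert      = ($alg -eq 'sha1RSA')
            NotAfter      = $expires
            # Without a timestamp the signature stops validating at NotAfter;
            # with one it stays valid after the certificate expires.
            Timestamped   = [bool]$sig.TimeStamperCertificate
            Thumbprint    = $thumb
        }
    }
}

# Placeholder path; point it at your own signed redistributables.
Get-SigningSummary -Path 'C:\path\to\wupdate.exe' | Format-List
```

Get-AuthenticodeSignature reports only the primary signature and does not expose the file digest algorithm, so on a dual-signed file use `signtool verify /pa /v /all <file>` to list every signature with its hash algorithm.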

NewsArchive
09-16-2015, 02:03 AM
Hi Arnor,

> What if you have a SHA-2 or dual certificate and get a new one in 2016 or
> 2017 or 2018 - there is no renewal in this context. It seems to me that
> this is getting rather ridiculous if you need to have people download
> binaries with your certificate to build "reputation". Next step is
> probably to plug the downloading IP in there so the same IP downloading or
> running more than once will be ignored ;)

In fact, nothing changed in the last 17 years :-) New standard Authenticode
Code Signing Certificates always have ZERO reputation.

But in March 2009, Microsoft introduced an Application Reputation engine.
It evaluates whether the software has been previously encountered by
checking a large database of code that has been encountered and collected
from telemetry capabilities on Windows machines. In short, it looks at
whether a software vendor has been blacklisted or whitelisted.

So this "reputation reset" thing is not a new problem <g>.

Friedrich

NewsArchive
09-16-2015, 02:05 AM
Downloaded just now via Chrome then Chrome said "You gonna die!" but I
kept/ran it anyway.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
09-16-2015, 05:19 AM
Jeff,

> Downloaded just now via Chrome then Chrome said "You gonna die!" but I
> kept/ran it anyway.

Thank you!!! We need more downloads via Chrome to earn trust for the new
certificate from Chrome users.

Friedrich

NewsArchive
09-16-2015, 07:52 AM
I ran it under FireFox and Edge.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
09-16-2015, 07:52 AM
>
> I ran it under FireFox and Edge.
>

Thank you, Russ!

Friedrich

NewsArchive
09-16-2015, 07:57 AM
Made it on one of my Win 8 machines with FF, will do with Chrome on Vista
tonight, to give you an extra lift. ;-)

We actually did not fool the system, did we? And it was so easy....

Wolfgang

Regards,
Wolfgang Orth
www.odata.de

NewsArchive
09-16-2015, 07:58 AM
> Made it on one of my Win 8 machines with FF, will do with Chrome
> on Vista tonight, to give you an extra lift. ;-)
>
> We actually did not fool the system, did we? And it was so easy....

Thank you, Wolfgang !!! :-)

This is an incredibly stupid moronic idiotic system and we just pimp our
"new" reputation a little bit <g> It simply does not make any sense to
reset the reputation level when a "renewed" certificate is issued (same
developer, same company, same address, same everything). Argh!!!

Friedrich

NewsArchive
09-16-2015, 09:48 AM
Hi Friedrich,

> But in March 2009, Microsoft introduced an Application Reputation engine.
> It evaluates whether the software has been previously encountered by
> checking a large database of code that has been encountered and collected
> from telemetry capabilities on Windows machines. In short, it looks at
> whether a software vendor has been blacklisted or whitelisted.

OK. But then why does it reset with a new certificate to the same
vendor? Just curious - it seems to me that the more I learn about code
signing, the less I trust it...

Best regards,


--
Arnor Baldvinsson - Icetips Alta LLC

NewsArchive
09-16-2015, 11:10 AM
Hi Arnor,

> OK. But then why does it reset with a new certificate to the same vendor?
> Just curious - it seems to me that the more I learn about
> code signing, the less I trust it...

Only Microsoft knows the answer <g> The WebTrusts (Comodo, Thawte, etc.) do
not have control over this.

Friedrich

NewsArchive
09-17-2015, 02:01 AM
> Please download and run the following small tool on as many machines as
> possible (see attached screenshots):
> http://www.lindersoft.com/projects/sb10_reputation.exe

Chrome, Win10, ESET Endpoint AV

Chrome just asked me if I'd like to discard or keep your .EXE file.
Works fine.

Marko