code signing now...



NewsArchive
09-22-2015, 01:44 AM
Friedrich,

So I have my code signing certificate, which I got back on the 31st of
August 2014.
It's been working fine to code-sign with SetupBuilder.
So what are the steps that I have to do to make it into a new SHA-2
certificate use, or combined like you talk about?

Best Regards...

Roberto Renz

NewsArchive
09-22-2015, 08:16 AM
Roberto,

> So I have my code signing certificate, which I got back on the 31st
> of August 2014. It's been working fine to code-sign with SetupBuilder.
> So what are the steps that I have to do to make it into a new SHA-2
> certificate use, or combined like you talk about?

You need one of the latest SignTool.exe from Microsoft (at least
6.2.9200.16384) and then use #pragma and set CODESIGN_SHA to 2 for SHA-2
signing (see pragma help).

Does this help?

Friedrich

NewsArchive
09-22-2015, 08:21 AM
OK, I tried that..

I have version 10.0.10240.16384 of signtool and
added the #pragma at the start of my script.

compiled and got

Performing pre-checks...
#pragma loaded: CODESIGN_SHA
#pragma CODESIGN_SHA = 2
OK
Script format version detected: 7.0.2600
Adding Digital Certificate (Preprocessor)...
SIGNTOOL: D:\develop\tdeo3\tdeo.exe
SHA2: 1
Compiler error GEN1053: Code signing process failed. Error Code: 1
Script(s) processed


Does that mean my certificate is not adequate or do I have to order
something else?

Best Regards..

Roberto Renz

NewsArchive
09-22-2015, 08:39 AM
Roberto,

> Does that mean my certificate is not adequate or do I have to order
> something else?

Did you specify a SHA-2 compliant timestamp server? Are you using a
signtool.exe version (and the required components) that support SHA-2?

Friedrich

NewsArchive
09-22-2015, 11:52 AM
Hi Friedrich,
please can you clarify what you mean by "required components" of signtool.exe?
thanks
Darko

NewsArchive
09-22-2015, 11:53 AM
Darko,

> please can you clarify what you mean by "required components" of
> signtool.exe ?

Authenticode needs the CAPICOM component. Sometimes this component is
missing (or not registered) on Windows machines and signtool.exe fails.

Similar to this:
http://www.lindersoft.com/forums/showthread.php?45948-SignTool-does-not-work-with-Windows-10&p=82260&highlight=capicom_v2102#post82260

The component can be downloaded here:
http://www.lindersoft.com/forums/showthread.php?42237-SetupBuilder-Error-Code&p=75570#post75570

Friedrich

NewsArchive
09-22-2015, 11:54 AM
Friedrich,

ok..

I guess I didn't know about the new stamp server change..
I've always used the comodo one, changing it to the globalsign.com did
the trick.

thank you.. I now have the sha256 signature..

Robi

NewsArchive
09-22-2015, 11:55 AM
Friedrich,

what would be the pragma to dual sign sha-1 and sha-2 signatures?

Best Regards...

Roberto Renz

NewsArchive
09-22-2015, 11:56 AM
Found it...

#pragma CODESIGN_SHA = "12"

That should do it..

Roberto Renz

NewsArchive
09-22-2015, 11:56 AM
Roberto,

#pragma CODESIGN_SHA = "12" is correct.

But please see this:

http://www.lindersoft.com/forums/showthread.php?46755-pragma-CODESIGN_SHA-quot-12-quot-and-Timestamp-URL&p=84559#post84559

Friedrich

NewsArchive
09-22-2015, 11:56 AM
Interesting..

if it doesn't work with SetupBuilder 8.5 how come I got a dual stamp on
mine then?

Best Regards...

Roberto Renz

NewsArchive
09-22-2015, 11:57 AM
Roberto,

> Interesting..
>
> if it doesn't work with SetupBuilder 8.5 how come I got a dual stamp on
> mine then?
>

It works, but not as expected <g> Check the Digest algorithm for your SHA-1
timestamp (see attached screenshot) and it does not report SHA-1, right?
Only SetupBuilder 10 can sign using Microsoft Authenticode compatible time
stamp and RFC 3161 compliant trusted time stamp servers.

In your case, both signatures have a SHA-2 time stamp and older Windows
operating systems do not support this. The SHA-1 signature needs a SHA-1
time stamp.

Friedrich

NewsArchive
09-22-2015, 11:57 AM
Hi Friedrich,

you tell me?

it seems like it is sha1 like you say, compiled in 8.5 but using Windows
10 with signtool version 10.0.10240.16384

Anything I'm missing?

Best Regards...

Roberto Renz

NewsArchive
09-22-2015, 11:58 AM
Hi Roberto,

And what does your SHA-2 time stamp report? If it does not display "sha256"
then you have time stamped with a SHA-1 timestamp server. Does it report
sha256 (= SHA-2) in your case?

Friedrich

NewsArchive
09-22-2015, 11:59 AM
BTW, your screenshot is NOT from the timestamp !!!!!

Friedrich

NewsArchive
09-22-2015, 12:04 PM
Please check the correct dialog (see my screenshots). Select your timestamp
in "Countersignatures", then press "Details" and select the "Advanced" tab!

Friedrich
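The programmatic equivalent of the dialog check Friedrich describes (Countersignatures > Details > Advanced), as an added example that is not part of the thread and not SetupBuilder's or Microsoft's code: it walks the PKCS#7 SignedData that Authenticode stores in the PE, reports the digest of each signature (primary and nested) together with the digest of the SignerInfo that timestamps it, and flags signatures whose stamp is missing or uses a different digest than the signature, which is the "both have Sha1" situation above. It assumes the raw PKCS#7 has already been extracted from the PE's security directory; the two sample blobs at the bottom are constructed here with a small DER encoder (placeholder signature bytes, no real keys) purely to exercise the walker.

```python
"""Digest of each Authenticode signature and of its timestamp countersignature.
Added example, not SetupBuilder's or Microsoft's code. Input is the raw PKCS#7
ContentInfo from the PE security directory; samples below are constructed."""

OID_HEX = {  # DER contents of the OIDs used; dotted form in the comment
    "sha1": "2b0e03021a",                # 1.3.14.3.2.26
    "sha256": "608648016503040201",      # 2.16.840.1.101.3.4.2.1
    "signedData": "2a864886f70d010702",  # 1.2.840.113549.1.7.2
    "data": "2a864886f70d010701",        # 1.2.840.113549.1.7.1
    "rsa": "2a864886f70d010101",         # 1.2.840.113549.1.1.1
    "countersig": "2a864886f70d010906",  # 1.2.840.113549.1.9.6 legacy Authenticode stamp (/t)
    "rfc3161": "2b060104018237030301",   # 1.3.6.1.4.1.311.3.3.1 RFC 3161 token (/tr)
    "nested": "2b060104018237020401",    # 1.3.6.1.4.1.311.2.4.1 nested signature (/as)
}
OID_NAME = {bytes.fromhex(h): n for n, h in OID_HEX.items()}  # raw OID contents -> name
SEQ, SET, INT, OCT, NULL, OID = 0x30, 0x31, 0x02, 0x04, 0x05, 0x06

def der_read(buf, pos=0):
    """Decode one TLV at pos: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Members of a constructed value as [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def signer_info_digest(si_tlv):
    """SignerInfo ::= SEQ { version, sid, digestAlgorithm, ... } -> digest name."""
    alg = der_children(der_read(si_tlv)[1])[2][1]  # AlgorithmIdentifier ::= SEQ { OID, params }
    oid = der_children(alg)[0][1]
    return OID_NAME.get(oid, oid.hex())

def first_signer_info(ci_tlv):
    """ContentInfo -> [0] SignedData -> last SET (signerInfos) -> first SignerInfo TLV."""
    explicit = der_children(der_read(ci_tlv)[1])[1][1]
    signed_data = der_children(explicit)[0][1]
    signer_infos = [b for t, b in der_children(signed_data) if t == SET][-1]
    return signer_infos[:der_read(signer_infos)[2]]

def describe_signatures(ci_tlv):
    """One dict per signature, primary first, then nested ones (signtool /as order)."""
    si = first_signer_info(ci_tlv)
    entry = {"signature": signer_info_digest(si), "timestamp": None, "timestamp_type": None}
    nested = []
    unsigned = [b for t, b in der_children(der_read(si)[1]) if t == 0xA1]  # [1] unsignedAttrs
    for _, attr in (der_children(unsigned[0]) if unsigned else []):
        (_, oid_body), (_, value) = der_children(attr)  # Attribute ::= SEQ { OID, SET { value } }
        kind = OID_NAME.get(oid_body)
        if kind == "countersig":  # value is the timestamp server's SignerInfo
            entry.update(timestamp=signer_info_digest(value), timestamp_type="authenticode")
        elif kind == "rfc3161":   # value is a TimeStampToken, itself a SignedData
            entry.update(timestamp=signer_info_digest(first_signer_info(value)), timestamp_type="rfc3161")
        elif kind == "nested":    # value is the next signature's ContentInfo
            nested.extend(describe_signatures(value))
    return [entry] + nested

def timestamp_mismatches(ci_tlv):
    """Indices of signatures whose stamp is missing or uses a different digest than
    the signature itself (the SHA-1-stamped SHA-2 signature from the thread)."""
    return [i for i, e in enumerate(describe_signatures(ci_tlv)) if e["timestamp"] != e["signature"]]

# --- small DER encoder, used only to construct the samples ---
def der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def oid(name):
    return der(OID, bytes.fromhex(OID_HEX[name]))

def alg_id(name):
    return der(SEQ, oid(name) + der(NULL, b""))

def signer_info(digest, unsigned_attrs=b""):
    """version, sid (placeholder), digestAlgorithm, signatureAlgorithm, signature, [1] attrs."""
    body = der(INT, b"\x01") + der(SEQ, b"") + alg_id(digest) + alg_id("rsa") + der(OCT, b"\x00" * 8)
    return der(SEQ, body + (der(0xA1, unsigned_attrs) if unsigned_attrs else b""))

def content_info(signer_info_tlv):
    signed_data = der(INT, b"\x01") + der(SET, b"") + der(SEQ, oid("data")) + der(SET, signer_info_tlv)
    return der(SEQ, oid("signedData") + der(0xA0, der(SEQ, signed_data)))

def attribute(name, value_tlv):
    return der(SEQ, oid(name) + der(SET, value_tlv))

def dual_signed(sha2_timestamp_attr):
    """Primary SHA-1 signature with an Authenticode SHA-1 stamp, nested SHA-256 signature."""
    sha2_sig = signer_info("sha256", sha2_timestamp_attr)
    sha1_sig = signer_info("sha1", attribute("countersig", signer_info("sha1"))
                           + attribute("nested", content_info(sha2_sig)))
    return content_info(sha1_sig)

# Constructed samples: GOOD is the layout a SHA-2 aware tool produces; BAD is the
# SetupBuilder 8.5 result from the thread, a SHA-256 signature carrying a SHA-1 stamp.
SAMPLE_GOOD = dual_signed(attribute("rfc3161", content_info(signer_info("sha256"))))
SAMPLE_BAD = dual_signed(attribute("countersig", signer_info("sha1")))
```

On a real file, `describe_signatures(SAMPLE_GOOD)` style output is what to compare against the dialog: the first entry should read sha1/sha1 and the nested one sha256/sha256; a nested entry whose timestamp says sha1 is the case Friedrich is pointing at, and `timestamp_mismatches` returns its index.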

NewsArchive
09-22-2015, 12:05 PM
Friedrich,

Right,

both have Sha1

so does that mean that will be fixed in SB 10?

is my certificate ok to sign for sha2?

Best Regards...

Roberto Renz

NewsArchive
09-22-2015, 12:06 PM
Roberto,

> Right,
>
> both have Sha1
>
> so does that mean that will be fixed in SB 10?
>
> is my certificate ok to sign for sha2?

It's not really a "fix", it's an "enhancement" in SetupBuilder 10 <g>.

Yes, your code-signing certificate added a "sha256" signature. That means
it is already SHA-2 compliant.

In SetupBuilder 10, just add the following new #pragma and the compiler will
time stamp your SHA-1 signature using a Microsoft Authenticode compatible
time stamp.

#pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

Friedrich

NewsArchive
09-22-2015, 12:07 PM
Hi Friedrich,
as I am just trying to better understand the whole process, I am playing with
signtool.exe command line and with this line:

signtool sign /t http://timestamp.globalsign.com/?signature=sha2 /fd SHA256 /f myCert.pfx /p myPassword myExe.exe

I can get fully sha256 as you described (yes, counterpart signature also shows sha256)

No problem with sha1 either, but in no way can I add sha256 to the first
sha1 signature, as the command line with /as requires the /tr switch, forcing an
RFC 3161 timeserver.
There my signtool.exe crashes with a "has stopped working" message and myExe
remains sha256 but without a timestamp.

I believe you are also working with the same signtool.exe switches or there is
some SB10 secret part also?

Thanks for any additional information
Darko
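The two-pass recipe that Friedrich's CODESIGN_SHA = "12" / CODESIGN_TSSHA1URL pragmas and Darko's signtool experiments describe, as an added example that is not part of the thread and not SetupBuilder's or Microsoft's code: the SHA-1 signature gets a legacy Authenticode (/t) stamp, the appended (/as) SHA-256 signature gets an RFC 3161 (/tr) stamp with /td sha256, and a final verify lists every signature. It assumes a SHA-2 capable signtool.exe is on PATH (Friedrich reports 6.3.9600.16384 and 10.0.10240.16384 as crash-free); the SHA-1 stamp URL is the one from the thread, while the RFC 3161 URL default is a placeholder to replace with the endpoint your CA publishes.

```python
"""Two-pass dual signing with signtool.exe, driven from Python. Added example,
not SetupBuilder's or Microsoft's code; see assumptions in the comments."""
import subprocess

AUTHENTICODE_TS_URL = "http://timestamp.comodoca.com/authenticode"  # SHA-1 stamp URL from the thread
RFC3161_TS_URL = "http://rfc3161.example.invalid/tsa"               # placeholder, replace with your CA's


def dual_sign_commands(exe, pfx, password, ts_sha1=AUTHENTICODE_TS_URL, ts_sha2=RFC3161_TS_URL):
    """Return the three signtool argv lists in the order they must run."""
    cert = ["/f", pfx, "/p", password]
    return [
        # 1. Primary SHA-1 signature with a legacy Authenticode (/t) timestamp,
        #    the combination older Windows versions can validate.
        ["signtool", "sign", *cert, "/fd", "sha1", "/t", ts_sha1, exe],
        # 2. Append (/as) a SHA-256 signature. Appended signatures take an
        #    RFC 3161 (/tr) stamp; /td sha256 asks the server for a SHA-256 stamp.
        ["signtool", "sign", *cert, "/as", "/fd", "sha256", "/tr", ts_sha2, "/td", "sha256", exe],
        # 3. Verify every signature (/all) under Authenticode policy (/pa), verbosely.
        ["signtool", "verify", "/pa", "/all", "/v", exe],
    ]


def dual_sign(exe, pfx, password, **urls):
    """Run the passes in order; signtool exits non-zero when a pass fails."""
    for argv in dual_sign_commands(exe, pfx, password, **urls):
        result = subprocess.run(argv, capture_output=True, text=True)
        if result.returncode != 0:
            raise RuntimeError(f"{' '.join(argv[:2])} failed ({result.returncode}): "
                               f"{(result.stderr or result.stdout).strip()}")
    return True
```

Run order matters: the SHA-1 pass must be the primary signature, because /as appends to whatever is already there, and a stamp fetched from a server that only answers in SHA-1 will show up as the mismatch Friedrich describes regardless of which switch requested it.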

NewsArchive
09-23-2015, 02:02 AM
Hi Darko,

> I believe you are also working with the same signtool.exe switches or
> there
> is some SB10 secret part also?

I had similar crashes with the 6.2.9200.16384 tool. Switched to
6.3.9600.16384 and 10.0.10240.16384. No more crashes.

Friedrich

NewsArchive
09-23-2015, 02:04 AM
Friedrich,

so you're telling me that for now I can't time stamp with an external
server as sha-2?

I tried just doing a sha-2 and my internal one says it's sha256 but the
server says it's sha-1 also.

Will setupbuilder 10 fix this?

Best Regards...

Roberto Renz

NewsArchive
09-23-2015, 02:05 AM
Roberto,

> so you're telling me that for now I cant time stamp with an external
> server as sha-2?
>
> I tried just doing a sha-2 and my internal one says it's sha256 but the
> server says it's sha-1 also.
>
> Will setupbuilder 10 fix this?

Of course, you can time stamp with an external SHA-2 compliant server in
SB8.5!

There is nothing to "fix" from the SetupBuilder side ;-) If you are seeing
a SHA-1 time stamp then you did not use a true SHA-2 timestamp server. Just
switch to a trusted SHA-2 timestamp server and you are done. Not all
timestamp servers support SHA-2.

Friedrich

NewsArchive
09-23-2015, 03:01 AM
Correction: I think all timestamp servers are updated now. For example, the
following server worked fine in the past to dual code-sign with a SHA-2
timestamp (it was smart enough to detect the signing method), but it does
not work any longer.

http://timestamp.geotrust.com/tsa

So with SetupBuilder 8.5, you'll always get a SHA-1 time stamp for your dual
SHA-1/SHA-2 signature.

In other words, you need the advanced SHA-2 support in the soon coming
SetupBuilder 10 to get a SHA-2 time stamp.

Friedrich

NewsArchive
09-23-2015, 10:13 AM
Roberto,

And don't forget to set CODESIGN_TSTYPE pragma to 1.

Friedrich

NewsArchive
09-23-2015, 12:33 PM
Roberto,

Because pictures say more than words, please see the attached screenshots.
SHA-2 signed with a SHA-2 time stamp.

Friedrich

NewsArchive
09-23-2015, 12:33 PM
ahh ok...
the timestamp server has a parameter on the URL..

got it.. trying that... and yes that did it...

I guess I never saw anything either in these posts or the docs that I
had to change the URL and parameter..

Best Regards...

Roberto Renz

NewsArchive
09-23-2015, 12:35 PM
Hi Roberto,

> ahh ok...
> the timestamp server has a parameter on the URL..
>
> got it.. trying that... and yes that did it...
>
> I guess I never saw anything either in these posts or the docs that I
> had to change the URL and parameter..

Quite a few timestamp servers received an update this week. The pre-defined
servers in SetupBuilder are just a small collection of available timestamp
servers. You need a true SHA-2 timestamp server to retrieve a SHA-2 time
stamp for your signature.

In SetupBuilder 10, I have added a few more servers...

http://www.lindersoft.com/forums/showthread.php?46755-pragma-CODESIGN_SHA-quot-12-quot-and-Timestamp-URL&p=84559#post84559

Friedrich

NewsArchive
09-23-2015, 12:36 PM
Friedrich..

thank you.. that will help the weary like us..

so much information, so little time.

Best Regards...

Roberto Renz