SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing



NewsArchive
10-05-2015, 08:17 AM
-- SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing

It has been some time since we've had the "Tips & Tricks" column. Many
people have asked me for tips on how to do this and that, so I figured I
would share some with you here. The first in this new series of tips and
tricks explains how you can handle dual SHA-1/SHA-2 (SHA-256) code-signing
with SetupBuilder.

Background: Organizations need to develop a migration plan for SHA-1 code
signing certificates that expire after January 1, 2016. To support older
Windows operating systems (e.g. Windows XP, Vista, early Windows 7 versions)
and modern Windows systems (Windows 8.x and later) after 1 January 2016, you
have to dual SHA-1/SHA-2 code-sign all your application files and setups
using a Microsoft Authenticode compatible time stamp server and an RFC 3161
compliant trusted time stamp server (a SHA-2 compatible code-signing
certificate is required).

SHA-2 (SHA-256) was created by the National Institute of Standards and
Technology (NIST) to replace SHA-1 after mathematical weaknesses were
discovered in the algorithm. For the past few years, network security
experts have warned that certificates using the SHA-1 hashing algorithm will
soon be in danger of being hacked due to consistent advancements in
computing technology.

-- How to handle dual code-signing with SetupBuilder 10?

1. Set the "TimeStamp URL" to a SHA-2 compliant timestamp server.

For example: http://timestamp.globalsign.com/?signature=sha2

2. In the Script Editor, set the Secure Hash Algorithm to "dual".

#pragma CODESIGN_SHA = "12"

3. In the Script Editor, set the timestamp server for the SHA-1 signature to
a Microsoft Authenticode compatible timestamp server.

#pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

Note: You need Microsoft SignTool.exe version 6.2.9200.16384 or later to
support dual SHA-1/SHA-2 code-signing.

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
10-05-2015, 12:33 PM
Saved!

Thanks!

--

Russ Eggen
RADFusion International, LLC

NewsArchive
10-05-2015, 12:33 PM
Very nice!
Thank you!

Best regards,
Jeffrey

NewsArchive
10-06-2015, 02:43 AM
Hi Friedrich,

> It has been some time since we've had the "Tips & Tricks" column. Many

Would you mind if I put this up in the Icetips Articles? This is
invaluable information!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-06-2015, 02:46 AM
Hi Arnor,

>> It has been some time since we've had the "Tips & Tricks" column.
>
> Would you mind if I put this up in the Icetips Articles? This is
> invaluable information!

Absolutely no problem! Please feel free to put this up in the Icetips
Articles!

Friedrich

NewsArchive
10-06-2015, 11:00 AM
Hi Friedrich,

> Absolutely no problem! Please feel free to put this up in the Icetips
> Articles! Friedrich

Thank you!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-07-2015, 02:15 AM
Hi Friedrich,

> Absolutely no problem! Please feel free to put this up in the Icetips
> Articles! Friedrich

http://www.icetips.com/articles.php?articlecategory=29
http://www.icetips.com/showarticle.php?articleid=1566
http://www.icetips.com/showarticle.php?articleid=1567

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-07-2015, 02:16 AM
> #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

This line is used for the dual coding of the setup.exe?

I started with:

#pragma CODESIGN_SHA = "12" without the #pragma CODESIGN_TSSHA1URL =
"http://timestamp.comodoca.com/authenticode"

And all my DLLs and EXEs are dual code-signed after having changed to
a proper timestamp server.

Best regards

Edvard Korsbæk

NewsArchive
10-07-2015, 02:16 AM
Hi Edvard,

>
> This line is used for the dual coding of the setup.exe?
>

It's used for both the "setup.exe" and "#code-sign application..." compiler
directive.

Friedrich

NewsArchive
11-10-2015, 04:24 AM
Edvard,

Just tried CodeSigning using the #pragma CODESIGN_TSSHA1URL =
"http://timestamp.comodoca.com/authenticode" line and CodeSigning failed.

Used your method and CodeSigning worked and Dual-signed.

Thanks for your suggestion, though I would like to know why the other
method does not work.

Bob

NewsArchive
11-10-2015, 04:24 AM
Bob,

> Thanks for your suggestion, though I would like to know why the other
> method does not work.

Don't do this !!!

When you are using #pragma CODESIGN_SHA = "12" without the #pragma
CODESIGN_TSSHA1URL and only a SHA-2 timestamp server then you have a SHA-1
and SHA-2 signature but both are SHA-2 time stamped. But you need a SHA-1
timestamp for your SHA-1 signature and a SHA-2 timestamp for your SHA-2
signature.

If dual code-signing with a Microsoft Authenticode compatible time stamp
server and an RFC 3161 compliant trusted time stamp server does NOT work then
1.) one of the servers is not accessible from your system -and/or- 2.) your
SignTool utility does not support it -and/or- 3.) your Windows operating
system does not support it.

Friedrich
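
The three-step recipe from the first post and the "why both timestamps" point made just above, expressed as direct SignTool.exe calls. This is an added example written for this archive; it is not SetupBuilder's own code and not something Lindersoft published. It shows what a dual SHA-1/SHA-2 signing run looks like underneath the #pragma settings: one SHA-1 signature with an Authenticode-style timestamp, then one appended SHA-256 signature with an RFC 3161 timestamp, then a verification pass over both. The file path, PFX path, password environment variable and signtool location are placeholders; the two timestamp URLs are the ones given in the thread.

```powershell
# Added example, not code from the SetupBuilder thread or from Lindersoft.
# Reproduces the dual-signing recipe with signtool.exe directly.
# Placeholders (assumptions, not from the thread): $File, $Pfx, $Password, $SignTool.
param(
    [string]$File     = ".\setup.exe",                 # placeholder: file to sign
    [string]$Pfx      = ".\codesign.pfx",              # placeholder: SHA-2 capable code-signing cert
    [string]$Password = $env:CODESIGN_PFX_PASSWORD,    # placeholder: keep the secret out of the script
    [string]$SignTool = "signtool.exe"                 # thread: needs 6.2.9200.16384 or later
)
$ErrorActionPreference = "Stop"

# Timestamp servers exactly as the thread lists them.
$Sha1TsUrl = "http://timestamp.comodoca.com/authenticode"       # Authenticode-style server, used with /t
$Sha2TsUrl = "http://timestamp.globalsign.com/?signature=sha2"  # RFC 3161 server, used with /tr and /td sha256

# Step 1: primary signature, SHA-1 file digest, Authenticode (non-RFC 3161) timestamp.
# This is the part CODESIGN_TSSHA1URL controls in SetupBuilder.
& $SignTool sign /fd sha1 /t $Sha1TsUrl /f $Pfx /p $Password /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signature or timestamp failed (is $Sha1TsUrl reachable?)" }

# Step 2: appended signature (/as keeps step 1 in place), SHA-256 file digest,
# RFC 3161 timestamp whose own digest is SHA-256. This is the "General Information ->
# Digital Signature" timestamp URL in SetupBuilder.
& $SignTool sign /as /fd sha256 /tr $Sha2TsUrl /td sha256 /f $Pfx /p $Password /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signature or timestamp failed (is $Sha2TsUrl reachable?)" }

# Step 3: check the result. /all walks every signature in the file, so the verbose
# output should list two signatures with different digest algorithms, each with its
# own timestamp. Get-AuthenticodeSignature reports only the primary signature and
# therefore cannot show that the second one is present.
& $SignTool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "verification of one or both signatures failed" }
```

The misconfiguration Friedrich warns about (CODESIGN_SHA = "12" with only the SHA-2 timestamp URL set) corresponds to running step 1 against $Sha2TsUrl instead of $Sha1TsUrl: both signatures get created, but the SHA-1 signature does not carry the SHA-1 timestamp it needs. Run the script from a directory where the PFX is readable, with the password in the CODESIGN_PFX_PASSWORD environment variable, and read the /v output of the final verify to confirm both signatures and both timestamps are listed.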

NewsArchive
11-10-2015, 10:28 AM
Friedrich,

I have:
1) SignTool.exe to 10.0.10240.16384
2) Windows 10 Pro 64
3) Changed script as displayed in attached image.

The script now CodeSigns without error. Is this the correct method?

Thanks,

Bob

NewsArchive
11-10-2015, 10:29 AM
Hi Bob,

> I have:
> 1) SignTool.exe to 10.0.10240.16384
> 2) Windows 10 Pro 64
> 3) Changed script as displayed in attached image.
>
> The script now CodeSigns without error. Is this the correct method?

No, it's not the correct method. But the SignTool.exe version and the OS
are perfect.

Please use the SHA-2 timestamp server in "General Information -> Digital
Signature" -and/or (optional!)- in the "#code-sign application..." compiler
directive. Then use #pragma CODESIGN_TSSHA1URL to set the SHA-1 server link
to the SHA-1 timestamp server.

Friedrich

NewsArchive
11-10-2015, 10:29 AM
Hi Bob,

> 1) SignTool.exe to 10.0.10240.16384
> 2) Windows 10 Pro 64
> 3) Changed script as displayed in attached image.
>
> The script now CodeSigns without error. Is this the correct method?
>

What I have is:

1. In the project "General Information | Digital Signature" I set the
Time Stamp URL to http://timestamp.globalsign.com/?signature=sha2 -
see: http://screencast.com/t/UovJgZd8LDg
2. Then in the script, at the top I have:

#pragma CODESIGN_SHA = "12"
#pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

As far as I can tell my exe is code signed correctly.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
11-10-2015, 01:44 PM
Friedrich,

It used to be SO simple. Sign? Yes or No! Ah, the good old days!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

NewsArchive
11-10-2015, 01:45 PM
Friedrich and Arnor,

Got it. Thanks,

Bob