PDA

View Full Version : Using the new SHA-2 certificates on an old XP development machine - possible?



NewsArchive
12-16-2015, 04:46 AM
Hello Friedrich,

still one question.....

One of me projects is in Clarion 6.3 on a XP-SP3-machine. I think, it has SetupBuilder 7.

Due to the end of SHA-1 support I want to re-compile that project and send the
new binaries to teh customers.

Just for my understanding: can I use this new certificate onmy old box or do I
have to move the entire environment to a newer OS?


Thanks in advance,
Wolfgang Orth
www.odata.de

NewsArchive
12-16-2015, 04:47 AM
Hi Wolfgang,

> still one question.....
>
> One of me projects is in Clarion 6.3 on a XP-SP3-machine. I think, it has
> SetupBuilder 7.
>
> Due to the end of SHA-1 support I want to re-compile that project and send
> the new binaries to teh customers.
>
> Just for my understanding: can I use this new certificate onmy old box or
> do I have to move the entire environment to a newer OS?

On your old XP-SP3 machine you can use this SHA-2 certificate to handle
SHA-1 code-signing for "legacy" Windows operating systems. But please note
that effective January 1, 2016, Windows 7 and higher and Windows Server will
no longer trust any code that is signed with a SHA-1 (only) code signing
certificate and that contains a timestamp value greater than January 1,
2016.

You can not handle SHA-2 or "dual" SHA-1/SHA-2 from your XP SP3 machine.

Friedrich

NewsArchive
12-16-2015, 04:48 AM
>You can not handle SHA-2 or "dual" SHA-1/SHA-2 from your XP SP3 machine.

That does mean, I have to move my entire dev environment to a new machine???????

Wolfgang Orth

NewsArchive
12-16-2015, 04:48 AM
Hi Wolfgang,

>>You can not handle SHA-2 or "dual" SHA-1/SHA-2 from your XP SP3 machine.
>
> That does mean, I have to move my entire dev environment to a new
> machine???????

If you need "dual" SHA-1/SHA-2 signatures then you should move the
code-signing part to Windows 10 (or Windows 8.1; but *not* recommended). If
you only need SHA-2 code-signing then Windows 7 SP1 might work. XP-SP3 is
not possible.

As far as I understand, you need dual SHA-1/SHA-2 code-signing to support
legacy (XP, Vista, Windows 7) and modern Windows operating systems. So your
only realistic option is to use Windows 10.

Friedrich

NewsArchive
12-16-2015, 04:50 AM
Ich dazu mal was in der dt-Gruppe geschrieben.

Regards,
Wolfgang Orth
www.odata.de

NewsArchive
12-16-2015, 04:50 AM
> Ich dazu mal was in der dt-Gruppe geschrieben.

Okay !

Friedrich

NewsArchive
12-17-2015, 05:40 AM
Hi Friedrich,

> If you need "dual" SHA-1/SHA-2 signatures then you should move the
> code-signing part to Windows 10 (or Windows 8.1; but *not* recommended).

I'm doing dual code signing on Win 7 Ultimate build 7601. But I'm using
the signing tools from Windows 8.1 SDK. Seems to work fine.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-17-2015, 05:41 AM
Hi Arnor,

>> If you need "dual" SHA-1/SHA-2 signatures then you should move the
>> code-signing part to Windows 10 (or Windows 8.1; but *not* recommended).
>
> I'm doing dual code signing on Win 7 Ultimate build 7601. But I'm using
> the signing tools from Windows 8.1 SDK. Seems to work fine.

Yes, it worked fine here on Windows 7 SP1, but stopped working end of
September (I tried the Win 8.1 and Win 10 SDK). Just checked it: from
September 2015 - today we have received exactly 167 technical support
requests for dual code-signing on Windows 7. Microsoft told me that it is
not safe to use Windows 7 for dual code-signing.

After that I switched my build environment to Windows 10.

Friedrich

NewsArchive
12-18-2015, 04:35 AM
Hi Friedrich,

> Yes, it worked fine here on Windows 7 SP1, but stopped working end of
> September (I tried the Win 8.1 and Win 10 SDK). Just checked it: from
> September 2015 - today we have received exactly 167 technical support
> requests for dual code-signing on Windows 7. Microsoft told me that it
> is not safe to use Windows 7 for dual code-signing. After that I
> switched my build environment to Windows 10.

Weird. It works fine here... Maybe because it's 32bit VM (I still have
apps in C6) ? Don't know but I have built installs this week without
any issues. The code signing seems to work fine... Oops, it might
have something to do with not updating windows for quite a while on that
VM;) Well, shoot!

This certificate BS is getting old and tiresome.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-30-2015, 04:05 AM
Hi Friedrich,

Thanks for assisting me to get the SHA2 certificate from Comodo.

When I try and sign it using the extracted files, I get:

NOTE: To Support .PFX code-signing, please use SignTool.exe in IDE -> Tools
| Options... | File.....
Compiler Error GEN1053: Code signing process failed. Error code: -1

Do I need an updated SignTool?

This is a very helpful doc: http://www.lindersoft.com/CodeSign.pdf

Although the link to get the signtools seems to be for Windows Server
2008/win 7. I searched the MS site for Windows 10 SDK, but there does not
seem to be the same thing. Do you have a pointer to grab an updated
signtools.exe?

BTW - according to comodo, the installer signed with SHA2 will work on a
client's windows xp sp3 machine. Is that your experience?

Thanks very much.

Geoff

NewsArchive
12-30-2015, 09:20 AM
Hi Geoff,

> Thanks for assisting me to get the SHA2 certificate from Comodo.
>
> When I try and sign it using the extracted files, I get:
>
> NOTE: To Support .PFX code-signing, please use SignTool.exe in IDE ->
> Tools | Options... | File.....
> Compiler Error GEN1053: Code signing process failed. Error code: -1
>
> Do I need an updated SignTool?

You have to specify the path to your SigtTool.exe in the SetupBuilder 10 IDE
(Tools | Options... | File.....). You need at least SignTool version
6.2.9200.16384.

> This is a very helpful doc: http://www.lindersoft.com/CodeSign.pdf
>
> Although the link to get the signtools seems to be for Windows Server
> 2008/win 7. I searched the MS site for Windows 10 SDK, but there does not
> seem to be the same thing. Do you have a pointer to grab an updated
> signtools.exe?

Unfortunately, Microsoft makes it very hard to get access to SignTool.exe.

> BTW - according to comodo, the installer signed with SHA2 will work on a
> client's windows xp sp3 machine. Is that your experience?

No. I have never seen a XP system that accepted SHA-2.

Friedrich

NewsArchive
12-30-2015, 09:21 AM
Hi Friedrich,

I've tried a couple of different SDKs and the latest I can get is 6.1.7600.
I'm trying not to get too frustrated ;)

This looks like a stand alone EXE. Is it possible you can upload your
version for download?

Thanks

NewsArchive
12-30-2015, 09:22 AM
> BTW - according to comodo, the installer signed with SHA2 will work on a
> client's windows xp sp3 machine. Is that your experience?

BTW, see attached screenshot. This is a SHA-2 code-signed executable on
Windows XP SP3. The signature is NOT valid.

To support Windows 7 (with no service pack) and earlier operating systems
you need a "dual" SHA-1/SHA-2 signature.

Friedrich

NewsArchive
12-31-2015, 06:10 AM
Hi Geoff,

> I've tried a couple of different SDKs and the latest I can get is
> 6.1.7600. I'm trying not to get too frustrated ;)
>
> This looks like a stand alone EXE. Is it possible you can upload your
> version for download?

Unfortunately, no no no no, sorry. Microsoft lawyers are watching. It is
strictly forbidden to redistribute or share SignTool.exe (a small 300 KB
file). That's why you can't find any link on the Internet. M$ has no mercy
in this case.

Friedrich

NewsArchive
12-31-2015, 06:10 AM
Hi Geoff,

> I've tried a couple of different SDKs and the latest I can get is
> 6.1.7600. I'm trying not to get too frustrated ;)
>
> This looks like a stand alone EXE. Is it possible you can upload your
> version for download?

I downloaded the Windows 8.1 SDK kit and installed it on Win7 and it
worked great. I think it has 6.2 or 6.3 in it.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-01-2016, 01:08 PM
Hi Geoff,

> I've tried a couple of different SDKs and the latest I can get is
> 6.1.7600. I'm trying not to get too frustrated ;)

This is the one I'm using:

https://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

That is the one for Windows 8.1. By default it goes into:

c:\Program Files\Windows Kits\8.1\bin\x86\

and there you will find signtool.exe. This one is version 6.3.9600.17298

For windows 10 SDK: https://dev.windows.com/en-us/downloads/windows-10-sdk

Happy New Year:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC