View Full Version : SHA-1 times tamped in 2016
NewsArchive
01-03-2016, 05:46 AM
Happy New Year!
The official SHA-1 statement is/was: "For code signing certificates, Windows
will stop accepting SHA-1 signed code and SHA1 certificates that are time
stamped after 1 January 2016. SHA-1 signed code time stamped by an RFC 3161
Time Stamp Authority before 1 January 2016 will be accepted until such time
when Microsoft decides SHA-1 is vulnerable to pre-image attack."
Just for fun, I have used my old SHA-1 code-signing certificate and code
signed and time stamped a setup.exe on January 02, 2016. Result: it's still
accepted on my Win10 and Win7 test machines.
Let's see what will happen next week.
Friedrich
NewsArchive
01-03-2016, 05:47 AM
I love your idea of "fun" !!! <g>
jf
NewsArchive
01-03-2016, 05:47 AM
>
> I love your idea of "fun" !!! <g>
>
<VBG> ;-)
Friedrich
NewsArchive
01-04-2016, 12:07 PM
Update: To add some more complexity, the loss of trust will only happen with
SHA-1 signed executables (without a timestamp or a timestamp after 1/1/2016)
and with a "Mark of the Web" attribute. A "Mark of the Web" attribute means
that the executable is flagged as downloaded from an untrusted source (e.g.
the Internet). Code signature status behavior might depend on specific
Policy settings and Trusted Zones, and SmartScreen data may be used to allow
certificates with good reputation.
Welcome to 2016 <g>
BTW, I can't confirm the above behaviour right now. Perhaps my "old" SHA-1
certificate trust level is too hight.
Friedrich
--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)
--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
NewsArchive
01-05-2016, 03:59 AM
Hi Friedrich,
> Update: To add some more complexity, the loss of trust will only happen with
> SHA-1 signed executables (without a timestamp or a timestamp after 1/1/2016)
> and with a "Mark of the Web" attribute. A "Mark of the Web" attribute means
Is that the same as the "Unblock" button does on the file properties
which shows if the file was downloaded?
> Welcome to 2016 <g>
>
> BTW, I can't confirm the above behaviour right now. Perhaps my "old" SHA-1
> certificate trust level is too hight.
As far as I can see everything works exactly the same now on my 8.1 dev
machine as it did last month and last year for SHA1 code signed
installers<g>
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
NewsArchive
01-05-2016, 03:59 AM
> As far as I can see everything works exactly the same now on my 8.1 dev
> machine as it did last month and last year for SHA1 code signed
> installers<g>
Just wait for it<g>...
https://www.youtube.com/watch?v=bW7Op86ox9g
:-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.com - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.