SHA-1 code signing works! What's wrong?



NewsArchive
01-05-2016, 04:24 AM
Happy new year! ;-)

I code-signed a freshly compiled EXE of mine with my SHA-1 certificate
from Comodo (using signtool).. and it works, it produced a valid
digital signature which I can see in the right-click properties of the
EXE.
What's wrong? Why all this trouble here before?
Regards, Thomas

NewsArchive
01-05-2016, 04:24 AM
> Happy new year! ;-)

The same to you Thomas!


> I code-signed a freshly compiled EXE of mine with my SHA-1 certificate
> from Comodo (using signtool).. and it works, it produced a valid
> digital signature which I can see in the right-click properties of the
> EXE.
> What's wrong? Why all this trouble here before?

Microsoft has deprecated SHA-1 certificates.

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

This means that any modern OS will no longer trust files code-signed by one
of them after January 17th according to this update:

https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/


The bottom line is, if you want your files to be able to be installed
without question then you need to ask for your SHA-1 certificate to be
replaced with a SHA-2 one, or just go ahead and renew your certificate (the
new one will be SHA-2).


Then it seems the best course of action is to use SetupBuilder for "dual"
code signing (SHA-1 + SHA-2). This will allow your files to be installed
on the modern OSes and also on Windows XP (if you still support that).


With dual code signing, when you look on the Digital Signatures tab of the
properties of the signed file, you will see two entries (sha1 and sha256).

Does that help?

Charles




--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.com - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
01-05-2016, 04:24 AM
I think, Thomas, that the question was not whether you could sign with
SHA-1, but rather whether Windows would reject the signature if you tried
to, for example, run an installation program or something else that needs to
be signed.

But read here of Friedrich's "January Surprise":
http://www.lindersoft.com/forums/showthread.php?47034-SHA-1-times-tamped-in-2016

The latest I've seen is this Microsoft page from last week:
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

jf

NewsArchive
01-05-2016, 04:25 AM
> What's wrong? Why all this trouble here before?

To add some more complexity to the SHA-1 discussions, the loss of trust will
only happen with SHA-1 signed executables (without a timestamp or a
timestamp after 1/1/2016) and with a "Mark of the Web" attribute. A "Mark
of the Web" attribute means that the executable is flagged as downloaded
from an untrusted source (e.g. the Internet). Code signature status
behavior might depend on specific Policy settings and Trusted Zones, and
SmartScreen data may be used to allow certificates with good reputation.

And the date (1/1/2016) was not set in stone. Rumors are that MS will make
web updates available "soon".

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
01-05-2016, 04:26 AM
OMG..

Friedrich!
Assuming we are speaking only of Win 7 and above..
1. I don't need dual signing?
2. Am I totally on the right side with a SHA-2 (or 256)/timestamped
certificate?
3. If I buy a new one now or renew before the end of my existing one, will I
get the proper SHA-2 (or 256) Comodo certificate from your shop?
4. In a multi-DLL app my EXE and all my DLLs will be code
signed/timestamped, so the process is created with a valid certification.
What happens if I must use non-code-signed DLLs from third parties over
which I have no influence?
TIA Thomas

NewsArchive
01-05-2016, 04:26 AM
Thomas,

> Assuming we are speaking only of Win 7 and above..
> 1. I don't need dual signing?

If you have to support Windows 7 (with no service pack) then you also need
"dual" SHA-1/SHA-2 code-signatures. Windows 7 SP1 and later support SHA-2
without any problem.

> 2. Am I totally on the right side with a SHA-2 (or 256)/timestamped
> certificate?

On Windows 7 SP1 and later, yes.

> 3. If I buy a new one now or renew before the end of my existing one, will I
> get the proper SHA-2 (or 256) Comodo certificate from your shop?

Yes. You'll receive a SHA-2 based code-signing certificate from Comodo.

> 4. In a multi-DLL app my EXE and all my DLLs will be code
> signed/timestamped, so the process is created with a valid certification.
> What happens if I must use non-code-signed DLLs from third parties over
> which I have no influence?

Sooner or later, anti-virus and anti-spyware might move your DLLs into
quarantine. I would contact the vendor of the DLLs and ask for code-signed
components.

Friedrich


NewsArchive
01-05-2016, 04:27 AM
Hi Friedrich,
>> Assuming we are speaking only of Win 7 and above..
>> 1. I don't need dual signing?
>
> If you have to support Windows 7 (with no service pack) then you also need
> "dual" SHA-1/SHA-2 code-signatures. Windows 7 SP1 and later support SHA-2
> without any problem.
>
>> 2. Am I totally on the right side with a SHA-2 (or 256)/timestamped
>> certificate?
>
> On Windows 7 SP1 and later, yes.
>
>> 3. If I buy a new one now or renew before the end of my existing one, will I
>> get the proper SHA-2 (or 256) Comodo certificate from your shop?
>
> Yes. You'll receive a SHA-2 based code-signing certificate from Comodo.
Thanks for the clarification. I'll go the SHA-2 route.

>> 4. In a multi-DLL app my EXE and all my DLLs will be code
>> signed/timestamped, so the process is created with a valid certification.
>> What happens if I must use non-code-signed DLLs from third parties over
>> which I have no influence?
>
> Sooner or later, anti-virus and anti-spyware might move your DLLs into
> quarantine. I would contact the vendor of the DLLs and ask for code-signed
> components.
I'm glad that you let me ask.. <ROFL> What about lspack32/lsunpa32? ;-)
What about Freeimage or zlib or zlibwapi or libssl (and co)..
What about CLAnet, CLAWE.. (but with Capesoft this would be our smallest
problem)
And I see so many old code-signed DLLs for which the right-click shows "The
digital signature is valid" but the ending time passed years ago.. without
any problems..

We are manoeuvring ourselves into a non-practical state.. :(
Ciao, Thomas

NewsArchive
01-05-2016, 04:30 AM
Thomas Glomb,

> And I see so many old code-signed DLLs for which the right-click shows "The
> digital signature is valid" but the ending time passed years ago.. without
> any problems..

Right click your EXE and go to properties, Digital Signatures tab.
Does it look similar to the attached Image1.png?

Now open the "Details" of that signature and then "View Certificate",
Details tab. Does it look similar to the attached Image2.png?

As I understand it if it looks like Image2.png you already have an
up-to-date certificate that's good to go.

> We are manoeuvring ourselves into a non-practical state.. :(

Signatures never "expire" once they're attached and time-stamped even
if the certificate used expires. Will older DLLs cause headaches
moving forward, sure, but their signatures will still be valid.

I bought my current certificate in December 2014 but it will remain
valid through December 2017 and supports both sha1 and sha2. In other
words don't spend money on a new certificate if your current one is
capable of still being used for sha2 signing.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
01-05-2016, 04:31 AM
Maybe that means Patch Tuesday.

>
> And the date (1/1/2016) was not set in stone. Rumors are that MS will make
> web updates available "soon".

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
01-05-2016, 04:32 AM
Hi Friedrich,

> Sooner or later, anti-virus and anti-spyware might move your DLLs into
> quarantine. I would contact the vendor of the DLLs and ask for code-signed
> components.

As of Clarion 10.0.11897 (Aug. 13th) the Clarion DLLs look to be SHA1
only. Don't know about later builds:



I'm hoping that the more recent builds have SHA1/SHA2...

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-05-2016, 04:32 AM
Hi Arnor,

> I'm hoping that the more recent builds have SHA1/SHA2...
>
> Best regards,
>

C10 build 11975 is still SHA1 only......

/Poul

NewsArchive
01-05-2016, 05:33 AM
Hi Thomas,

> I'm glad that you let me ask.. <ROFL> What about lspack32/lsunpa32? ;-)

I think we discontinued "LSPack for Clarion" in July 2000 (nearly 16 years
ago) <g>.

> What about Freeimage or zlib or zlibwapi or libssl (and co)..
> What about CLAnet, CLAWE.. (but with Capesoft this would be our smallest
> problem)
> And I see so many old code-signed DLLs for which the right-click shows "The
> digital signature is valid" but the ending time passed years ago.. without
> any problems..
>
> We are manoeuvring ourselves into a non-practical state.. :(

Yes, I agree. For some components it will be impossible to get a
code-signature directly from the vendor. And for quite a few "unsigned"
components it is illegal to add your own signature because doing so would
"manipulate" the binary contents (not allowed).

BTW, if a component is code-signed and correctly timestamped (before
1/1/2016) then the signature is valid until 1/1/2020.

Friedrich

NewsArchive
01-06-2016, 03:34 AM
Hi Poul,

> C10 build 11975 is still SHA1 only......

Thanks for letting us know. I checked the installer for 10.0.12026 and
it's also just SHA-1.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-06-2016, 03:36 AM
Hi Friedrich,

> And for quite a few "unsigned" components it is illegal to add your
> own signature because doing so would "manipulate" the binary contents
> (not allowed).

The same would hold for re-basing, I guess?

Thanks,
Simon

NewsArchive
01-06-2016, 07:28 AM
Hi Simon,

>> And for quite a few "unsigned" components it is illegal to add your
>> own signature because doing so would "manipulate" the binary contents (not
>> allowed).
>
> The same would hold for re-basing, I guess?

It depends on the license agreement. But in general, yes.

Friedrich

NewsArchive
01-13-2016, 02:44 AM
Thomas,

Here we go. Windows 10 installed a security patch this morning. I have
downloaded my test executable, code-signed with my old SHA-1 certificate on
January 05, 2016.

And here are the results.... ;-) See attached screenshots.

For code signing certificates, Windows stopped accepting SHA-1 signed code
and SHA-1 certificates that are time stamped after 1 January 2016 and have a
"Mark of the Web" attribute. A "Mark of the Web" attribute means that the
executable is flagged as downloaded from an untrusted source (e.g. the
Internet). Code signature status behavior might depend on specific Policy
settings and Trusted Zones, and SmartScreen data may be used to allow
certificates with good reputation.

SHA-1 signed code time stamped by an RFC 3161 Time Stamp Authority before 1
January 2016 will be accepted until such time when Microsoft decides SHA-1
is vulnerable to pre-image attack.

Friedrich


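For anyone who wants to see what the Digital Signatures tab shows without clicking through it, here is an added example (my code, not from the thread or from SetupBuilder) that pulls the PKCS#7 blob out of a PE file's Attribute Certificate Table and reports each signature's file-digest algorithm (sha1, sha256, or both for a dual-signed file), the number of signatures (one more per nested-signature attribute), and whether the timestamp is an RFC 3161 token or the older PKCS#9 countersignature. The OIDs are the standard ones; the minimal DER walker and the embedded SAMPLE blob are my construction, a simplified mock of the real structure rather than a genuine signature.

```python
import struct
# Added example, not from the thread. OIDs are kept as their raw DER bodies so no decoding is needed.
SHA1 = bytes.fromhex("2b0e03021a")                    # 1.3.14.3.2.26
SHA256 = bytes.fromhex("608648016503040201")          # 2.16.840.1.101.3.4.2.1
SPC_INDIRECT = bytes.fromhex("2b060104018237020104")  # 1.3.6.1.4.1.311.2.1.4  SpcIndirectDataContent
SPC_PE_IMAGE = bytes.fromhex("2b06010401823702010f")  # 1.3.6.1.4.1.311.2.1.15 SpcPeImageData
NESTED_SIG = bytes.fromhex("2b060104018237020401")    # 1.3.6.1.4.1.311.2.4.1  szOID_NESTED_SIGNATURE
RFC3161_TS = bytes.fromhex("2b060104018237030301")    # 1.3.6.1.4.1.311.3.3.1  RFC 3161 countersignature
LEGACY_TS = bytes.fromhex("2a864886f70d010906")       # 1.2.840.113549.1.9.6   PKCS#9 countersignature
DIGEST = {SHA1: "sha1", SHA256: "sha256"}

def walk_oids(der, out):                 # depth-first DER walk collecting every OID body in order
    i = 0
    while i < len(der):
        tag, ln, i = der[i], der[i + 1], i + 2
        if ln & 0x80:                    # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(der[i:i + n], "big"), i + n
        body, i = der[i:i + ln], i + ln
        if tag == 0x06:
            out.append(body)
        elif tag & 0x20:                 # constructed (SEQUENCE / SET / [n]): recurse
            walk_oids(body, out)
    return out

def classify(der):
    oids = walk_oids(der, [])
    # A file digest is the digest OID right after the SpcIndirectDataContent + SpcPeImageData
    # pair; a timestamp token's own digest OID never follows that pair, so it is not counted.
    digests = [DIGEST[oids[k]] for k in range(2, len(oids))
               if oids[k - 2:k] == [SPC_INDIRECT, SPC_PE_IMAGE] and oids[k] in DIGEST]
    ts = "rfc3161" if RFC3161_TS in oids else "legacy" if LEGACY_TS in oids else None
    return {"file_digests": digests, "signatures": 1 + oids.count(NESTED_SIG), "timestamp": ts}

def read_security_directory(path):      # PKCS#7 blob from a PE file's Attribute Certificate Table
    data = open(path, "rb").read()
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24          # e_lfanew + "PE\0\0" + COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    off, size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 32)  # dir #4
    if not size:
        return b""                                              # unsigned file
    length = struct.unpack_from("<I", data, off)[0]             # WIN_CERTIFICATE.dwLength
    return data[off + 8:off + length]                           # skip the 8-byte header

tlv = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)  # DER TLV, sample only
oid = lambda body: tlv(0x06, body)
# Constructed sample (simplified mock, not a real signature): sha1 signature + RFC 3161 timestamp + nested sha256
SAMPLE = tlv(0x30, tlv(0x30, oid(SPC_INDIRECT), oid(SPC_PE_IMAGE), oid(SHA1)),
             tlv(0xA1, tlv(0x30, oid(RFC3161_TS), tlv(0x31, tlv(0x30, oid(SHA256)))),
                       tlv(0x30, oid(NESTED_SIG), tlv(0x31, tlv(0x30, oid(SPC_INDIRECT), oid(SPC_PE_IMAGE), oid(SHA256))))))
```

Call classify(read_security_directory(path)) on a signed EXE or DLL; classify(SAMPLE) shows the output for the constructed dual-signed blob.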