PDA

View Full Version : Dual vs. SHA2 code signing



NewsArchive
12-08-2016, 03:32 AM
Hi Friedrich,

My client is using a dual code signing certificate and he noticed that
recently he is getting the "unknown publisher" warning in Windows 10.

So we did a test using my Build Automator install. I have one install
with dual code signing and one with my latest certificate which is SHA2
only.

The results: http://www.screencast.com/t/a57gF4yaqJB

The dual code signed one was fine, but the SHA2 only is showing the
"dangerous app" warning! This is on Windows 10 Home 64bit with all the
latest updates (checked as of yesterday afternoon)

I have smartscreen turned ON on my machine, but for the dual code signed
install it does not show up and I get the same UAC screen as for the
dual code signed.

Where is all this going??? Can we expect to get all installs
intercepted by SmartScreen every time a new build goes out or what can
we do?

Does my client need a SHA2 only certificate to code sign his installs?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-08-2016, 03:34 AM
Does the same thing happen if you extract the setup from a zip file
instead of downloading directly?

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
12-08-2016, 09:16 AM
Hi Arnor,

> My client is using a dual code signing certificate and he noticed that
> recently he is getting the "unknown publisher" warning in Windows 10.
>
> So we did a test using my Build Automator install. I have one install
> with dual code signing and one with my latest certificate which is SHA2
> only.

It's very well possible that this is a "reputation" thing. Did you
code-sign the "dual" signed and the "SHA-2 only" signed app with the *SAME*
(your latest) certificate? You said "...and one with my latest
certificate...", that's why I am asking.

Friedrich

NewsArchive
12-09-2016, 07:09 AM
Hi Jeff,

> Does the same thing happen if you extract the setup from a zip file
> instead of downloading directly?

Good question and I don't have the answer. Realized that I was running
this from my hard drive while my client downloaded. Will zip up the
SHA2 one and ask him to re-test it.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-09-2016, 07:10 AM
Hi Friedrich,

> It's very well possible that this is a "reputation" thing. Did you
> code-sign the "dual" signed and the "SHA-2 only" signed app with the *SAME*
> (your latest) certificate? You said "...and one with my latest
> certificate...", that's why I am asking.

Sorry, wasn't clear. No, the dual signed was from February with
certificate from 2015. The SHA2 is with a month old certificate.

When *I* run those installs from my local drive they both behave the same.

But my client's software even when (apparently) successfully code
signed, is showing "Unknown developer" when he runs his install. I've
instructed him to check the properties of the installer exe, but have
not heard back.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-09-2016, 07:10 AM
Hi Arnor,

> But my client's software even when (apparently) successfully code signed,
> is showing "Unknown developer" when he runs his install.
> I've instructed him to check the properties of the installer exe,
> but have not heard back.

Aha, okay! In this case it is a root certificate issue (he did not check
for updates for some time) or the root certificate update failed.

Friedrich

NewsArchive
12-09-2016, 07:10 AM
Hi Friedrich,

> My client is using a dual code signing certificate and he noticed that
> recently he is getting the "unknown publisher" warning in Windows 10.

This get's more bizarre!

My client checked the properties on his install. Both SHA1 and SHA256
signatures are present. When he goes into the Details it says "Digital
Signature Information" and below "This digital signature is not valid."
If he goes to view the certificate it says "The digital signature of the
object did not verify" The issuer and valid from/to dates are all there
and all correct.

On my installs I get "This digital signature is OK" on both SHA1 and
SHA256 signatures.

What is going on?

Note: This started happening for him about two months ago. Prior to
that there was no problem. Neither the certificate nor the SB script
has changed. The certificate is valid from January 2016 until January
2019. Code signing was done on December 2nd, 2016.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-09-2016, 07:11 AM
Arnor,

I wonder if his root certificates are messed up or if someone has
tampered with the file after it was signed.

If it were me I'd get a zip of his copy of the file and do a byte
level compare against YOUR copy.

But Friedrich will probably have something better to suggest!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
12-09-2016, 07:11 AM
Lee,

>
> But Friedrich will probably have something better to suggest!<g>
>

IMO, it's a typical root certificate "NOT-up-to-date" issue. I ran into
this myself some weeks ago. I had a virtual machine active for two weeks
and web update service was disabled (I needed a specific Windows system
state). Suddenly, it began to display the "Unknown Publisher" warning on
quite a few code-signed .EXE files. I enabled the web update service and 10
minutes later it worked fine again.

Arnor said: "Note: This started happening for him about two months ago.
Prior to that there was no problem." Similar or same scenario <g>

Friedrich

NewsArchive
12-09-2016, 07:12 AM
Hi Arnor,

> What is going on?

I think I know what is going on.

From time to time, Windows requests a trusted root certificate update (it
needs this to detect revoked certificates, etc.). I think your customer did
not check for updates for a long time (or something went wrong during his
last root certificate update). In other words, this machine is not
up-to-date via Windows Update, especially the Root Certificates part.

This has absolutely nothing to do with the signed .EXE or the certificate.

To solve this issue, he needs the Root Certificate updates. It's standard
Windows behavior for 13+ years now. If the root certificates are not
up-to-date, Windows might display "Unknown Publisher" (to protect the user).
If the machine is not up-to-date, it is impossible to detect code signed
with a revoked certificate.

http://www.lindersoft.com/forums/showthread.php?39575-Code-Signing-Publisher-will-not-appear-on-Open-File-screen-for-windows-7&p=71178#post71178

Does this help?

BTW, as far as I know, Root Certificate Updates are *not* optional on
Windows 10.

Friedrich

NewsArchive
12-11-2016, 11:08 AM
Hi Friedrich,

> last root certificate update). In other words, this machine is not
> up-to-date via Windows Update, especially the Root Certificates part.

I've forwarded this to him. I'm pretty sure he said this machine is up
to date, but I may have misunderstood.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-11-2016, 11:09 AM
Hi Lee,

> I wonder if his root certificates are messed up or if someone has
> tampered with the file after it was signed.

My bet would be the root certificate. He builds the installs and he was
checking a new install.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-11-2016, 11:09 AM
Hi Friedrich,

> From time to time, Windows requests a trusted root certificate update (it
> needs this to detect revoked certificates, etc.). I think your customer did
> not check for updates for a long time (or something went wrong during his
> last root certificate update). In other words, this machine is not
> up-to-date via Windows Update, especially the Root Certificates part.

Is there a way to check that or force W10 to update the root certificate?

The best he knows this machine should be updating automatically.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-11-2016, 11:09 AM
Hi Arnor,

> Is there a way to check that or force W10 to update the root certificate?
>
> The best he knows this machine should be updating automatically.

On Wednesday, November 16, 2016, Microsoft released a planned update to the
Microsoft Trusted Root Certificate Program. Perhaps this has failed on his
machine?

http://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx

Friedrich

NewsArchive
12-13-2016, 03:16 AM
Hi Friedrich,

> On Wednesday, November 16, 2016, Microsoft released a planned update to the
> Microsoft Trusted Root Certificate Program. Perhaps this has failed on his
> machine?

Would this cause a problem with VERIFYING or with SIGNING?

We have tried the installer on various machines and the results are
always the same. The installer exe file properties say the signature is
not valid. When run, the installer says the publisher is unknown.

The install IS code signed but it is not recognized as having valid
signature on any of the computers we have tried. My dev computer is
100% up to date and so is my server and they both say the signature is
not valid.

When I right click on the installer and go to properties, then Digital
Signatures, select either the SHA1 or SHA256 from the signature list and
go to "Details" they both show "This digital signature is not valid" If
I click on "View the certificate" I get "The digital signature of the
object did not verify."

The date range of the certificate is 1/12/2016 to 1/12/2019 so it is
definitely valid.

My client is still hunting down if he has actually code signed
successfully with this certificate before. I'm starting to wonder if
the certificate is bad. I've been over his SB script which looks 100%
correct for dual signing.

Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-13-2016, 03:18 AM
Hi Friedrich,

> My client is still hunting down if he has actually code signed
> successfully with this certificate before.

This certificate was used to codesign installs back in February and
again in May. The installers from the May batch all show that the
signature is OK. The installers from now all show the signature being
invalid.

See: http://screencast.com/t/SmDKBjnkpHq

Left is the screenshot from the May install, right is the screenshot
from the December install.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-13-2016, 12:14 PM
Hi Arnor,

> Left is the screenshot from the May install, right is the screenshot from
> the December install.

hmmm, perhaps the certifier has processed a revocation request and revoked
the certificate? Can you send me a link to an .exe?

Friedrich

NewsArchive
12-14-2016, 03:30 AM
Hi Friedrich,

> hmmm, perhaps the certifier has processed a revocation request and revoked
> the certificate? Can you send me a link to an .exe?

I ran SignTool verification on the install. After listing 3 items in
the certificate chain, it showed:

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signature Index: 1

Question is how the heck can he fix this???

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-14-2016, 03:30 AM
Arnor,

Are you using the /pa switch with signtool?

Try

signtool verify /pa /v /all MyFine.exe

Run it first against one of your own known-good signed objects so you can
verify the command.

jf

NewsArchive
12-14-2016, 09:58 AM
Hi Arnor,

> Question is how the heck can he fix this???

okay, here we go <g>.

First of all, it has absolutely *nothing* to do with his certificate. The
certificate is perfectly valid and the code-signing process worked as
expected.

The SHA-1 and SHA-2 signatures of his setup.exe are *not* valid (see
"bad1.png" and "bad2.png"). But I installed his product on a VM and the
generated uninstall.exe has good SHA-1 and SHA-2 signatures (see
"good1.png" and "good2.png").

Hmmm, so what does it mean <g>?

1. The certificate is valid and not revoked.

2. The code-signing process worked fine. Otherwise, uninstall.exe would not
have valid signatures.

3. "Something" changed the binary contents of the setup.exe *AFTER* the
code-signing process.

The code-sign verification in Windows detected a tampered, hacked,
incomplete or virus infected file.

EXAMPLE: my code-signed SetupBuilder install image ("original.png") has
valid signatures. Then I changed ONE byte and see what happens
("onebytechanged.png") -- "The digital signature is not valid". As a
result, the Publisher is "Unknown" (see "unknown.png").

IMO, "something" changed the binary contents of the setup.exe 'stub' (after
the compilation / code-signing process). Nothing changed the .exe archive
(which holds the script code and all the files to be installed in a
compressed format) because the Integrity Check of SetupBuilder does not
complain. Is he virus free?

Friedrich

NewsArchive
12-14-2016, 09:59 AM
And wait a minute. Very interesting.

See the signing time of his "setup.exe" and the "uninstall.exe"!

setup.exe is signed 5:08:14 PM (SHA-1) and 5:08:21 PM (SHA-2). The
uninstall.exe is signed 8:08:11 AM (both SHA-1 and SHA-2). Please remember:
both .exe files are code-signed in the same SB compilation process.

But eight (8) hours after the original setup.exe/uninstall.exe code-signing
process, "something" re-signed the original setup.exe. He has to find out
what causes this!

Friedrich

NewsArchive
12-14-2016, 12:58 PM
Hi Friedrich,

> setup.exe is signed 5:08:14 PM (SHA-1) and 5:08:21 PM (SHA-2). The
> uninstall.exe is signed 8:08:11 AM (both SHA-1 and SHA-2). Please remember:
> both .exe files are code-signed in the same SB compilation process.
>
> But eight (8) hours after the original setup.exe/uninstall.exe code-signing
> process, "something" re-signed the original setup.exe. He has to find out
> what causes this!

I've forwarded all this.

9 hours - 08:08:11 - 17:08:14 (I live by 24 hour clocks;)

What I find interesting is that the "later" time stamp is almost to the
second 8 hours after the "earlier" one. That would be one heck of a
coincidence... Is is possible that some kind of time zone issue is
messing this up? With the uninstall at 08:11 and the main exe at 08:14
and 08:21 it is in the right minute/second order...

This is rapidly moving up on my weirdometer scale!

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-14-2016, 01:30 PM
Hi Arnor,

>
> 9 hours - 08:08:11 - 17:08:14 (I live by 24 hour clocks;)
>

Of course, you are right <g>. It's 9 hours :-)

> What I find interesting is that the "later" time stamp is almost to the
> second 8 hours after the "earlier" one. That would be one heck of a
> coincidence... Is is possible that some kind of time zone issue is
> messing this up? With the uninstall at 08:11 and the main exe at 08:14
> and 08:21 it is in the right minute/second order...

And again, you are right. Too much coffee or not enough <g>. It's very
well possible this is a time zone issue. And not related to the "real"
problem.

The real problem is that "something" manipulated the executable stub (first
~180KB, not the archive part ~180KB - 17.8MB) *after* the code-signing
process (it changed one or more bytes). This "broke" the signatures. In
other words, the binary contents of the setup.exe signed by the certificate
does not equal the binary contents of the setup.exe that we have now. The
uninstall signatures (included in the main setup.exe) is okay and nothing
changed.

You can reproduce this: create a simple setup.exe and let SB code-sign it.
Now use a HexEdit program to change one byte. This will give you the same
"This digital signature is not valid" and the "Unknown" publisher warning.

Friedrich

NewsArchive
12-15-2016, 03:58 AM
Hi Friedrich,

> The real problem is that "something" manipulated the executable stub (first
> ~180KB, not the archive part ~180KB - 17.8MB) *after* the code-signing
> process (it changed one or more bytes). This "broke" the signatures. In
> other words, the binary contents of the setup.exe signed by the certificate
> does not equal the binary contents of the setup.exe that we have now. The
> uninstall signatures (included in the main setup.exe) is okay and nothing
> changed.

I have forwarded this, thank you so much for all the information!

I did a byte comparison on the 2016 and 2017 versions, as well as other
installers for 2016 and couple of my own installers. There are some
bytes that change in the stub, but there is nothing that jumps out in
this installer. It's mostly all the same bytes that differ from one
installer to the other, at least as far as I compared.

Wouldn't the integrity check catch it if bytes had changed?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-15-2016, 05:51 AM
Hi Arnor,

> I have forwarded this, thank you so much for all the information!
>
> I did a byte comparison on the 2016 and 2017 versions, as well as other
> installers for 2016 and couple of my own installers. There are some bytes
> that change in the stub, but there is nothing that jumps out in this
> installer. It's mostly all the same bytes that differ from one installer
> to the other, at least as far as I compared.

The binary contents of an executable changes with each and every compile and
code-signing process. You'll never get the same binary contents twice
(because the stub time stamping and code-signing actions always generate
different code).

In your specific case, the checksum/hash of the original setup.exe and the
setup.exe that has the invalid code-signature does NOT match! Because the
SB integrity check does not abort the install, the binary contents of the
archive is 100% correct. But the stub part changed after the code-signing
process and Windows Authenticode technology detected this modification.

>
> Wouldn't the integrity check catch it if bytes had changed?
>

The internal "integrity check" can only detect post-compile changes in the
"archive" part of the setup.exe (which holds the runtime, the encrypted
script logic, the libraries, and files to be installed). That's the
location directly after the installer stub.

The SB linker automatically adds a default stub program to the setup
application. It is responsible for loading data into memory and performing
all of the initialization stuff. The stub contains the statement like "This
application is not supported on this version of Windows".

To detect changes in the stub, you can use the "Verify Trust
[Code-signature]" script function.

http://www.lindersoft.com/forums/showthread.php?43842-Corrupt-download-Insert-Disk-One&p=78775#post78775

http://www.lindersoft.com/forums/showthread.php?35474-New-security-function-in-SetupBuilder-7-7&p=64115#post64115

http://www.lindersoft.com/forums/showthread.php?47084-An-alternative-guide-to-code-signing&p=86152#post86152

http://www.lindersoft.com/forums/showthread.php?47084-An-alternative-guide-to-code-signing&p=86153#post86153

Does this help?

Friedrich

NewsArchive
12-15-2016, 12:04 PM
Hi Friedrich,

> In your specific case, the checksum/hash of the original setup.exe and the
> setup.exe that has the invalid code-signature does NOT match! Because the
> SB integrity check does not abort the install, the binary contents of the
> archive is 100% correct. But the stub part changed after the code-signing
> process and Windows Authenticode technology detected this modification.

Makes perfect sense. I've never looked at the installers in a binary
viewer so was curious:)

I will forward this to my client. I'm clueless what the reason for this
change may be. Virus, malware, drive going bad were my suggestions.
I'd be very surprised for the first two, but we have had couple of
critters get on our machines - last time was in 2009 I think. One was
so pesky that the drive ended up under my sledgehammer;)

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-15-2016, 12:05 PM
Hi Arnor,

> Makes perfect sense. I've never looked at the installers in a binary
> viewer so was curious:)
>
> I will forward this to my client. I'm clueless what the reason for this
> change may be. Virus, malware, drive going bad were my suggestions. I'd
> be very surprised for the first two, but we have had couple of critters
> get on our machines - last time was in 2009 I think. One was so pesky
> that the drive ended up under my sledgehammer;)

Please keep us posted. Very interesting case :-)

Friedrich

NewsArchive
12-16-2016, 02:20 AM
Hi Friedrich,

> Please keep us posted. Very interesting case :-)

I'd much rather have boring cases - done with interesting;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-16-2016, 12:41 PM
Hi Arnor,

>> Please keep us posted. Very interesting case :-)
>
> I'd much rather have boring cases - done with interesting;)

;-)

BTW, I have added a new "Verify Code-Signed Install at Startup" option.
This will check the status of a code-signed file and abort the install if
the signature is invalid (modified, hacked, incomplete or virus infected
installation image).

Friedrich

NewsArchive
12-16-2016, 12:41 PM
Hi Friedrich,

> BTW, I have added a new "Verify Code-Signed Install at Startup" option.
> This will check the status of a code-signed file and abort the install if
> the signature is invalid (modified, hacked, incomplete or virus infected
> installation image).

Cool! I would definitely turn that on as I don't want installers that
are code signed but cannot be verified for whatever reason!

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-17-2016, 09:24 AM
Hi Friedrich,

> Please keep us posted. Very interesting case :-)

After my client had gone through everything, virus scanned everything
(all clean) he realized that AVG was blocking his attempts to connect to
his server on another PC. So for fun he tried the code signing with AVG
turned OFF. Everything worked and the signature is now reported OK.

So after more than a week of head scratching and panic: AVG somehow
messed up the installers after they were code signed. Code signing and
antivirus are now residing at the bottom of the same barrel in my book<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-17-2016, 09:26 AM
Arnor,

> After my client had gone through everything, virus scanned everything
> (all clean) he realized that AVG was blocking his attempts to connect to
> his server on another PC. So for fun he tried the code signing with AVG
> turned OFF. Everything worked and the signature is now reported OK.
>
> So after more than a week of head scratching and panic: AVG somehow
> messed up the installers after they were code signed. Code signing and
> antivirus are now residing at the bottom of the same barrel in my book<g>

I've used AVG for years and never had it get in the way. I wonder if
your client has a different setup than I do?

Lee White

NewsArchive
12-17-2016, 09:26 AM
Hi Lee,

> I've used AVG for years and never had it get in the way. I wonder if
> your client has a different setup than I do?

Good question - I'll forward your screenshots to him. I used AVG for a
while and don't remember why I stopped. I haven't had the greatest
experiences with AV programs in general!

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-17-2016, 09:27 AM
> Cool! I would definitely turn that on as I don't want installers that
> are code signed but cannot be verified for whatever reason!

Hopefully Friedrich will turn it ON by default.


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ImageEx, ProScan, ProImage, ProPath and other
Clarion developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
12-17-2016, 09:28 AM
Arnor,

If not a setting they should, at minimum, check their reports to see
why the file was modified.

Lee White

NewsArchive
12-26-2016, 12:10 PM
Hi Friedrich,

> Please keep us posted. Very interesting case :-)

My client has tested various settings in AVG and no matter what he has
tried, if AVG is turned ON, the signature gets messed up, if it's turned
OFF it's OK. No reports are generated. No indication in AVG that it
did anything, no warnings, no popups, no nothing - with or without the
"Fix automatically" turned on or off. He uploaded the good install to
VirusTotal and it was reported clean by all 56 virus checker.

I think from now on I will use your new feature to verify the signature!
It will make sure that installers aren't tampered with to a point that
the signature becomes invalid.

On that same subject but not related to SB: How can I verify that MY
executables have a valid signature from within my code? WinVerifyTrust?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:12 PM
Hi Arnor,

> My client has tested various settings in AVG and no matter what he has
> tried, if AVG is turned ON, the signature gets messed up, if it's turned
> OFF it's OK. No reports are generated. No indication in AVG that it did
> anything, no warnings, no popups, no nothing - with or without the "Fix
> automatically" turned on or off. He uploaded the good install to
> VirusTotal and it was reported clean by all 56 virus checker.

Thanks for the update. That means AVG modifies the code-signed files
without any warning. Unbelievable!!!! In other words, it has absolutely
nothing to do with his certificate or a virus infected environment. AVG is
the culprit - AVG is "the virus". And the "Heal / remove virus infection
without asking me" option that Lee posted is a nightmare (IMO). VirusTotal
can't detect such a runtime false-positive bug in this case. AVG has a big
big big bug here. WOW! AVG modifies the files in the background,
completely behind the scenes. And I am sure it does it not only on
code-signing processes. It can even happen during a Visual Studio, Clarion,
Delphi, etc. compilation process. Or a Microsoft Word save process, PDF
generation, etc. etc. OMG :-( I would stop using AVG immediately.

> I think from now on I will use your new feature to verify the signature!
> It will make sure that installers aren't tampered with to a point that the
> signature becomes invalid.
>
> On that same subject but not related to SB: How can I verify that MY
> executables have a valid signature from within my code? WinVerifyTrust?

Yes, WinVerifyTrust is the way to go.

Friedrich

NewsArchive
12-26-2016, 12:13 PM
Friedrich,

> Thanks for the update. That means AVG modifies the code-signed files
> without any warning. Unbelievable!!!!

Careful now. I've used AVG for years and none of my signed files fail.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
12-26-2016, 12:14 PM
Hi Lee,

>> Thanks for the update. That means AVG modifies the code-signed files
>> without any warning. Unbelievable!!!!
>
> Careful now. I've used AVG for years and none of my signed files fail.

Well, then it was only luck, IMO.

What a nightmare scenario! User has "Heal / remove virus infection without
asking me" enabled. AVG introduces a false-positive bug in one of their
virus definition updates (e.g. a specific byte combination for given
virus). You compile or download a file and AVG detects this specific byte
combination in the file *and* removes the "virus". Remember: it was not a
virus but a false-positive. It modifies the binary contents of a previously
valid file without asking :-(

It's only a question of time before you compile or download a file that
triggers a false-positive action on a perfectly valid file and then BANG....

Friedrich

NewsArchive
12-26-2016, 12:15 PM
Hi Friedrich,

> code-signing processes. It can even happen during a Visual Studio, Clarion,
> Delphi, etc. compilation process. Or a Microsoft Word save process, PDF
> generation, etc. etc. OMG :-( I would stop using AVG immediately.

It is definitely a very uncomfortable discovery and makes one wonder
what ELSE it may have messed with on other machines. My client can go
back and forth, turn AVG on or off and the signature is valid or not
depending on if AVG is on or off.

> Yes, WinVerifyTrust is the way to go.

Thanks. This whole thing has made me want to make sure that whatever
executables and dlls I code sign and distribute are OK. I compile
programs for couple of other clients and this is just making me
concerned. What if some anti-virus is messing with the binary code?
People that are not computer savvy may not notice at all if the
prompts/windows they get when starting the software changes!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:17 PM
Hi Arnor,

>> Yes, WinVerifyTrust is the way to go.
Take a look at this post on the comp.lang.clarion newsgroup

'CrypQueryObject DLL for Clarion' 05/Sept/2016

https://dl.dropboxusercontent.com/u/32320974/IQCQO.zip

It may be of use and save you re-inventing the wheel :-)

Graham

NewsArchive
12-26-2016, 12:17 PM
Hi Graham,

> Take a look at this post on the comp.lang.clarion newsgroup

Thanks! I will. I knew someone had been messing with this before but
didn't remember who/where.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:18 PM
Hi Lee,

> Careful now. I've used AVG for years and none of my signed files fail.

Are you sure that none of them have been tampered with? Maybe there are
other things at play here, but from where I'm sitting this is pretty
rock solid. AVG on - fails. AVG off - OK.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:19 PM
Arnor,

> > Careful now. I've used AVG for years and none of my signed files fail.
>
> Are you sure that none of them have been tampered with?

Absolutely. Ran about 30 scripts recently just to test and none of
them were altered.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
12-26-2016, 12:21 PM
Hi Lee,

> Absolutely. Ran about 30 scripts recently just to test and none of
> them were altered.

Good! I don't know what this is but it's pretty bad.

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:21 PM
Arnor,

> > Absolutely. Ran about 30 scripts recently just to test and none of
> > them were altered.
>
> Good! I don't know what this is but it's pretty bad.

It's got to be an option somewhere that's different otherwise I'd have
run across it too!<g>

Enjoy the Holidays, my friend.

Lee

NewsArchive
12-26-2016, 12:22 PM
Hi Lee,

> It's got to be an option somewhere that's different otherwise I'd have
> run across it too!<g>

It could be something else that my client has that messes up AVG or
whatever. I have only once seen a program modify files and that was
Kaspersky 6. Not going into that miserable story, but suffice to say I
will not touch that software with a 10' pole.

> Enjoy the Holidays, my friend.

You too! Take some time off!<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:24 PM
> It's got to be an option somewhere that's different otherwise I'd have
> run across it too!<g>

I may have figured it out... I think.<g>

My SB scripts and the resulting install EXE's are in an excluded
folder. My DEV folders are NOT excluded so they are checked for
viruses but my script folder, where the EXE's are created and the
subfolder where the signed DLL's are created, are excluded.

I also have all "automatic" fixes turned off. I get notifications and
make the choices if any exist - which they haven't for a long time!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
12-26-2016, 12:25 PM
Hi Lee,

> My SB scripts and the resulting install EXE's are in an excluded
> folder. My DEV folders are NOT excluded so they are checked for
> viruses but my script folder, where the EXE's are created and the
> subfolder where the signed DLL's are created, are excluded.

Could be. But even with the setting unchecked to fix silently, AVG did
not report anything.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:27 PM
Everyone has their horror stories. Mine are Norton, McAfee, AVG, and
Vipre. I use Kaspersky on all of my windows boxes and haven't had any
known issues from XP to 10.

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
12-26-2016, 12:28 PM
Hi Jeff,

> Everyone has their horror stories. Mine are Norton, McAfee, AVG, and
> Vipre. I use Kaspersky on all of my windows boxes and haven't had any
> known issues from XP to 10.

If you went from versions 5 to 6 you would have noticed a very, very
noticeable time it took to update! The suggested time for me hovered
between 36 and 48 hours. Reason being that version 5 attached ADS to
every single file and version 6 removed it!

But it is interesting how different AV work on different systems. Avast
has had bad reputation here for a long time. I've been using it for the
past two years and have only had one issue with it when the settings
database on one computer became corrupt during an update. Changed one
setting back and forth and it updated itself correctly.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-26-2016, 12:30 PM
Arnor,

> Could be. But even with the setting unchecked to fix silently, AVG did
> not report anything.

All I can report is that it has never caused me any problems. In other
words, WOMM!<g>

Apparently it does not on others... not to belittle anything but that
isn't my problem nor ever has been.

Lee

NewsArchive
12-26-2016, 12:31 PM
As long as you don't step over this line in the sand.<g>

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
12-26-2016, 12:31 PM
Jeff,

> As long as you don't step over this line in the sand.<g>

Exactly!<g>

Lee White

NewsArchive
12-26-2016, 12:38 PM
> Absolutely. Ran about 30 scripts recently just to test and none of
> them were altered.

I think that is because AVG is still trying to get it's head around the
fact that your desktop looks like Windows 95 instead of being all purdy<g>.


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ImageEx, ProScan, ProImage, ProPath and other
Clarion developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
12-26-2016, 12:38 PM
https://www.youtube.com/watch?v=yBAYiBoy43M

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
12-26-2016, 12:39 PM
Charles,

> I think that is because AVG is still trying to get it's head around the
> fact that your desktop looks like Windows 95 instead of being all purdy<g>.

I'll have you know it's a customized Classic, not OEM!<g>

Merry Christmas, my friend.

Lee

NewsArchive
12-26-2016, 12:39 PM
>> I think that is because AVG is still trying to get it's head around the
>> fact that your desktop looks like Windows 95 instead of being all purdy<g>.
>
> I'll have you know it's a customized Classic, not OEM!<g>

LOL - I'm sure!


> Merry Christmas, my friend.

The same to you and your's Lee!


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ImageEx, ProScan, ProImage, ProPath and other
Clarion developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
12-26-2016, 12:41 PM
> All I can report is that it has never caused me any problems. In other
> words, WOMM!<g>
>
> Apparently it does not on others... not to belittle anything but that
> isn't my problem nor ever has been.

I suppose that second sentence could be taken the wrong way but
shouldn't. It's a reiteration of the first and I -did- say "not to
belittle" meaning it may well be someone's problem but it AIN'T one on
my system.<g>

It's overcast and gloomy here and a welcome sight - we still need a
lot of rain. What's crazy is that it's supposed to get close to 70F on
Christmas Day which is just WRONG! Granted I live in the South but 70,
come'on!!!!<g>

HAPPY HOLIDAYS!

Lee

NewsArchive
12-26-2016, 12:43 PM
> Everyone has their horror stories. Mine are Norton, McAfee, AVG, and
> Vipre. I use Kaspersky on all of my windows boxes and haven't had any
> known issues from XP to 10.

Let me add avast! to the list of horror stories <g>

Friedrich

NewsArchive
12-26-2016, 12:46 PM
Friedrich, Arnor,

I just copied my DEV folder to a drive that's not excluded by AVG.

Deleted all the signed DLL's for RPM.

Deleted the signed RPM install EXE and everything related to SB except
the script.

Ran a full AVG scan of the folder hierarchy.

Ran the install script and compiled.

Checked the DLL's and install EXE and they are properly signed.

Ran a full AVG scan of the folder hierarchy.

Checked the DLL's and install EXE and they are still properly signed.

Give me something else to test and I will.


Until then<g>... Merry Christmas, Happy Holidays and be safe!

Lee

NewsArchive
12-26-2016, 12:47 PM
> Ran the install script and compiled.

The results of the compile are attached if that's of any help.

Lee

NewsArchive
12-27-2016, 04:34 AM
Hi Friedrich,

> Let me add avast! to the list of horror stories <g>

I have used Avast for the past two years and have not had any problems
with it! Just goes to show what works for one, does not mean it will
work for another<bg>

Best regards

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-27-2016, 04:36 AM
Hi Lee,

> I suppose that second sentence could be taken the wrong way but
> shouldn't. It's a reiteration of the first and I -did- say "not to
> belittle" meaning it may well be someone's problem but it AIN'T one on
> my system.<g>

No problem :) Sometimes things work for me that don't work for others
and the other way around. Working with code for 30+ years has taught me
that the underlying structure in programming in sprinkled with a good
dose of chaos<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
12-27-2016, 04:37 AM
So is an electron really a particle or a wave????? <g>

Jane Fleming

>Working with code for 30+ years has taught me
>that the underlying structure in programming in sprinkled with a good
>dose of chaos<g>

>Best regards,

>--
>Arnor Baldvinsson
>Icetips Alta LLC

NewsArchive
12-27-2016, 04:38 AM
Jane,

> So is an electron really a particle or a wave????? <g>

The election is over, leave it be... oh, "electron", never mind!<g>

NewsArchive
12-27-2016, 04:38 AM
There's a pill for that

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
12-27-2016, 04:38 AM
Jeff,

> There's a pill for that

Seek medical help for an electron lasting more than 4 hours!

NewsArchive
12-27-2016, 04:39 AM
Oh, puleeze!

Electoral dysfunction??? <g>

Jane Fleming

NewsArchive
12-27-2016, 04:40 AM
Jane Fleming

NewsArchive
12-27-2016, 04:45 AM
(hush!)

NewsArchive
12-27-2016, 04:46 AM
Why don't you knock it off with them negative waves? <g>

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
12-27-2016, 04:46 AM
Jeff,

> Why don't you knock it off with them negative waves? <g>

A classic movie!!!

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"