New certificate - not sure if it's working correctly.
Hi Friedrich,
I just got a new Comodo certificate and extracted the .pfx file, set SB
to use signtool.exe and changed my #code-sign accordingly. No errors
(once I picked the right time server) but what I get when I do the code
signing is:
Adding Digital Certificate (Preprocessor)...
SIGNTOOL: C:\Products\BuildAutomator\Latest\Program Files\Icetips
Creative\Build Automator\BuildAutomator.exe
SHA1: 0
Code signed successfully: C:\Products\BuildAutomator\Latest\Program
Files\Icetips Creative\Build Automator\BuildAutomator.exe
I'm concerned about this SHA1: 0. I don't know what it means. The
certificate I ordered was SHA2, so I hope that's what I got - Signature
algorithm is sha256RSA and the signature hash algorithm is sha256 in the
"View" certificate in IE 11.
So - is everything correct here?
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: New certificate - not sure if it's working correctly.
Hi Friedrich
On 9/8/2015 4:16 PM, Arnor Baldvinsson wrote:
> I'm concerned about this SHA1: 0. I don't know what it means. The
> certificate I ordered was SHA2, so I hope that's what I got - Signature
> algorithm is sha256RSA and the signature hash algorithm is sha256 in the
> "View" certificate in IE 11.
>
> So - is everything correct here?
When I run Signtool verify, I get this:
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of errors: 1
Same on all the binaries I just signed - and everything else I tried...
Hmm...
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: New certificate - not sure if it's working correctly.
Hi Arnor,
> When I run Signtool verify, I get this:
>
> SignTool Error: A certificate chain processed, but terminated in a root
> certificate which is not trusted by the trust provider.
>
> Number of errors: 1
>
> Same on all the binaries I just signed - and everything else I tried...
> Hmm...
If you run the "signtool.exe verify myfile.exe" command, signtool will use
the Windows Driver Verification Policy. In order for your file to "verify"
properly you need to include the /pa switch, so that SignTool uses the
Default Authentication Verification Policy.
Friedrich
Re: New certificate - not sure if it's working correctly.
Hi Arnor,
"SHA1: 0 Code signed successfully" means that you have code-signed via SHA-1
(you did not instruct the compiler to code-sign via SHA-2) and the
Authenticode process did not report any error.
Friedrich
Re: New certificate - not sure if it's working correctly.
Hi Friedrich,
On 9/8/2015 11:30 PM, Friedrich Linder wrote:
> "SHA1: 0 Code signed successfully" means that you have code-signed via SHA-1
> (you did not instruct the compiler to code-sign via SHA-2) and the
How do you do that? I couldn't find any setting for specifying it...
See http://screencast.com/t/RuLT2sL8Ps
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: New certificate - not sure if it's working correctly.
Hi Arnor,
> How do you do that? I couldn't find any setting for specifying it...
You need the latest signtool.exe from Microsoft (at least 6.2.9200.16384)
and then use #pragma in your script and set CODESIGN_SHA to 2 for SHA-2
code-signing (please see #pragma help).
Does this help?
Friedrich
Re: New certificate - not sure if it's working correctly.
Hi Friedrich,
> If you run the "signtool.exe verify myfile.exe" command, signtool will
> use the Windows Driver Verification Policy. In order for your file to
> "verify" properly you need to include the /pa switch, so that SignTool
> uses the Default Authentication Verification Policy.
> Friedrich
Got it! Works:)
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: New certificate - not sure if it's working correctly.
Hi Friedrich,
> You need the latest signtool.exe from Microsoft (at least
> 6.2.9200.16384) and then use #pragma in your script and set
> CODESIGN_SHA to 2 for SHA-2 code-signing (please see #pragma help).
> Does this help?
> Friedrich
OK, mine is 6.1.x so I'll grab the latest one and give it another go:)
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
Re: New certificate - not sure if it's working correctly.
Hi Friedrich,
> You need the latest signtool.exe from Microsoft (at least
> 6.2.9200.16384) and then use #pragma in your script and set
> CODESIGN_SHA to 2 for SHA-2 code-signing (please see #pragma help).
> Does this help?
> Friedrich
Got the latest (6.3.x), set the pragma, changed the time server (I used
verisign yesterday and it worked, but not today;), compiled and got
SHA2: 0 - codesigning successful on all files:)
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
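Added example, not part of the thread and not code from the build tool or from signtool: a Python check that reads the primary Authenticode signature embedded in a signed .exe and reports which digest algorithm it declares, so the SHA-1 versus SHA-2 question can be confirmed from the file itself rather than from the build log. The function names are hypothetical, and a second (nested) signature on a dual-signed file is not inspected.

```python
import struct

# DER-encoded OID bodies of the digest algorithms discussed in the thread.
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
               bytes.fromhex("608648016503040201"): "sha256"}

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def authenticode_digests(pe):
    """Digest algorithm names from the primary embedded signature of PE bytes."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]       # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                    # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)     # PE32+ or PE32 data directories
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: certificate table
    if cert_size == 0:
        return []                                    # no embedded signature
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, then PKCS#7 DER
    length, _rev, ctype = struct.unpack_from("<IHH", pe, cert_off)
    if ctype != 0x0002:                              # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type")
    der = pe[cert_off + 8:cert_off + length]
    _, s, _ = _tlv(der, 0)       # ContentInfo SEQUENCE
    _, _, s = _tlv(der, s)       # skip contentType OID (signedData)
    _, s, _ = _tlv(der, s)       # [0] EXPLICIT wrapper
    _, s, _ = _tlv(der, s)       # SignedData SEQUENCE
    _, _, s = _tlv(der, s)       # skip version INTEGER
    _, s, end = _tlv(der, s)     # digestAlgorithms SET
    found = []
    while s < end:
        _, a, s = _tlv(der, s)   # AlgorithmIdentifier SEQUENCE; s moves to the next one
        _, o, oe = _tlv(der, a)  # algorithm OID
        found.append(DIGEST_OIDS.get(bytes(der[o:oe]), der[o:oe].hex()))
    return found
```

Call it as authenticode_digests(open(path, "rb").read()); a SHA-1 signed file returns ['sha1'] and a SHA-256 signed one returns ['sha256'].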
Re: New certificate - not sure if it's working correctly.
Hi Arnor,
Where did you get this one from? From some newer SDK, or do you have a useful link?
I didn't find any good
Many thanks
Darko