SB10 Tips & Tricks #1: Dual SHA-1/SHA-2 code-signing
It has been some time since we've had the "Tips & Tricks" column. Many people have asked
me for tips on how to do this and that, so I figured I would share some with you here.
The first in this new series of tips and tricks explains how you can handle dual
SHA-1/SHA-2 (SHA-256) code-signing with SetupBuilder.
Background: Organizations need to develop a migration plan for SHA-1 code-signing
certificates that expire after January 1, 2016. To support both older Windows operating
systems (e.g. Windows XP, Vista, early Windows 7 versions) and modern Windows systems
(Windows 8.x and later) after 1 January 2016, you have to dual SHA-1/SHA-2 code-sign all
your application files and setups, using a Microsoft Authenticode compatible time stamp
server for the SHA-1 signature and an RFC 3161 compliant trusted time stamp server for the
SHA-2 signature (a SHA-2 compatible code-signing certificate is required).
SHA-2 (SHA-256) was created by the National Institute of Standards and Technology (NIST)
to replace SHA-1 after mathematical weaknesses were discovered in the algorithm. For the
past few years, network security experts have warned that certificates using the SHA-1
hashing algorithm will soon be in danger of being broken due to consistent advancements in
computing technology.
How to handle dual code-signing with SetupBuilder 10?
- Set the "TimeStamp URL" to a SHA-2 compliant timestamp server, for example:
  http://timestamp.globalsign.com/?signature=sha2
- In the Script Editor, set the Secure Hash Algorithm to "dual":
  #pragma CODESIGN_SHA = "12"
- In the Script Editor, set the timestamp server for the SHA-1 signature to a Microsoft
  Authenticode compatible timestamp server:
  #pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"
Note: You need Microsoft SignTool.exe version 6.2.9200.16384 or later to support dual
SHA-1/SHA-2 code-signing.
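For readers who want to see what the "dual" setting does underneath, here is the same two-pass procedure written directly against SignTool.exe. This is an added example, not SetupBuilder's own code or script: it uses the two timestamp servers named above, and the SignTool path, certificate thumbprint and file name are placeholders you must replace. It assumes a single SHA-2 capable certificate (installed in the current user's certificate store) is used for both signatures, and it checks the SignTool version against the minimum stated in the note before signing.

```powershell
# Added example (not SetupBuilder's code): dual SHA-1/SHA-2 signing with SignTool.
# All paths and the thumbprint below are placeholders / assumptions.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,   # SHA-1 thumbprint of your SHA-2 capable code-signing cert
    [Parameter(Mandatory)] [string]$File,         # file to sign, e.g. C:\build\setup.exe
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'  # assumed location
)

# Timestamp servers taken from the post: RFC 3161 (SHA-2) and Authenticode (SHA-1).
$Rfc3161Ts      = 'http://timestamp.globalsign.com/?signature=sha2'
$AuthenticodeTs = 'http://timestamp.comodoca.com/authenticode'

# Dual signing (the /as switch) needs SignTool 6.2.9200.16384 or later.
$vi  = (Get-Item $SignTool).VersionInfo
$ver = New-Object Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
if ($ver -lt [Version]'6.2.9200.16384') {
    throw "SignTool $ver is too old for dual SHA-1/SHA-2 signing (need 6.2.9200.16384 or later)"
}

# Pass 1: primary SHA-1 file digest with an Authenticode (non-RFC 3161) timestamp.
# This is the signature that Windows XP / Vista / early Windows 7 can validate.
& $SignTool sign /sha1 $Thumbprint /fd sha1 /t $AuthenticodeTs /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing pass failed (exit code $LASTEXITCODE)" }

# Pass 2: append (/as) a SHA-256 file digest with an RFC 3161 SHA-256 timestamp
# for Windows 8.x and later. Without /as this pass would replace the SHA-1 signature.
& $SignTool sign /sha1 $Thumbprint /as /fd sha256 /tr $Rfc3161Ts /td sha256 /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing pass failed (exit code $LASTEXITCODE)" }

# Check the result: /all walks every signature on the file (not only the primary one),
# /pa applies the default Authenticode verification policy, /v prints the details.
& $SignTool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Verification failed (exit code $LASTEXITCODE)" }
```

Run it as `.\DualSign.ps1 -Thumbprint <cert thumbprint> -File C:\build\setup.exe`. The verification step at the end is the check worth keeping in any build pipeline: `signtool verify` without `/all` only reports the primary (SHA-1) signature, so a missing or broken SHA-256 signature would go unnoticed until a Windows 8.x or later machine rejects the file.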
--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)
January 19, 2016
Friedrich has commented that "you need Windows 8.0 or later to handle 'dual'
code-signing. Even Windows 8.0 does not work rock solid. I would suggest using Windows
8.1 or Windows 10."