‎Nov 18, 2014
04:06 PM
Codesigning using SHA-2, SHA256
InstallShield appears to use the default SHA-1 when signing. How is this set to the newer standard? I don't see the digest type listed in the signing options. Signtool.exe supports /fd SHA256, for example.
I read somewhere that Microsoft stops support for SHA-1 on January 1, 2016.
(22) Replies
‎Jan 14, 2016
09:47 AM
Nick Umanski wrote:
The point is, it is an SHA-1 encryption and this will not be valid for digital signing carried out after 01/01/2016, which presumably includes .msi files
I assume MSIs (with SHA1 only) will not be considered as signed with invalid signature if carried out this year. Even if not implicitly stated in the TechNet article. I think the Microsoft approach they did last year for e.g. the VCRedist (https://www.microsoft.com/en-us/download/details.aspx?id=48145) should be the same as if they would release the package this year. Setup.exe (and containing assemblies) signed with digest algorithm SHA1/256 and MSI with SHA1.
I mean why should they otherwise adapt signing for PE files to SHA1/256 but not for the MSI. Just my interpretation.
‎Jan 14, 2016
11:25 AM
You make it sound like 'they' had a choice in the matter. But in fact the new signing encryption was forced on them by a security problem. I suspect that it was NOT anticipated that SHA-256 would fail on .msi files and the lack of information on the subject is because a solution still hasn't been found.
Curiously, the .msi's I've produced since the 1st January still work as do individual binaries encrypted by an SHA-1 algorithm. So it looks like the security patch meant to enforce this hasn't been deployed yet.
What I don't understand is why Flexera/InstallShield don't seem to have the first clue as to what is going on, when they should be camping on Microsoft's door demanding information.