tdhintz
Occasional contributor

Codesigning using SHA-2, SHA256

InstallShield appears to use the default SHA-1 when signing. How is this set to the newer standard? I don't see the digest type listed in the signing options. Signtool.exe supports /fd SHA256, for example.

I read somewhere that Microsoft stops support for SHA-1 on January 1, 2016.
0 Kudos
22 Replies
Flexera MichaelU
Flexera

Re: Codesigning using SHA-2, SHA256

We don't offer this out of the box today, but are tracking a feature request for adding it as IOJ-1700927. If you can find the source for SHA-1 being unsupported, I can add that to our report as supporting evidence to prioritize this feature.

If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to \System\signtool.exe and does something else instead.
0 Kudos
tdhintz
Occasional contributor

Code signing using SHA-2, SHA256

Microsoft defined their policy in 2013 as described in the following link:

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Specifically:

"Code Signing Certificates

For code signing certificates, Windows will stop accepting SHA1 code signing certificates without time stamps after 1 January 2016. SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack."

It isn't clear to me exactly what Microsoft's policy is where code signing is concerned, but their intent is clear enough: stop using SHA-1 if you can. The bottom line is that SHA-1 is weak, so its use is deprecated wherever possible.

0 Kudos
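The policy quoted above turns on two properties of each signed file: the digest algorithm and whether a timestamp is present. The following is an added example, not part of this thread and not InstallShield code: a small Python script that reads those two properties straight from a PE file's Authenticode signature, so a build output directory can be checked against the 2016 cut-off. It relies only on the documented PE and WIN_CERTIFICATE layouts; the OID scan is a deliberate simplification (no full ASN.1 parse), the timestamp's date is not checked, only its presence, and `build_fake_signed_pe` is a constructed skeleton for exercising the code, not a real binary.

```python
"""Inspect an Authenticode-signed PE file: which digest algorithm signs it and
whether a timestamp is present. Standard library only, so it runs anywhere;
it walks the PE security directory and scans the PKCS#7 SignedData for a few
well-known DER-encoded OIDs instead of parsing the full ASN.1 structure."""
import struct
import sys

# DER encodings (tag 0x06, length, contents) of the OIDs that matter here.
OID_SHA1 = bytes.fromhex("06052b0e03021a")                      # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("0609608648016503040201")            # 2.16.840.1.101.3.4.2.1
OID_AUTHENTICODE_TS = bytes.fromhex("06092a864886f70d010906")   # 1.2.840.113549.1.9.6 countersignature (/t)
OID_RFC3161_TS = bytes.fromhex("060a2b060104018237030301")      # 1.3.6.1.4.1.311.3.3.1 RFC 3161 timestamp (/tr)


def pkcs7_blob(pe: bytes) -> bytes:
    """Return the raw PKCS#7 SignedData from the PE security directory, or b"" if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}[magic]     # data directory offset for PE32 / PE32+
    sec_dir = opt + dd_base + 4 * 8              # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4
    off, size = struct.unpack_from("<II", pe, sec_dir)
    if off == 0 or size == 0:
        return b""
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType. 'off' is a file offset, not an RVA.
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
    if ctype != 0x0002:                          # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type 0x%04x" % ctype)
    return pe[off + 8:off + length]


def inspect_signature(pe: bytes) -> dict:
    blob = pkcs7_blob(pe)
    if not blob:
        return {"signed": False, "digest": None, "timestamped": False}
    # SignedData.digestAlgorithms precedes the certificates and signer info,
    # so the earliest digest OID in the blob is the file-hash algorithm.
    hits = {name: blob.find(oid) for name, oid in (("sha1", OID_SHA1), ("sha256", OID_SHA256))}
    hits = {name: pos for name, pos in hits.items() if pos >= 0}
    digest = min(hits, key=hits.get) if hits else "unknown"
    timestamped = OID_AUTHENTICODE_TS in blob or OID_RFC3161_TS in blob
    return {"signed": True, "digest": digest, "timestamped": timestamped}


def accepted_by_2016_policy(info: dict) -> bool:
    """The rule quoted from Microsoft: SHA-1 without a timestamp is rejected after
    1 Jan 2016; SHA-1 with a (pre-2016) timestamp is still accepted; SHA-256 is fine.
    Simplification: the timestamp's date is not checked, only its presence."""
    if not info["signed"]:
        return False
    if info["digest"] == "sha256":
        return True
    return info["digest"] == "sha1" and info["timestamped"]


def build_fake_signed_pe(blob: bytes) -> bytes:
    """Constructed fixture, not a real binary: a minimal PE32 skeleton whose
    security directory points at a WIN_CERTIFICATE wrapping `blob`."""
    opt_size = 224
    cert_off = 0x40 + 4 + 20 + opt_size + 16     # headers plus 16 bytes of padding
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * 16 + cert


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = inspect_signature(f.read())
        print(path, info, "accepted" if accepted_by_2016_policy(info) else "REJECTED")
```

Run it over a DiskImages folder (`python inspect_sig.py DISK1\*.exe DISK1\*.msi`) to see which outputs still carry a SHA-1-only, untimestamped signature. Dual-signed files report the primary (first) signature; the nested SHA-256 signature lives in an unauthenticated attribute that this scan does not distinguish.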
tdhintz
Occasional contributor

Re: Codesigning using SHA-2, SHA256

Here is additional commentary on Microsoft's SHA-1 policy.

https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html

0 Kudos
Flexera MichaelU
Flexera

Re: Codesigning using SHA-2, SHA256

Thanks much for the links; they provide pretty strong rationale to add official support ASAP. Unfortunately I can't make any guarantees about what "ASAP" means, but I'll be pushing for adding it to our next major release.
0 Kudos
rassmm
Pilgrim

Re: Codesigning using SHA-2, SHA256

MichaelU wrote:
We don't offer this out of the box today, but are tracking a feature request for adding it as IOJ-1700927. If you can find the source for SHA-1 being unsupported, I can add that to our report as supporting evidence to prioritize this feature.

If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to \System\signtool.exe and does something else instead.


I have a wrapper for this that works (allowing me to SHA256 sign) that I'm willing to post, but I can't get the code signing of the MSI file to work at all without the wrapper! I can sign the EXE/DLLs, I can sign the final setup exe, but any time I turn on MSI signing (i.e. by itself, or with the MSI+EXE option) I get


ISDEV : error -6003: An error occurred streaming 'C:\C...\PROJECT_ASSISTANT\SINGLE_EXE_IMAGE\DiskImages\DISK1\XXX.isc' into setup.exe
ISDEV : error -6003: An error occurred streaming 'C:\...\PROJECT_ASSISTANT\SINGLE_EXE_IMAGE\DiskImages\DISK1\XXX.msi' into setup.exe


Again, this is just with the stock unmodified product. I concede I'm using IS2011, but I expect base functionality like this to work. Antivirus is off. It's not exactly an incentive to upgrade knowing that SHA256 isn't addressed.

Are there known issues in the signing? Any way to get the msi, sign it separately, then generate the final EXE? Thanks.
0 Kudos
rassmm
Pilgrim

Working Wrapper for SHA256 code signing

Working SHA-2/SHA256 signtool wrapper, special purpose for use in InstallShield. Can SHA-2 sign exes, dlls, msis. The signing problem I had was due to Microsoft's 2949927 update; uninstall that!


[CODE]#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Mock signtool.exe to replace
// C:\program files (x86)\Installshield\2011\System\signtool.exe (or equivalent)
// allowing you to supply better arguments than InstallShield allows
// Limited functionality, just for use by InstallShield
//
// To compile:
// Open command line window
// Set up MS Visual Studio commandline args with vcvars32
// cl signtool.cpp
// Drag signtool.exe to the installshield folder above.
// *** Do NOT replace your main signtool.exe below!
//
// Create a batch file to supply the desired arguments, with the
// same name as your pfx file, but with a .bat extension
// In this sample batch file, you need to:
// Adjust the path to the "real" signtool.exe
// --- ie a modern one that handles SHA-2
// Stick in whatever arguments you want, ie your timestamper
// (The sha2 arguments are already there)
//
//++++++++++++++
// SET tool=C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe
// "%tool%" sign /v /fd sha256 /tr http://timestamp.digicert.com /td sha256 /f %2 /p %3 %1
//--------------
// You can put a "pause" at the end of the batch file to watch it go for testing

int
main(int argc, char *argv[])
{
    int i, len;
    STARTUPINFO sinfo;
    PROCESS_INFORMATION pinfo;
    HANDLE hProcess, hThread;
    char cmd[8192];
    DWORD exitc = 0;
    char *pfx = 0, *pwd = "", *batch = 0;   /* pfx stays NULL if no /f was passed */

#if 0
    /* Debug aid: log the exact arguments InstallShield hands us */
    FILE *fp = fopen("/tmp/signlog.txt", "a");
    for (i = 0; i < argc; i++)
        fprintf(fp, "Arg %i '%s'\n", i, argv[i]);
    fclose(fp);
#endif

    /* A separate "signtool timestamp ..." invocation is ignored:
       the batch file already timestamps as part of signing */
    if (argc < 2 || strcmp(argv[1], "timestamp") == 0)
        exit(0);

    /* Pick up the certificate file and password InstallShield passed */
    for (i = 1; i < argc; i++)
    {
        if (strcmp(argv[i], "/f") == 0 && i + 1 < argc)
            pfx = argv[++i];
        else if (strcmp(argv[i], "/p") == 0 && i + 1 < argc)
            pwd = argv[++i];
    }
    if (!pfx)
    {
        printf("No pfx file\n");
        exit(1);
    }

    /* The batch file lives next to the .pfx, with the same base name */
    batch = _strdup(pfx);
    len = (int)strlen(batch);
    if (len < 4 || _stricmp(batch + len - 4, ".pfx") != 0)
    {
        printf("Bad pfx extension\n");
        exit(1);
    }
    strcpy(batch + len - 4, ".bat");

    /* The last argument is the file to sign. The outer pair of quotes is what
       cmd.exe /C needs when the batch path itself is quoted (paths with spaces).
       Echo a masked copy first so the password never lands in the build log. */
    _snprintf(cmd, sizeof(cmd), "cmd.exe /C \"\"%s\" \"%s\" \"%s\" \"%s\"\"",
              batch, argv[argc - 1], pfx, "******");
    printf("About to run command: '%s'\n", cmd);
    _snprintf(cmd, sizeof(cmd), "cmd.exe /C \"\"%s\" \"%s\" \"%s\" \"%s\"\"",
              batch, argv[argc - 1], pfx, pwd);
    cmd[sizeof(cmd) - 1] = '\0';   /* _snprintf does not terminate on truncation */

    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    if (!CreateProcess(0, cmd, 0, 0, FALSE, 0, 0, 0, &sinfo, &pinfo))
    {
        DWORD lasterr = GetLastError();

        printf("Failed %lu\n", (unsigned long)lasterr);
        exit(1);
    }
    hProcess = pinfo.hProcess;
    hThread = pinfo.hThread;

    /* Propagate the real signtool's exit code so a failed signature fails the build */
    WaitForSingleObject(hProcess, INFINITE);
    GetExitCodeProcess(hProcess, &exitc);

    CloseHandle(hThread);
    CloseHandle(hProcess);

    exit((int)exitc);
}[/CODE]
0 Kudos
Thinkeye
Pilgrim

Quick and dirty workaround (checked in IS2013)

Please note that by using the following hack you will change the installed system at your own responsibility.
Back up any file prior to changing/replacing it.

1. Replace C:\program files (x86)\Installshield\201x\System\signtool.exe with the version from the Windows 7 SDK.
2. Inject the command line parameter into the URL in your project, i.e. http://www.yourdomain.com" /fd sha256"


Note the proper use of ".

Hope it works for you as it did for me.
0 Kudos
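Added illustration, not from this thread or from the product: the hack above works because the build tool pastes the timestamp URL into a quoted slot of a string-built command line, so a URL that closes that quote smuggles extra arguments (here `/fd sha256`) past the tool. `TEMPLATE` is an assumed model of the generated command line, consistent with the "proper use of quotes" the post relies on; `win_split` implements the Windows argv rules in simplified form so the effect can be checked off-Windows; and `subprocess.list2cmdline` (CPython's long-standing, if undocumented, helper) shows what an argument-array build would produce, where the same URL stays one argument and no `/fd` appears.

```python
"""Why the quoted-URL hack works: a command line assembled as a string lets a
value that closes its quote inject further arguments. Compared against the
argument-array form, which escapes the embedded quotes and neutralises it."""
import subprocess

# Assumed shape of the command line the build tool generates (not taken from InstallShield).
TEMPLATE = 'signtool sign /f "{pfx}" /p {pwd} /t "{url}" "{target}"'


def win_split(cmdline: str) -> list:
    """Split a Windows command line as CommandLineToArgvW / the MSVC runtime do:
    quotes group, 2n backslashes before a quote give n backslashes, 2n+1 give n
    backslashes plus a literal quote. (The "" escape inside quotes is omitted.)"""
    args, cur, in_quote, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:
                    cur.append('"')             # escaped quote, stays in the argument
                else:
                    in_quote = not in_quote     # even run: the quote still groups
                i = j + 1
            else:
                cur.append("\\" * nbs)          # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quote, have_arg, i = not in_quote, True, i + 1
        elif c in " \t" and not in_quote:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


def naive_cmdline(pfx, pwd, url, target):
    """String templating: whatever the URL contains lands in the command line verbatim."""
    return TEMPLATE.format(pfx=pfx, pwd=pwd, url=url, target=target)


def safe_cmdline(pfx, pwd, url, target):
    """Argument array: embedded quotes are escaped, so the URL stays a single argument."""
    return subprocess.list2cmdline(["signtool", "sign", "/f", pfx, "/p", pwd, "/t", url, target])


def option_value(args, flag):
    """Value following a /flag in a parsed argv, or None if the flag is absent."""
    return args[args.index(flag) + 1] if flag in args else None


if __name__ == "__main__":
    url = 'http://www.yourdomain.com" /fd sha256"'   # the post's trick, as entered in the URL field
    for build in (naive_cmdline, safe_cmdline):
        line = build(r"C:\keys\my.pfx", "pw", url, "setup.exe")
        print(build.__name__, "->", win_split(line))
```

The same mechanism cuts both ways: it is exactly why the workaround is handy and why it is fragile. Once the vendor assembles the command line from an argument array, the URL field stops being a way in, and the extra `"` turns into a malformed timestamp URL that signtool rejects.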
DebbieL
Pilgrim

Re: Codesigning using SHA-2, SHA256

InstallShield 2015, which was just released today, has built-in SHA-256 support for code-signing your installations and files at build time. For more details, see the InstallShield 2015 release notes.
0 Kudos
Stefan_M
Pilgrim

Re: Codesigning using SHA-2, SHA256

Signing SHA256 with InstallShield 2015 works, but I didn't find a way to use the time server "http://timestamp.geotrust.com/tsa".
Command line: "/tr http://timestamp.geotrust.com/tsa" instead of "/t http://timestamp.verisign.com/scripts/timstamp.dll"
It looks like the parameter /tr is not supported.

/tr URL Specifies the URL of the RFC 3161 time stamp server.

Source: https://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx
0 Kudos