Flexera Software Community - InstallShield Forum
Codesigning using SHA-2, SHA256
I read somewhere that Microsoft stops support for SHA-1 on January 1, 2016.

Re: Codesigning using SHA-2, SHA256
We don't offer this out of the box today, but are tracking a feature request for adding it as IOJ-1700927. If you can find the source for SHA-1 being unsupported, I can add that to our report as supporting evidence to prioritize this feature.
If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to \System\signtool.exe and does something else instead.
Code signing using SHA-2, SHA256
Microsoft defined their policy in 2013 as described in the following link:
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
Specifically:
"Code Signing Certificates
For code signing certificates, Windows will stop accepting SHA1 code signing certificates without time stamps after 1 January 2016. SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack."
It isn't clear to me exactly what Microsoft's policy is where code signing is concerned, but their intent is clear enough: stop using SHA-1 if you can. The bottom line is that SHA-1 is weak, so its use is deprecated wherever possible.
Re: Codesigning using SHA-2, SHA256
This is additional commentary on Microsoft's SHA-1 policy:
https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html

Re: Codesigning using SHA-2, SHA256
MichaelU wrote:
We don't offer this out of the box today, but are tracking a feature request for adding it as IOJ-1700927. If you can find the source for SHA-1 being unsupported, I can add that to our report as supporting evidence to prioritize this feature.
If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to\System\signtool.exe and does something else instead.
I have a wrapper for this that works---allowing me to SHA256 sign---that I'm willing to post.... but I can't get the codesigning of the MSI file to work at all without the wrapper! I can sign the EXE/DLLs, I can sign the final setup exe, but anytime I turn on MSI signing (i.e. by itself, or with the MSI+EXE option) I get
ISDEV : error -6003: An error occurred streaming 'C:\C...\PROJECT_ASSISTANT\SINGLE_EXE_IMAGE\DiskImages\DISK1\XXX.isc' into setup.exe
ISDEV : error -6003: An error occurred streaming 'C:\...\PROJECT_ASSISTANT\SINGLE_EXE_IMAGE\DiskImages\DISK1\XXX.msi' into setup.exe
Again, this is just with the stock unmodified product. I concede I'm using IS2011, but I expect base functionality like this to work. Antivirus is off. It's not exactly an incentive to upgrade knowing that SHA256 isn't addressed.
Are there known issues in the signing? Any way to get the msi, sign it separately, then generate the final EXE? Thanks.
Working Wrapper for SHA256 code signing
[CODE]#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
// Mock signtool.exe to replace
// C:\program files (x86)\Installshield\2011\System\signtool.exe (or equivalent)
// allowing you to supply better arguments than InstallShield allows
// Limited functionality, just for use by InstallShield
//
// To compile:
// Open command line window
// Set up MS Visual Studio commandline args with vcvars32
// cl signtool.cpp
// Drag signtool.exe to the installshield folder above.
// *** Do NOT replace your main signtool.exe below!
//
// Create a batch file to supply the desired arguments, with the
// same name as your pfx file, but with a .bat extension
// In this sample batch file, you need to:
// Adjust the path to the "real" signtool.exe
// --- ie a modern one that handles SHA-2
// Stick in whatever arguments you want, ie your timestamper
// (The sha2 arguments are already there)
//
//++++++++++++++
// SET tool=C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe
// "%tool%" sign /v /fd sha256 /tr http://timestamp.digicert.com /td sha256 /f %2 /p %3 %1
//--------------
// You can put a "pause" at the end of the batch file to watch it go for testing
int
main(int argc, char *argv[])
{
int i, len;
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
HANDLE hProcess, hThread;
char cmd[8192];
DWORD exitc = 0;
const char *pfx = "", *pwd = "";
char *batch = 0;
#if 0
// Debug aid: log every argument InstallShield hands us
FILE *fp = fopen("/tmp/signlog.txt", "a");
for (i = 0; i < argc; i++)
fprintf(fp, "Arg %i '%s'\n", i, argv[i]);
fclose(fp);
#endif
// InstallShield also invokes signtool with the "timestamp" verb; the batch
// file already timestamps during signing, so just report success for that call
if (argc < 2 || strcmp(argv[1], "timestamp") == 0)
exit(0);
// Pick the certificate file (/f) and password (/p) out of the argument list;
// the last argument is always the file to sign, so stop one short of it
for (i = 1; i < argc - 1; i++)
if (strcmp(argv[i], "/f") == 0)
pfx = argv[++i];
else if (strcmp(argv[i], "/p") == 0)
pwd = argv[++i];
if (!*pfx)
{
printf("No pfx file\n");
exit(1);
}
// The batch file sits next to the .pfx with the same base name
batch = _strdup(pfx);
len = strlen(batch);
if (len < 4 || _stricmp(batch+len-4, ".pfx") != 0)
{
printf("Bad pfx extension\n");
exit(1);
}
strcpy(batch+len-4, ".bat");
// Echo the command with the password masked, then build the real one
sprintf(cmd, "cmd.exe /C %s \"%s\" \"%s\" \"%s\"",
batch, argv[argc-1], pfx, "******");
printf("About to run command: '%s'\n", cmd);
sprintf(cmd, "cmd.exe /C %s \"%s\" \"%s\" \"%s\"",
batch, argv[argc-1], pfx, pwd);
memset(&sinfo, 0, sizeof(sinfo));
sinfo.cb = sizeof(sinfo);
if (!CreateProcess(0, cmd, 0, 0, FALSE, 0, 0,
0, &sinfo, &pinfo))
{
DWORD lasterr = GetLastError();
printf("Failed %lu\n", lasterr);
exit(1);
}
// Wait for the real signtool and pass its exit code back to InstallShield
hProcess = pinfo.hProcess;
hThread = pinfo.hThread;
WaitForSingleObject(hProcess, INFINITE);
GetExitCodeProcess(hProcess, &exitc);
CloseHandle(hThread);
CloseHandle(hProcess);
exit(exitc);
}[/CODE]
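Whichever route you take (the wrapper above or the URL trick further down), it is worth confirming what digest the resulting signature actually uses rather than trusting the build log. The following is an added Python example, not code from this thread or from InstallShield: it reads the Authenticode signature out of a PE file (EXE/DLL; an MSI stores its signature inside the structured-storage container, which this does not handle) and reports whether the SignedData digest algorithm is SHA-1 or SHA-256. Only the handful of DER fields needed are parsed. `build_fake_signed_pe` is a constructed fixture with a PE32+ header and a placeholder SignedData prefix (no real signature) so the script runs offline; the function and file names are this example's own.

```python
"""Report the digest algorithm (SHA-1 vs SHA-256) of a PE file's Authenticode signature."""
import struct
import sys

# Contents octets of the relevant OIDs (standard values).
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")      # 1.2.840.113549.1.7.2
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",                    # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",          # 2.16.840.1.101.3.4.2.1
}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def _expect(buf, pos, tag):
    t, start, end = _tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, got 0x{t:02x}")
    return start, end


def signed_data_digest(pkcs7):
    """Name the first digestAlgorithm of a PKCS#7 SignedData blob."""
    seq_start, _ = _expect(pkcs7, 0, 0x30)                 # ContentInfo SEQUENCE
    oid_start, oid_end = _expect(pkcs7, seq_start, 0x06)   # contentType OID
    if pkcs7[oid_start:oid_end] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure")
    ctx_start, _ = _expect(pkcs7, oid_end, 0xA0)           # [0] EXPLICIT content
    sd_start, _ = _expect(pkcs7, ctx_start, 0x30)          # SignedData SEQUENCE
    _, ver_end = _expect(pkcs7, sd_start, 0x02)            # version INTEGER
    set_start, _ = _expect(pkcs7, ver_end, 0x31)           # digestAlgorithms SET
    alg_start, _ = _expect(pkcs7, set_start, 0x30)         # AlgorithmIdentifier
    a_start, a_end = _expect(pkcs7, alg_start, 0x06)       # algorithm OID
    raw = pkcs7[a_start:a_end]
    return DIGEST_OIDS.get(raw, "unknown:" + raw.hex())


def authenticode_blobs(pe):
    """Yield each PKCS#7 blob from the PE security (certificate) directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                    # past PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ data directories
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)   # entry 4: SECURITY (file offset)
    pos, end = off, off + size
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)   # WIN_CERTIFICATE header
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            yield pe[pos + 8:pos + length]
        pos += (length + 7) & ~7                           # entries are 8-byte aligned


def signature_digests(pe):
    """List the digest algorithm of every signature on the file ([] if unsigned)."""
    return [signed_data_digest(blob) for blob in authenticode_blobs(pe)]


def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_fake_signed_pe(digest_oid):
    """Constructed fixture: PE32+ headers plus a security directory whose SignedData
    carries only the fields the checker reads. Not a real, verifiable signature."""
    signed_data = _der(0x30, _der(0x02, b"\x01") +                      # version 1
                       _der(0x31, _der(0x30, _der(0x06, digest_oid))))  # digestAlgorithms
    pkcs7 = _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))
    cert_off = 64 + 4 + 20 + 240                            # right after the headers
    dos = bytearray(64)
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, 8 + len(pkcs7))
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert + pkcs7


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_fake_signed_pe(bytes.fromhex("608648016503040201"))
    print(signature_digests(data) or "unsigned")
```

Run it against a signed setup.exe to see `['sha256']`; a SHA-1 signature shows as `['sha1']`, and a dual-signed file lists both entries in order. The checker does not validate the signature or certificate chain, it only reads what the signer claimed.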
Quick and dirty workaround (checked in IS2013)
Back up any file before changing or replacing it.
1. Replace the C:\program files (x86)\Installshield\201x\System\signtool.exe by the version from Windows 7 SDK.
2. Inject the command line parameter into URL in your project i.e. http://www.yourdomain.com" /fd sha256"
Note the proper use of ".
Hope it works for you as it did for me.
Re: Codesigning using SHA-2, SHA256
Commandline: "/tr http://timestamp.geotrust.com/tsa" instead of "/t http://timestamp.verisign.com/scripts/timstamp.dll"
It looks like the parameter /tr is not supported.
/tr URL Specifies the URL of the RFC 3161 time stamp server.
Source: https://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx