Nick_Umanski
Flexera beginner

Re: Codesigning using SHA-2, SHA256

@Tobias79

Yes, your TechNet link basically explains my first command line example:

signtool sign /n %CommonName% /t http://timestamp.comodoca.com/authenticode %FileName% >> %LogFile%

The point is, it is an SHA-1 encryption and this will not be valid for digital signing carried out after 01/01/2016, which presumably includes .msi files

It looks to me that Microsoft just haven't got a solution for .msi files and all the 'informed opinions' either don't mention it or sprout a rather confusing technical term such as in this case:

"Note that this approach will meet policy only for the code signing certificate requirement being enforced for SHA-1 code signing certificates starting on 1/1/2016."

...which basically means "Not valid on Win7 and above"
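For comparison with the SHA-1 command quoted above, here is an added PowerShell example (not from the thread or from Flexera) that signs the same file with a SHA-256 file digest and an RFC 3161 timestamp, then reads back what actually landed on the file. The variable names follow the thread's batch variables; the certificate common name and the timestamp URL are placeholders.

```powershell
# Added example: SHA-256 Authenticode signing and verification with signtool.
# $CommonName and $TsaUrl are placeholders; replace them with your own values.
param(
    [string]$CommonName = 'Example Publisher',                      # assumed subject CN
    [string]$FileName   = '.\Setup.msi',
    [string]$LogFile    = '.\sign.log',
    [string]$TsaUrl     = 'http://timestamp.example.invalid/rfc3161' # placeholder RFC 3161 TSA
)

# Weak form, as in the thread: signtool defaults to a SHA-1 file digest, and /t uses
# the older Authenticode timestamp protocol.
#   signtool sign /n $CommonName /t http://timestamp.../authenticode $FileName

# Hardened form: /fd selects the file digest algorithm, /tr points at an RFC 3161
# timestamp server and /td selects the digest used for the timestamp request.
# A .msi holds a single signature, so this replaces SHA-1 rather than adding to it;
# PE files (.exe/.dll) can instead keep SHA-1 and append a SHA-256 signature with /as.
& signtool sign /n $CommonName /fd sha256 /tr $TsaUrl /td sha256 /v $FileName *>> $LogFile
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE; see $LogFile"
}

# Verify against the default Authenticode policy and log the verbose report.
& signtool verify /pa /v $FileName *>> $LogFile
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed with exit code $LASTEXITCODE; see $LogFile"
}

# Read back the signature independently of signtool so the result can be checked
# in the same way on a machine that has only PowerShell.
$sig = Get-AuthenticodeSignature -FilePath $FileName
[pscustomobject]@{
    Status      = $sig.Status                       # expect 'Valid'
    Signer      = $sig.SignerCertificate.Subject
    CertSigAlg  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    TimeStamper = $sig.TimeStamperCertificate.Subject
}
```

The `Hash Algorithm` line in the verbose `signtool verify` output written to the log shows which file digest the signature really uses; `Get-AuthenticodeSignature` reports the certificate's own signature algorithm, which is a different thing from the file digest.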
Tobias79
Pilgrim

Re: Codesigning using SHA-2, SHA256

Nick Umanski wrote:

The point is, it is an SHA-1 encryption and this will not be valid for digital signing carried out after 01/01/2016, which presumably includes .msi files

I assume MSIs (with SHA1 only) will not be considered as signed with an invalid signature if carried out this year, even if not implicitly stated in the TechNet article. I think the Microsoft approach they used last year for e.g. the VCRedist (https://www.microsoft.com/en-us/download/details.aspx?id=48145) should be the same as if they were releasing the package this year: Setup.exe (and the contained assemblies) signed with digest algorithm SHA1/256 and the MSI with SHA1.

I mean why should they otherwise adapt signing for PE files to SHA1/256 but not for the MSI. Just my interpretation.

Nick_Umanski
Flexera beginner

Re: Codesigning using SHA-2, SHA256

You make it sound like 'they' had a choice in the matter. But in fact the new signing encryption was forced on them by a security problem. I suspect that it was NOT anticipated that SHA-256 would fail on .msi files and the lack of information on the subject is because a solution still hasn't been found.

Curiously, the .msi files I've produced since the 1st of January still work, as do individual binaries encrypted by an SHA-1 algorithm. So it looks like the security patch meant to enforce this hasn't been deployed yet.

What I don't understand is why Flexera/InstallShield don't seem to have the first clue as to what is going on, when they should be camping on Microsoft's door demanding information.