Some more info from KSoftware here:
http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-
I just tried out the cert I got from Ksoft in June 2013 (5-yr cert), and it does both SHA1 & SHA256 (you need to timestamp it for SHA256), so don't panic until you're totally sure.
I used this to sign with SHA256 (the /debug flag gives you verbose output; see http://stackoverflow.com/a/23051949/492):
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /debug /fd sha256 /f "C:\....certificat.pfx" /p password /tr http://timestamp.geotrust.com/tsa /v file.dll
+1 for Ksoft, I remember them being good to deal with.
With some help from Mitchell Vincent of ksoftware.net I've written up what I think you need to know about SHA1/SHA2 and code signing:
Anyone else been having problems since signing with their new SHA-256 certs?
Both IE (SmartScreen) and Chrome (whatever it uses) now warn me the software isn't downloaded often and may be malware yadda yadda.
I never got this with my previous SHA1 certs, including when I originally started signing a couple of years ago.
I'm wondering if I'm not signing the software correctly, but the details appear under Windows 'Digital Signatures' ok, the only difference being a missing support email address in the new version (I can't remember how I provided that in the first place).
I've spoken to the ever-helpful Mitchell at K Software who said it probably needs downloading a few times and then it will be trusted… it's just that as this didn't happen when first signing under SHA1 I'm a bit nervous something is not quite right…
The software itself works fine once all the 'Run anyway' hoops are jumped through.
Do you put the version name in the downloaded file? I do, and that proved useful over the years when I want to point a customer to a specific version for whatever reason. However, I made that decision almost a decade ago when there were no drawbacks to that. Now I wonder if it's a problem whenever there's a new download with a different version number.
I don't. Not anywhere in the signature-related bits anyway. I'm assuming the content of the actual app is ignored anyway, otherwise this 'reputation' would be getting trashed on every release (I aim for fortnightly/monthly releases).
Sounds like it could be a possible problem though, given what MS say about comparing the text portions of the signature.
I didn't write it clearly. I'm putting the version number as part of the file name. Therefore each new release appears as a new file name. I have no idea how MS determines what's a new file, whether they disregard numbers from the file name or not.
Yep, there must be a URL out there that describes all the inputs to the similarity score.
In my case, all files are named the same: setup.exe
I expect they use a hash of the file contents to determine what is a unique file. I would be very surprised if they pay attention to the file name.
A few other people have mentioned smartscreen suddenly popping up when you change your cert, but that it then usually goes away in a few hours or days (depending on how many people download your stuff perhaps).
Maybe we should share our downloads to help each other get our reputation up…
AFAIK the reputation is collected per-certificate, not for individual files. Each new version of my programs is published under a new file name (e.g. SoftwareName_setup_a.b.c.d.exe). The 'not commonly downloaded' warning lasted only for a short period of time, when a certificate was just issued. Nothing changed when I added the sha-256 signature in addition to sha-1. Tested on Windows XP, 7, 8, 10 with all latest updates.
I have a Comodo certificate issued in mid-2015. It supports both algorithms. The only real extra step I needed to take was to create a PFX file for the newer versions of SignTool to work with. Comodo automagically installed my certificate when I purchased it and I'd never needed the PFX file before. There's a short write up of the process I followed to get dual signing working here.
For those who use InnoSetup they introduced Dual Signing of installers / uninstallers in version 5.5.8 which was released about 4 weeks ago.
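The signtool invocation posted earlier and the dual signing that the Comodo and InnoSetup posts refer to, as one added PowerShell example. This is not code from the thread, from K Software or from InnoSetup: the signtool path and the GeoTrust timestamp URL are the ones quoted in the earlier post, while the PFX path, the password parameter, and the assumption that the same timestamp server answers RFC 3161 (/tr) requests are mine. It signs a file twice (SHA-1 primary signature, SHA-256 appended signature) and then lists every signature on the file rather than only the first.

```powershell
# Added example, not from the thread: dual-sign one binary with SHA-1 and
# SHA-256 Authenticode signatures, then verify all signatures on it.
param(
    [Parameter(Mandatory)] [string] $File,                  # binary to sign
    [string] $PfxPath     = 'C:\certs\codesign.pfx',        # assumed path to your PFX export
    [string] $PfxPassword = $(Read-Host 'PFX password')     # kept off the command line of this script
)

# signtool path as quoted in the thread (Windows 10 SDK); adjust to your SDK.
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'

# Timestamp servers. The GeoTrust URL is the one quoted in the thread; that the
# same server also serves RFC 3161 requests is an assumption, so check with your CA.
$AuthenticodeTsa = 'http://timestamp.geotrust.com/tsa'   # legacy /t style
$Rfc3161Tsa      = 'http://timestamp.geotrust.com/tsa'   # RFC 3161 /tr style (assumed)

function Invoke-SignTool {
    param([string[]] $Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool exited with $LASTEXITCODE for: $($Arguments -join ' ')"
    }
}

if (-not (Test-Path $SignTool)) { throw "signtool not found at $SignTool" }
if (-not (Test-Path $File))     { throw "file not found: $File" }

# 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
#    This is the signature that verifiers without SHA-256 support will read.
Invoke-SignTool @('sign', '/v', '/fd', 'sha1',
                  '/f', $PfxPath, '/p', $PfxPassword,
                  '/t', $AuthenticodeTsa, $File)

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp
#    whose own digest is SHA-256 (/td). Without /as, signtool would REPLACE the
#    signature from step 1 instead of adding a second one.
Invoke-SignTool @('sign', '/v', '/as', '/fd', 'sha256', '/td', 'sha256',
                  '/f', $PfxPath, '/p', $PfxPassword,
                  '/tr', $Rfc3161Tsa, $File)

# 3. Verify. Get-AuthenticodeSignature reports only the primary signature, so
#    use signtool verify with /all to see both signatures and both timestamps.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

Order matters: the SHA-1 signature has to be the primary one and the SHA-256 signature the appended one, which is why step 1 runs without /as and step 2 with it. Note that /p puts the PFX password into signtool's command line, where it is visible in process listings on the build machine; a certificate installed in the user's store (selected with /n or /sha1 instead of /f and /p) avoids that.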