Monday, February 1, 2016

Digital signatures and SHA256

A very important point for anyone selling software is to make sure that the demo downloads and works.  A critical point of the download is that it is not recognised as a virus, or malicious software.  Hence, for the past several years, all my software has been digitally signed.

The signing was with a SHA-1 signature, and a recognised certificate.  Recently, (Jan 2016) this started give nasty warning messages on downloads.  What has happened is that SHA-1 is no longer considered safe, and so from 2016, web browsers etc have started to look for SHA-256 signatures.

The solution was to contact GlobalSign who provide my certificate,  and they very quickly supplied one with a SHA-256 code.

The next stage was updating my batch files to add the signature.  This was a matter of changing the .PFX name and the password, and all almost worked.  It worked, but the signature was still showing as SHA-1.  Curiously, the code signed within InstallShield 2015 was showing SHA-256.  This did mean my new certificate was correct.  It turned that my signing routine was along the lines

c:\signtool  sign  /f 1234.pfx   etc

By default the sign routine adds a SHA-1 signature, when I changed the line above to be

c:\signtool  sign /fd SHA256  /f1234.pfx  etc

it all worked OK.

Hopefully my programs will now download without alarm bells.

No comments:

Post a Comment