Monday, February 1, 2016

Digital signatures and SHA256

A very important point for anyone selling software is to make sure that the demo downloads and works.  A critical point of the download is that it is not recognised as a virus, or malicious software.  Hence, for the past several years, all my software has been digitally signed.

The signing was with a SHA-1 signature, and a recognised certificate.  Recently (Jan 2016), this started to give nasty warning messages on downloads.  What has happened is that SHA-1 is no longer considered safe, and so from 2016, web browsers etc. have started to look for SHA-256 signatures.

The solution was to contact GlobalSign, who provide my certificate, and they very quickly supplied one with a SHA-256 code.

The next stage was updating my batch files to add the signature.  This was a matter of changing the .PFX name and the password, and all almost worked.  It worked, but the signature was still showing as SHA-1.  Curiously, the code signed within InstallShield 2015 was showing SHA-256.  This did mean my new certificate was correct.  It turned out that my signing routine was along the lines of

c:\signtool  sign  /f 1234.pfx   etc

By default the sign routine adds a SHA-1 signature.  When I changed the line above to be

c:\signtool  sign /fd SHA256  /f 1234.pfx  etc

it all worked OK.

Hopefully my programs will now download without alarm bells.
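The symptom described above, a SHA-256 certificate whose signature still shows as SHA-1, can be checked on the signed file itself. The following is an added example, not code from the original post: it reads the file-digest algorithm from the primary Authenticode signature of a PE file. The function names are this example's own, and it assumes the signature is the first entry in the file's certificate table.

```python
import struct

# DER-encoded bodies of the two digest OIDs the post is concerned with.
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "SHA-1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "SHA-256",  # 2.16.840.1.101.3.4.2.1
}

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def authenticode_digest(pe):
    """Digest algorithm of the primary Authenticode signature, or None if unsigned."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24  # optional header follows the PE signature and COFF header
    pe32_plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # Data directory entry 4 is the certificate table: (file offset, size).
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + (112 if pe32_plus else 96) + 32)
    if cert_size == 0:
        return None
    der = pe[cert_off + 8:cert_off + cert_size]  # skip the 8-byte WIN_CERTIFICATE header
    # Walk ContentInfo > [0] > SignedData > digestAlgorithms > AlgorithmIdentifier > OID.
    # Each number is how many sibling elements to skip before descending one level.
    pos = 0
    for skip in (0, 1, 0, 1, 0, 0):
        for _ in range(skip):
            pos = read_tlv(der, pos)[2]
        tag, pos, end = read_tlv(der, pos)
    if tag != 0x06:
        raise ValueError("unexpected SignedData layout")
    return DIGEST_OIDS.get(der[pos:end], "unknown OID " + der[pos:end].hex())

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, authenticode_digest(fh.read()))
```

Run it over the signed build outputs after the signing step; anything other than SHA-256 means the /fd option did not take effect for that file.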

1 comment:

  1. Unfortunately the above statement is no longer totally true. Signed documents remain sound, but Microsoft now demands Extended Validation (EV) code signing to prevent warning messages. The older (standard) signing will still work, but it requires a period of time to gain a reputation. If there are thousands of downloads a day, this may not be an issue, but with a specialised product, we don't reach that number. Also, CnW Recovery products are updated on a regular basis, and each update would have to earn a new reputation. CnW Recovery software is now signed with an EV certificate.