* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

PSA: Code signing in 2016 (Windows)

Microsoft is moving to SHA2 Authenticode certificates, and as of January 1, 2016, SHA1 certs cannot be used to sign new releases of your software. If you purchased your cert within the last year, it may already be SHA2. However, if you purchased a multi-year cert prior to that, it may be obsolete even though it hasn't expired yet.

Existing SHA1-signed releases timestamped before the end of the year will be recognized. If your software supports older versions of Windows (Vista, XP), those systems do not recognize SHA2.

More details here:

http://zabkat.com/blog/code-signing-sha1-armageddon.htm
Nicholas Hebb
Sunday, December 20, 2015

Ugh. First I heard about this was today. Thanks for nothing Microsoft.
Andy Brice
Sunday, December 20, 2015

I intended to A/B test code signed vs unsigned early next year, now I'm not sure I want to put up with this nonsense :)
Zka
Sunday, December 20, 2015

Thanks for the info.  My 3 year cert (SHA-1) expires in Feb so I guess the timing isn't so bad for me.  Now the decision is whether to go for one of the more expensive certs that work in the Microsoft store, or carry on with the cheap Comodo from K-Software.
DV
Monday, December 21, 2015

Phew - mine is SHA-2. Thanks for the heads up. Mind you, it cost me nearly $1000 from Digicert only 3 months ago.

I decided on my last renewal to get the more expensive option, having been with Comodo before. Nothing against Comodo, but they told me I would have to get a completely new certificate and build up reputation again, and I couldn't bear the thought of going through the hassle of security warnings again.

Fair play to Digicert - although it was ridiculously expensive, the service was excellent. They had the key (on a USB) to me in the UK within 2 days of ordering, and follow up support was excellent and transition from the old key was seamless.

It's still a rip-off of course.
Anon123
Monday, December 21, 2015

Wow, $1000 per year?

And I thought it is expensive in my country here (Austria) where I have to pay 360 € each year to get this crazy (now SHA-2) certificate.

(Btw, from my experience it makes no sense to get a cheap certificate from a different country if you are not located there. You need to go to the lawyer and you have to translate several documents to apply for the certificate.)
xmlbuddy
Tuesday, December 22, 2015

I am currently going through the "re-verification" hassle with Comodo. Letsencrypt needs to create code signing certificates as well.
Bring back anon
Wednesday, December 23, 2015

Where are you guys getting these crazy prices from? I bought a 3-year Comodo code signing cert for $195 (that's $65/year) back in 2013, and they reissued it with a SHA-2 sig at no extra cost this summer.
Dmitry Leskov
Friday, December 25, 2015

If there is only one provider of certificates in your country you get those crazy fees...
xmlbuddy
Friday, December 25, 2015

@Dmitry Leskov
Did Comodo revoke your sha1 cert?
Are you double signing sha1 and sha2? Or are you not bothered about older OSs that don't support sha2?
Andy Brice
Saturday, December 26, 2015

@xmlbuddy: We are not based in the US, and that did not stop us from purchasing a cert from a US company, so what exactly is your problem again?

@Andy Brice: Yes, they've revoked the old cert. No, we do not care about the older O/Ss - our users are Java developers, so I'd be very surprised if (m)any of them were still on XP or Vista.
Dmitry Leskov
Monday, December 28, 2015

@Dmitry The problem was that I would have to translate at least 3 documents from German to English and this costs a lot of money. Then you need to go to the lawyer to sign those documents. I found no way to avoid this.
xmlbuddy
Monday, December 28, 2015

@xmlbuddy: I'd expect notarized translations to be required for an EV cert, but not a regular code signing one.
Dmitry Leskov @Home
Friday, January 01, 2016

BTW, if anyone has tried this, it's broken for MSI installers. I have an EXE bootstrapper that checks prerequisites, then downloads and runs the MSI installer. The problem is that the MSI file format does not support double signing. So in the end, you can't support both SHA1 systems (XP, Vista) and SHA2 systems with one installer if you're using MSIs.
Nicholas Hebb
Monday, January 04, 2016

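The double signing Andy asks about above, and the MSI limitation Nicholas describes, as an added example rather than anything posted in the thread: a PowerShell script that drives signtool.exe to put a SHA-1 signature (for XP/Vista) and an appended SHA-256 signature (for Windows 7 and later) on one EXE, then verifies both. It assumes signtool.exe from the Windows SDK is on PATH, that the code signing certificate is installed in the current user's store and selected by its thumbprint, and that the timestamp URLs (the timestamp.example placeholders) are replaced with the ones your CA publishes.

```powershell
# Added example, not code from the thread. Dual-sign a Windows installer EXE so
# that SHA-1-only systems (XP, Vista) and SHA-2-enforcing systems (Windows 7+,
# from January 2016) both see a valid Authenticode signature.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the certificate lives in
# the current user's store and is selected by thumbprint; the timestamp URLs are
# placeholders for your CA's servers.
param(
    [Parameter(Mandatory)] [string] $File,        # e.g. .\setup.exe (an .msi is rejected below)
    [Parameter(Mandatory)] [string] $Thumbprint,  # thumbprint of the (SHA-2) code signing cert
    [string] $Sha1Thumbprint = $Thumbprint,       # separate SHA-1 cert for the legacy signature, if you still have one
    [string] $Sha1TimestampUrl   = 'http://timestamp.example/authenticode',  # placeholder: legacy Authenticode timestamp server
    [string] $Sha256TimestampUrl = 'http://timestamp.example/rfc3161'        # placeholder: RFC 3161 timestamp server
)

$ErrorActionPreference = 'Stop'

# An MSI carries exactly one signature, so the dual-signing trick does not apply.
if ([System.IO.Path]::GetExtension($File) -ieq '.msi') {
    throw "MSI files hold a single signature; sign the MSI with SHA-256 only and keep the SHA-1 signature on the EXE bootstrapper."
}

# 1. Primary signature: SHA-1 file digest plus a legacy Authenticode timestamp (/t).
#    This is the signature XP and Vista evaluate.
& signtool sign /sha1 $Sha1Thumbprint /fd sha1 /t $Sha1TimestampUrl /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit code $LASTEXITCODE)" }

# 2. Appended signature (/as): SHA-256 file digest plus an RFC 3161 timestamp
#    (/tr) whose own digest is SHA-256 (/td). Windows 7+ evaluates this one
#    under the 2016 enforcement rules.
& signtool sign /as /sha1 $Thumbprint /fd sha256 /tr $Sha256TimestampUrl /td sha256 /v $File
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit code $LASTEXITCODE)" }

# 3. Verify every signature in the file (/all), not only the primary one,
#    against the default Authenticode policy (/pa).
& signtool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Verification failed (exit code $LASTEXITCODE)" }

# Caveat: Get-AuthenticodeSignature reports only the primary signature, so it
# will describe the SHA-1 signature here and say nothing about the appended one.
$sig = Get-AuthenticodeSignature -FilePath $File
'{0}: status={1}, primary signer cert algorithm={2}' -f $File, $sig.Status, $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
```

Run it as `.\DualSign.ps1 -File .\setup.exe -Thumbprint <hex thumbprint>`. The order matters: the SHA-1 signature has to be the primary one because the old systems only look at the first signature, and the verification step uses `signtool verify /all` precisely because the PowerShell cmdlet would only ever show that first signature.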
There is some more information here:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

But I was more confused after reading it.

The opening sentence is:

" Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016."

Which seems fairly unequivocal. But then it says:

" This restriction will not apply to the timestamp certificate or the certificate’s signature hash until January 1, 2017, after which time, Windows will treat any SHA-1 timestamp or signature hash as if the code did not have a timestamp signature."

I'm not sure what that 2nd sentence means in practical terms.
Andy Brice
Tuesday, January 05, 2016

What I think it means, and I hope I can explain it in English as well, is that if the code has been signed *after* January 1st 2016 using SHA-1 the OS no longer treats it as signed. If the SHA-1 signature was applied before January 1st 2016 it is still valid until December 31st 2016.
xmlbuddy
Tuesday, January 05, 2016

I can't confirm that anything was changed since 1st January. SHA-1 signatures still seem to work. I built a new version of my own software and tried it on Win 8.1 and Win 10, both freshly updated. It installs without any warnings. Also, when I right-click I see the SHA-1 signature, that it was signed today (5/1/2016), and Windows doesn't seem to mind.

I searched for other software which had recent update and found CC Proxy:

http://www.youngzsoft.net/ccproxy/proxy-server-download.htm

It's signed with SHA-1 after New Year and works without any problems. So is this all FUD? Or does Windows contain some whitelist of existing publishers/certificates which will continue to work?
Suka
Tuesday, January 05, 2016

+1 for xmlbuddy on the interpretation.

The good news is that I checked Google Analytics, and only ~3% of my site visitors are running Vista or older. Plus, the people who run older OS's tend to convert much lower than people with new systems.
Nicholas Hebb
Wednesday, January 06, 2016

Just lol-ed when installing Skitch from Evernote. Even big software has not been signed with SHA-2.
barnacleboy
Friday, January 15, 2016

This topic is archived. No further replies will be accepted.