* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

SHA1/SHA2 and code signing

With some help from Mitchell Vincent of ksoftware.net I have written up what I think software vendors need to know about SHA1/SHA2 and code signing:

http://successfulsoftware.net/2016/01/22/software-sha1-sha2-digital-certificates/
Andy Brice
Friday, January 22, 2016

Your first line: "Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with."

That's all good in theory, but what about hacked certs that make software look legit when they're not?  Here's one that allowed malware versions of the Opera browser to be released:

http://www.pcmag.com/article2/0,2817,2421085,00.asp

Certs are not 100% reliable.  At best, it's like asking for a police officer to show you his ID... but you still don't know if that actual ID is real or not.
PSB136
Friday, January 22, 2016

"Certs are not 100% reliable."

Nothing is. Except perhaps death and taxes.
Andy Brice
Saturday, January 23, 2016

Very true!  :)
PSB136
Saturday, January 23, 2016

I have a SHA1 Comodo certificate; is it still recognized?
Damjan
Saturday, January 23, 2016

>I have a SHA1 Comodo certificate; is it still recognized?

If you signed with it before 01-Jan-16 it will work until 01-Jan-17.

If you sign with SHA1 after 01-Jan-16 it won't work on Windows 7 or later. Although you might not see a warning if you haven't run Windows Update recently.

It's all in the article.
Andy Brice
Saturday, January 23, 2016

Actually, I have signed my program today with SHA1 and in my tests on Win7, Win8 and Win10 the signature is still valid and the UAC pops up with a blue window on startup.
Damjan
Saturday, January 23, 2016

The check is performed only for files with the Mark of the Web attribute. This attribute is set in the file when downloaded from the internet by all known browsers.

Here we explain with more details (first part of the article):
http://www.advancedinstaller.com/sha256-digital-signature.html
Bogdan Mitrache
Friday, January 29, 2016

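The two replies above turn on three facts about a given binary: which hash algorithm the signing certificate uses, whether the signature carries a timestamp (which is how Windows knows it was signed before the 01-Jan-16 cutoff), and whether the file carries the Mark of the Web that triggers the check at all. The PowerShell function below, added here as an illustration and not taken from the thread or from either linked article, reports all three for a file on disk. It assumes a signed PE file at the path you pass in, an NTFS volume (the Mark of the Web is stored in the Zone.Identifier alternate data stream), and, for the optional file-digest line, signtool.exe from the Windows SDK on the PATH.

```powershell
function Test-SigningPosture {
    # Added example (not the thread's or the articles' code).
    # Reports certificate hash algorithm, timestamp presence, Mark of the Web,
    # and (if signtool.exe is available) the file digest algorithm.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    "Status              : $($sig.Status) ($($sig.StatusMessage))"

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        "Signer              : $($cert.Subject)"
        # sha1RSA vs sha256RSA tells you which kind of certificate the CA issued.
        "Cert sig algorithm  : $($cert.SignatureAlgorithm.FriendlyName)"
        "Cert valid until    : $($cert.NotAfter)"
    }

    if ($sig.TimeStamperCertificate) {
        # A timestamp fixes the signing date, so Windows can apply the
        # "signed before 01-Jan-16" rule and the signature outlives cert expiry.
        "Timestamped by      : $($sig.TimeStamperCertificate.Subject)"
    } else {
        "Timestamped         : no (signature becomes invalid when the cert expires)"
    }

    # Mark of the Web: Zone.Identifier stream, ZoneId=3 means the Internet zone.
    $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        "Mark of the Web     : yes"
        $motw | ForEach-Object { "    $_" }
    } else {
        "Mark of the Web     : no (file was not downloaded, or was unblocked)"
    }

    # The file digest used for the signature itself (the thing the 2016 cutoff
    # applies to) is printed by signtool; it is optional here.
    if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
        signtool.exe verify /pa /v $Path 2>&1 | Select-String 'Hash Algorithm'
    }
}

# Usage (hypothetical path):
# Test-SigningPosture -Path 'C:\Downloads\setup.exe'
```

A file copied from a USB stick or built locally will show no Mark of the Web and will run without the warning whatever its digest, which is the situation Damjan describes; running the same file after downloading it through a browser is the test that matches what customers see.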