James Steel

New Code Signing Certificate Recommendations


Just now, GabrielMoraru said:

Issued by sectigo public code CA R36

Valid from: 2022-04-01 to 2025-04-01

Yep. Then you can take that article down because it's based on old information. You can't do it like that anymore with newly issued certificates. And you signed with the old certificate in that article.

 

Also... all your previously signed exes will complain after that date. That's why you need to sign with a timeserver so those exes will keep working, even after the date of expiration of the certificate with which you signed.

 

Edited by rvk

Just now, rvk said:

That's why you need to sign with a timeserver so those exes will keep working, even after the date of expiration of the certificate with which you signed.

 

Yes. But once the application passes the "smart screen" it will remain "blue" even if the certificate expires.

1 minute ago, GabrielMoraru said:

Yes. But once the application passes the "smart screen" it will remain "blue" even if the certificate expires.

Not if used on a new computer. 

I don't know what happens on existing computers. But it's never wise to not sign with a timeserver.

 

And maybe it passes smartscreen during download but it will not give you the blue screen when installing but a yellow screen promoting the expired certificate.

 

Edited by rvk

2 minutes ago, rvk said:

I don't know what happens on existing computers. But it's never wise to not sign with a timeserver.

Over time the file acquires "trust" on Microsoft's servers. Once it goes in "blue" it will remain like that and it can be installed in new computers.

Of course, this works as long as you don't change the exe file, not even one single bit (pun intended). 🙂

 

 

 

Edited by GabrielMoraru

Just now, GabrielMoraru said:

Over time the file acquires "trust" on Microsoft's servers. Once it goes in "blue" it will remain like that and it can be installed in new computers.

Maybe that's true for the full blue screen (where you need to tap more info). I don't think it's true for the install screens you showed in that article (blue banner for valid and yellow for invalid or not present). At least it shouldn't because that screen shouldn't get the info from smartscreen but directly from the certificate in the executable.


Nope. That is an old fact:
If an unsigned executable has been downloaded and executed by many users over a long period without triggering significant antivirus or security alerts, systems like Microsoft's SmartScreen may assign it a positive reputation. I was in that situation. I also have a few small "blue" programs now.
________

Anyway, I added a time stamp to my signature/exe now.


What is strange is that I had it before. I remember seeing the date in the "digital signature". This is why I highlighted in a previous post that the timestamp is "Not available".


So, I woke up my old backup HDD, dug out some old programs and found that up to a certain date some of them had a proper signature.
Probably somewhere along the road I f****d up the command line.....

________

 

Anyway, the discussion started from the fact that you cannot sign today an exe file without an electronic device.
If your certificate is old enough, you can 🙂

But yes, it will be sad when I will have to upgrade my current certificate.

Edited by GabrielMoraru
Just now, GabrielMoraru said:

If an unsigned executable has been downloaded and executed by many users over a long period without triggering significant antivirus or security alerts, systems like Microsoft's SmartScreen may assign it a positive reputation.

What color banner does it show then if you start up those programs? I'm sure it's not this (below) blue banner because there is no verified producer name. So it will still show you the other yellow banner. It won't prompt smartscreen because that's something different. But it will probably give you that install screen with a yellow banner and no certificate warning.

 

[Image: OVL-blue.png]

 

But yes, you need to adjust your workflow now to incorporate the new certificate :classic_biggrin:

Share this post


Link to post

So your certificate has been issued in 2022 and thus doesn't fall under the new hardware rules. You can use it as long as it is valid, but then you need one of the new ones bound to a hardware token.

13 minutes ago, Uwe Raabe said:

So your certificate has been issued in 2022 and thus doesn't fall under the new hardware rules. You can use it as long as it is valid, but then you need one of the new ones bound to a hardware token.

Yes

 

I knew about the hardware token but I honestly thought that they apply only to the EV (my first certificate was an EV).

Maybe because of the wording?
Even the article that rvk pointed to, uses some strange wording "for standard code signing certificates" instead of the "OV".

 

Basically, those 300 words of that article can be summarized as:

"the rules for storing EV now also apply to OV".

Dang it!


_____________

PS: for completeness of information, the missing parameter from the command line to sign an exe file WITH a time server is:

/tr http://timestamp.digicert.com /td SHA256

 

 

😞

Edited by GabrielMoraru
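The /tr and /td switches mentioned above only help if the resulting signature actually carries a timestamp countersignature, which is exactly what the "Not available" observation earlier in the thread was missing. The following PowerShell is an added example, not code from the thread or from any poster: it signs with an RFC 3161 timestamp and then reads the signature back to confirm the timestamp is present. The exe path, the certificate thumbprint placeholder and the TSA URL are assumptions you replace with your own values.

```powershell
# Added example (not from the thread). Assumed inputs: a built exe, the SHA-1
# thumbprint of your code signing certificate in the Windows store, and a TSA URL.
param(
    [string]$Exe        = '.\MyApp.exe',                     # assumed path
    [string]$Thumbprint = '<your-cert-sha1-thumbprint>',     # placeholder, not a real value
    [string]$TsaUrl     = 'http://timestamp.digicert.com'    # TSA from the post above
)

# /fd SHA256  : file digest algorithm
# /sha1       : select the certificate from the certificate store by thumbprint; this also
#               works for token-backed certificates, since the private key never leaves the token
# /tr + /td   : RFC 3161 timestamp server and digest, so the signature stays valid after the
#               certificate itself expires (the date the thread is worried about)
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TsaUrl /td SHA256 $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

function Test-TimestampedSignature {
    # Reads the Authenticode signature back and reports whether a timestamp
    # countersignature is present. Without one, Status flips to invalid once
    # SignerCertificate.NotAfter has passed; with one, Windows keeps honouring it.
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $timestamped = $null -ne $sig.TimeStamperCertificate

    if (-not $timestamped) {
        Write-Warning "$Path has no timestamp countersignature; re-sign with /tr and /td."
    }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status                         # expect 'Valid'
        Signer        = $sig.SignerCertificate.Subject
        CertExpires   = $sig.SignerCertificate.NotAfter
        Timestamped   = $timestamped
        TimestampedBy = $sig.TimeStamperCertificate.Subject # $null when not timestamped
    }
}

Test-TimestampedSignature -Path $Exe | Format-List
```

Running the check against an already shipped exe is the quickest way to find the builds that were signed without a timestamp before the certificate's expiry date arrives.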
Quote

Issued by sectigo public code CA R36

Valid from: 2022-04-01 to 2025-04-01

That is an old code signing certificate, issued almost three years ago before tokens became mandatory, and will stop working in April.  

 

So if you have renewed it, you are still using the old certificate. 

 

Certificate suppliers almost never supply PKCS12/PFX files containing private keys, since you never send your private key to them as part of the certificate signing request, only the public key.  They supply a PEM or DER, which you then combine with your private key to build a PKCS12/PFX containing both.   This was discussed earlier in this topic. 

 

BTW, the Internet Component Suite (available from GetIt) which I support, contains a lot of tools for manipulating and building certificates, including exporting private keys from the Windows Store, issuing signed certificates, and getting free ones from Let's Encrypt. 

 

Angus

 

3 hours ago, GabrielMoraru said:

Basically, those 300 words of that article can be summarized as:

"the rules for storing EV now also apply to OV".

Dang it!

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

 

Also, if anyone with a Certum token is interested in seeing whether the pin prompt issue can be worked around, please PM about testing it with Signotaur - we have tested with Safenet and Yubikey tokens but I wasn't able to test with Certum - I did buy a token without a certificate thinking I could test with a self signed certificate (like I did with yubikey), however they refused to let me reset the token (no PUK). 
