SHA256 Code Signing

    Question

  • I have a couple of questions about signing code (DLL/EXE/MSI) that I don't fully understand in relation to the SHA256 requirement for 2016.

    I have a SHA256 certificate and I'm using signtool with the /fd SHA256 option to make sure the SHA256 signing algorithm is used. All seems to work fine, but...

    1) The timestamp certificates that I'm getting back from pretty much ALL the popular timestamp servers are still giving me SHA1 certificates even when specifying SHA256 with the /td option in signtool. Does the countersigned timestamp certificate need to be SHA256 as well to meet the requirement?

    2) I don't really care about Windows XP, but what's the deal with Vista? If I open the properties of a SHA256 signed file, Vista machines will fail to verify the signature. I've read conflicting information on whether this should be possible with a Windows patch or not. The only Windows patch I found was to add the support for Windows 7/2008, but nothing at all for Vista.

    Thanks for your input.

    Jay Schwegler

    Wednesday, January 6, 2016 10:13 PM

Answers

All replies

  • Hi jschweg,

    This forum is for discussing Visual Studio WPF/SL Designer, Visual Studio Guidance Automation Toolkit, Developer Documentation and Help System, and Visual Studio Editor.

    Your problem is related to signing code, not a Visual Studio IDE problem. I will move this thread to a user forum. Thanks for your understanding.

    Best Regards,
    Weiwei

    Thursday, January 7, 2016 9:01 AM
  • You might try over here.

    https://social.technet.microsoft.com/Forums/windowsserver/en-Us/home?forum=winserversecurity

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, January 7, 2016 1:46 PM
    Moderator
  • Thanks for the response!

    I was hoping that there was some sort of general development / Visual Studio forum where this could go, since the only folks signing code like this are developers. I'm not sure (and I could be wrong) if this would work in a general Windows Server forum.


    Jay Schwegler

    Thursday, January 7, 2016 2:20 PM
  • Sure you can also try them over there.

    https://social.msdn.microsoft.com/Forums/vstudio/en-us/home?forum=visualstudiogeneral

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Thursday, January 7, 2016 2:50 PM
    Moderator
  • Wasn't the VS Studio General Forum where this thread was originally posted and got moved? I may have messed up and posted it elsewhere by accident.

    Jay Schwegler

    Thursday, January 7, 2016 3:16 PM
  • There used to be an audit trail when threads got moved, but unfortunately they removed that feature a few years ago. Looking above, it looks like it may have been in the WPF forum.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Thursday, January 7, 2016 3:19 PM
    Moderator