I get the feeling that SHA1 for both Certificate and File Digest is required for full backwards compatibility all the way to XP and Server 2003 as SHA256 is/was not supported there. SHA1 or SHA256 for the file digest seems to be fine as long as the Certificate is SHA256.
I don’t believe it matters. However, Windows 10 is new and Windows 7 will eventually be retired. If you like Windows 10 (I like it as much as Win7 and way more than Win8) it might be worth it to move it over.
I seem to be unable to find the signtool download for Windows 10. In Windows 7 you could get it as part of the Windows 7 SDK: http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx but when I tried the similar procedure (Windows 10 SDK) I did not seem to end up with a copy of signtool installed. Hmm.
To get signtool.exe, I tried to install ‘just the tools’ from Visual Studio onto a clean (ish) machine, and failed. (unable to find registered folder)
But I did a search on a few of my other machines and find I already have a copy ‘alongside’ a great little program called VBSEdit
(Whether it was supposed to be part of the install or not, I’m not sure, but I’m sure I didn’t add it to the folder myself…)
Personally, having heard from KSign, I believe that the certificate I bought in August from Comodo is already SHA256, and that only the digest produced by KSign is SHA1.
But because the certificate is SHA256, things are OK, and no need to panic.
As Michel reported, (and I have also heard), KSign is being redone, with a guesstimated delivery time of next week.
I don’t have any plans to ship a new build before then, so I’m happy to wait, and so far haven’t heard from any frustrated users.
Out of curiosity, if the validation failed because of the SHA1 digest, what would the user experience be?
The same as it is if unsigned? (e.g. ‘Microsoft recommends you delete the app and declare war on the developer’)
or
a simple message that says something like ‘Oh dear… SHA1? Are you sure you know what you’re doing?’
[quote=239684:@Michael Diehr]The link to download Visual Studio Express is:
However this also installs large portions of Visual Studio Express which total about 12 GB! All for a couple of <1MB tools!
But that didn’t give me the tools…[/quote]
Wow, they sure have messed up the SDK in Windows 10. I got it running on my Windows 10 machine by:
[quote=239755:@Christoph De Vocht]Does the signtool.exe work on its own (read no need for dll etc…)?
If yes, maybe someone can share it here so we do not need to install everything.[/quote]
Not even considering any pirating issues - would you trust a non-official signtool to sign your EXE with your Certificate…? I for sure wouldn’t.
I was hoping someone here can provide us that .exe - I think it would be trustworthy. And I doubt it is considered piracy because it is a free tool (correct me if I am wrong)
[quote=239783:@Jeff Tullin]PM me.
Or download the evaluation of VBSEdit… it certainly used to contain signtool.exe in a 9Mb installer[/quote]
If you have no VM, you can start the Setup (downloaded from the Microsoft Website), search the Windows Temp Folders and copy the signtool.exe from there and cancel the Setup again.
[quote=239755:@Christoph De Vocht]Does the signtool.exe work on its own (read no need for dll etc…)?
If yes, maybe someone can share it here so we do not need to install everything.[/quote]
Yes, I tested and they do work stand-alone. If you are using a VM (Fusion, Parallels) you can use the “Snapshot” feature: Take a snapshot of your VM, install the tools (and all the extra junk), then copy the files you need and revert to your prior snapshot.
Install “Application Verifier”, “Windows App Certification Kit”, “MSI Tools” (in total 202 MB on my system)
The signtool is not included in the path but is available in C:\Program Files (x86)\Windows Kits\10\bin\x64[/quote]
I have tried this 3 times now and it doesn’t work: All I see in C:\Program Files (x86)\Windows Kits\10\ is Catalogs, Debuggers, and Licenses (no “bin” folder at all).
I’m running Windows 10 x64 but am on the Insider Preview Builds channel. I wonder if that’s relevant?