Page 1 of 2
blog: SHA1 christmas spoiler
Posted: 2015 Dec 20, 09:36
by nikos
here's the comment area for today's blog post found at
http://zabkat.com/blog/code-signing-sha1-armageddon.htm
(for software developers and distributors)
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 20, 17:36
by wasker
So, x2 runs all the way to 98, right? Do you actually test it on versions that old? Or even on XP SP3 for that matter?
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 21, 06:09
by nikos
actually I do everytime in virtual machines. I cannot say that it is thorough testing but it is testing.
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 22, 07:45
by GertRijsGDP
Thanks for the warning Nikos.
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 23, 12:27
by Don
Yeah, thanks for the warning! Cool move.
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 23, 13:52
by kalons
The timestamp cert for your SHA256 cert will still be SHA1 when using that time stamp server. We won't know until Jan. 1 if that's a problem, but see here for a solution:
https://stackoverflow.com/questions/306 ... de-signing
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 24, 06:20
by nikos
if you pay close attention, a different timestamp server is used for sha2 signing, so there is no problem here. Also note the use of /td sha256
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 24, 14:31
by kalons
I realize that, but that timestamp server's certificate is SHA1. /td specifies the digest algorithm used by the server but doesn't determine the certificate of the server itself (read the linked article again -- the same question applies to
http://timestamp.comodoca.com/rfc3161).
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 27, 05:38
by nikos
this server isn't https, so where does the SHA1 come into play? Anyway I am not an expert so If you know the "correct" timestamp server to use please let us know
ps ok, I finally realize what you're talking about, the countersign is based on SHA1. I asked comodo about it and they don't have a straight answer. But it looks like one can use the
globalsign timestamp server which understands SHA2
thanks for the tip, I will update the article
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 28, 08:23
by kalons
Correct -- I'm the person that answered the Stack Overflow question and was pointing out the same thing to you.
Re: blog: SHA1 christmas spoiler
Posted: 2015 Dec 29, 06:34
by nikos
I've just heard from comodo that they are working to get the SHA2 countersign problem sorted "by the end of the year", we'll see!
Re: blog: SHA1 christmas spoiler
Posted: 2016 Jan 06, 07:34
by dmcgloin
Thanks for the article.
I tried dual signing (SHA1 + SHA256) for a C# executable built with Visual Studio 2015.
The executable won't even launch on Windows 10 if the SHA1 signature is present.
So at least for binaries, it seems dual signing has limited/no value.
I expected older systems would look at the SHA1 certs while newer OS versions would know to look for the SHA256 signature.
So if you want to support older and newer OS versions, it seems like you have to distribute two copies of all your executables: 1 set signed using SHA1, the other signed using SHA256.
Also noting the beautiful irony that binaries without code signatures work flawlessly.
Re: blog: SHA1 christmas spoiler
Posted: 2016 Jan 06, 08:17
by nikos
I was going to wait a few days for trying things out in 2016, but your post hastened me up
on my win10, I see no problem whatsoever, even new SHA1 signatures are not causing any bother
so either your system has an update that mine doesn't or you are doing your signatures differently
you can try my freshly dual signed program (run it as administrator to see what happens).
in the worst case I would have expected to see a warning, not a denial of execution!?
here is the download link (ignore the assertion errors
http://www.zabkat.com/test/double2016.zip
ps. on second thought could your AV be the culprit?
pps. @kalons, comodo finally fixed their rfc3161 timestamp server as promised
Re: blog: SHA1 christmas spoiler
Posted: 2016 Jan 07, 01:48
by dmcgloin
OK. I tried running the exe. After the assertions, I got a "core dumped" alert. Assuming this means the test passed
Anyway, I guess I don't know what's going on. I don't have any custom AV - just using built-in Windows 10. Had a colleague looking over my shoulder to make sure I wasn't doing something stupid.
Here's the heart of my signing script:
Code: Select all
set SignToolExe="%programfiles%\Windows Kits\8.1\bin\x86\signtool.exe"
set TimeStampServer="http://timestamp.verisign.com/scripts/timstamp.dll"
set TimeStampServerRFC3161="http://timestamp.geotrust.com/tsa"
echo Adding primary Authenticode signature using SHA1...
%SignToolExe% sign /sha1 3412942a2b84570fb5255e3234538fcd5243014c /fd sha1 /t %TimeStampServer% %1
if errorlevel 1 goto FAIL
echo Adding secondary Authenticode signature using SHA256...
%SignToolExe% sign /sha1 3412942a2b84570fb5255e3234538fcd5243014c /as /fd sha256 /tr %TimeStampServerRFC3161% %1
if errorlevel 1 goto FAIL
echo Verifying all Authenticode signatures...
%SignToolExe% verify /pa /a /all %1
if errorlevel 1 goto FAIL
I'm using Geotrust. Maybe that's a problem.
Going to experiment further. Will get back to you on this.
Re: blog: SHA1 christmas spoiler
Posted: 2016 Jan 07, 02:11
by dmcgloin
Ran the same test and it worked this time: no problem launching exe.
Clearly I must have done something wrong, but I'm just not sure what.
In any case, it looks like dual-signing is likely fine.
Sorry for the confusion.