I would like to know what is the impact of dropping SHA1 code signing in favour of SHA256-only code signing as of October 2018. I am currently dual code signing my executables to ensure they will get validated on all versions of Windows starting from Windows 7 / Windows Server 2008 R2. There are many articles online showing code signing requirement matrices, but it's not so clear how many environments in practice won't validate SHA256-only signatures. From what I understood, SHA256 code signing support came in an update in Windows 7, but I don't know if this update is widely installed.
The reason I am asking is because I know it is just a matter of time before SHA256 is supported on all versions of Windows that are not in their end of life, and I am considering using AzureSignTool (https://github.com/vcsjones/AzureSignTool) which doesn't support SHA1 code signing.
it's not so clear how many environments in practice won't validate SHA256-only signatures.
Windows 7 / Windows Server 2008 R2 without KB3033929 will be affected.
Windows 8 or later is OK.
From what I understood, SHA256 code signing support came in an update in Windows 7, but I don't know if this update is widely installed.
I don't know too.
KB3033929 is included automatic Windows Update, but sometimes I get a question about this from Windows7 user (who don't install KB3033929).
Related
I recently took on a task to update our filter driver from building with Visual Studio 2015 -> 2019. I also moved to the latest SDK + WDK 22000 (Which is the new Windows 11 one).
Everything seemed to work except that on Win 7 x64 (with secure boot) boxes the driver no longer loads.. It get's:
Load failed with error: 0x80070241
Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damaged,
or that might be malicious software from an unknown source.
Our driver was/is attestation signed by Microsoft via the MS Hardware portal and so it's joint signed by both our company and Microsoft with a SHA-2 signature each. Windows 7 doesn't support SHA-2 certs out of the box however, it was previously working provided:
Windows6.1-KB3033929-x64
Was installed. Something seems to have changed though and Windows 7 x64 boxes can't load the new driver even with the latest updates. They load the 2015 built driver just fine even though the certificates on both look identical. The new driver loads just fine on Windows 10 machines.
Is anyone aware of any other changes which might make this combination fail to load?
I had a similar issue a few months ago, when we decided to switch our certificate provider. I'll share my knowledge to you, hope that going to help.
A while ago, Microsoft used cross-certificates to validate trusted certificate authorities (CA), so the only thing you needed to sign a driver is a proper certificate bought from a trusted CA. But recently validating process had changed and starting from Windows 10 20H2 you are forced to sign your driver through Microsoft Partner Center and all the cross-certificates was deprecated. However, you still need to use cross sign process for all your drivers prior to Windows 10, actually cross signed driver will work up to Windows 10 20H1 if to be correct.
Now back to the Visual Studio. To properly sign driver, you had to set up production certificate to field Properties -> Driver Signing -> General -> Production Certificate, that causes Visual Studio to use signtool utility to sign driver after the build done. As I presume, Visual Studio 2019 process do not use cross-certificate and looks something like:
signtool sign /v <trusted_certificate> /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a <sys_driver_filepath>
But Visual Studio 2013 actually must use cross-certificate and the command it uses is:
signtool sign /v /ac <microsoft_cross_certificate> /tr http://timestamp.digicert.com /a <sys_driver_filepath>
So what is cross-certificate is? It's a special trusted Microsoft certificate that tied to certified CA. List of all the cross-certificates available can be found here https://learn.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list. To take the correct one you need to check your company certificate first. Take a look into root of certification path of your cert, open View Properties -> Details and find Issuer, that's your CA. Now you need to find exact match on cross-certificate list and download it. Note the thumbprint doesn't need to match (revealed in related issue). After all use a proper signtool command to sign your file.
P.S. If your certificate issuer not present on the list, that means your CA inappropriate and you need to get/buy another certificate.
In both iOS and Android I noticed there is a process to privately sign apps before publishing it to their respective stores.
However, in the Windows 10 Universal App Process I haven't found this to be the case. How does Microsoft get away without requiring the developer to sign their app? Or does Visual Studio / dev.windows.com somehow take care of this behind the scenes?
When you generate an app package to upload to the Windows Store (typically via Visual Studio, I'm not actually sure if there's a command line alternative), it is signed by VS. The key is linked to your Windows Store Developer account, which is why you have to sign in to the correct dev account when building a release.
Edit: This is somewhat out of date (VS2012/Windows 8 era), but it goes into more detail (and talks about the alternatives to VS that do seem to exist - MakeCert and Pvk2Pfx): https://msdn.microsoft.com/en-us/library/windows/desktop/jj835832%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Short version:
When I moved to Win7, I manually removed the MDAC 2.7 lines from my .ISM module, built it, and installed my software. It seems to work. Can I trust it?
Longer version:
We have just gone from XP to Windows 7. The software we deliver is C# (.NET 4 framework), targeting XP and Windows 7. It contains a few older COM modules, one of which is written in VB6. (Yes, I would love to rewrite this in a modern technology, but that's not an option at this point.)
I use InstallShield 2010 to build the installer for this package. Building this installer on XP worked with no problems. When I try on Windows 7, it wants MDAC 2.7 as a prerequisite merge module. Microsoft doesn't allow you to download 2.7 anymore, and I'm not going to get it from "Sharewarez R'us" sites.
The error InstallShield gave me when it couldn't find the merge module was: File not found. An error occured merging Module 'MDAC27ENU...'
From what I've read on the web, Windows 7 has the latest-greatest MDAC (now renamed WDAC) already installed. On a whim, I manually deleted the MDAC dependencies from the .ISM, built and installed, and my software seemed to run just fine.
What I think is happening is Win7 is noticing that something in VB6 is using MDAC and the OS is supplying the latest-greatest and it just works. I no longer need the merge module because Windows 7 has WDAC built in. (Can it really be that simple?)
My main question is: can I trust it?
My secondary question is: What about XP deployments? They will still need MDAC 2.7... Does that indicate I can't build on Windows 7 to target XP if I require MDAC 2.7? Please point me in the right direction. Thanks.
You need a comprehensive review (dependency analysis) of your installer. The VB6 runtime and MDAC/WDAC components are all built into windows these days. This is also the case with Windows XP and the latest service pack.
Either your ISM is referencing the MDAC merge module or it's referencing another merge module that has a dependency on the MDAC merge module. Hence why I suggest a complete review.
Without looking at your application I can't give you a 100% answer but odds are that if you implement a setup condition (launch condition) to check for XP latest service pack or newer that you will likely work without installing a bunch of stuff you don't need to be installing.
I'm using Microsoft Visual Studio 2008 (VC9) to compile a project that has a .dsw file. I already have the 2010 and would prefer to use it, but it seems this dsw was built for 2008.
I'd like to compile and produce a binary that's also compatible with Windows 7. My questions:
if I compile with 2008, will the resulting binary be compatible with Windows 7? I'm not sure at which version of VS did Windows 7 support start.
or does this have nothing to do with the VS version, and is instead related to the Windows SDK? If that's the case, can I use VS2008 with a newer Windows SDK?
Can someone please clarify.
Microsoft has a great backwards compatibility "story", so pretty much anything you compile with any version of Visual Studio/Visual C++ will be compatible with Windows 7. The same may not neccessarily apply in reverse, i.e. if you use an API that's introduced in Windows 7, your application will error when you try to run it on prior versions of Windows.
There are a couple of things to consider though:
If the project was originally written to target Windows XP or earlier, it may fall foul of UAC
There are changes to directory structures (such as %systemdrive%\Documents and Settings becoming %systemdrive%\Users) that are fairly well handled by the link that Windows 7 creates in the root of `%systemdrive%, but you may fall foul of these.
VS2010 includes version 7.0 of the Windows SDK and VS2008 does not. You need Windows SDK v7.0 if you want your app to take advantage of Windows 7 features like jump lists.
Since you already have VS2010 installed, you can just change your include file / lib file paths in VS2008 to point to the Windows SDK v7.0 instead of the default one provided with VS2008. This is assuming you need that version of the SDK.
You do not need the latest Windows SDK if you do not plan to use the latest Windows 7 features like ribbons and jump lists. If you are building your app for the lowest-common-denominator OS (i.e. Windows XP), then really you should be fine using VS 2008 with default settings.
The other concern is, if your code was originally written before Windows Vista came out, it is likely that it will not work properly on Windows 7 unless it is run in Administrator mode, which is something you want to avoid. The only way to fix that is to rewrite much of your code to avoid writing to certain protected directories and avoid using certain APIs that require Administrator privileges.
Windows SDK is well backward compatible. See binary compatibility report between Windows 6.0 and Windows 7.0 on x86_64 generated by the abi-compliance-checker tool for the detailed comparison.
Reports for other Windows versions are here: https://abi-laboratory.pro/index.php?view=windows
I want to trial Windows 7 but wondered if anyone who has done so already ran into any issues specifically related to development?
i.e. problems with VS2008, SQL Management Studio and SQL Server, MySQL, PHP etc. etc.
Examples from XP -> Vista: in Vista there was a sudden loss of an SMTP server. And there were initially (if I remember correctly) issues with VS2005 with I seem to remember a patch coming out later to remedy.
EDIT: or on the contrary any big advantages or benefits to developing on Windows 7!
I been using windows 7 for a while now.
I been using VS2008, netbeans, tomcat, sql manager studio, mysql etc...
And i actually find it more stable and faster then windows vista.
There aren't many advantages to developing on Windows 7 before it's released. Most development features are a function of the IDE, not the OS. So, you might want to consider instead if you should be developing on Visual Studio 2010 instead of VS2008. Instead, you're more likely to have compatibility issues, although for the most part, Windows 7 is much more compatible with existing software than Vista was when it was in beta.
There could be one advantage to developing for Windows 7 before it's released -- you have a head start in taking advantage of features that competitors haven't yet, giving you an advantage in the market. That's the theory at least. That assumes you're going to develop something that uses a feature only available in Windows 7. That assumes you wouldn't be better off with the larger number of sales you'd get by developing something that works on existing platforms.
The only issue I've encountered so far involves compiling older vanilla C programs with Visual C++. You're usually presented with an error like so:
mt.exe : general error c101008d:
Failed to write the updated manifest
to the resource of file
".\Release\SomeProgram.exe". The
binary is not a valid Windows image.
You have to add an empty resource file to the solution.
More on the issue here.
I've never gotten any of the new audio stack examples working; thus this question. API works, documentation is... a bit lacking at the moment; sure to be fixed by RTM.
Other than that, Windows 7 has been faster than and just as stable as Vista (2 crashes from RTM, 0 crashes after SP1) was for me. Truly, you should be developing on Vista and testing on Windows 7 RC as a general practice with respect to pre-release operating systems; but I think we'll get away with it just fine in this particular case.
My advice would be to not develop on Windows 7. Note that I don't mean you shouldn't target it as a platform, just that you should be doing your development on a stable platform.
I personally won't trust a new release of Windows (or Linux for that matter) until it's been in the wild as a proper product (not release candidate) for many months. For Windows, I tend to wait until the first real service pack plus a month for all the nigglies to be fixed.
For Linux, I'm still using Ubuntu 8.04 LTS, not 8.1, and certainly not the 9 alphas.
Test machines are another matter, you should always have one at the "latest and greatest" level for testing, but I consider the development machine of prime importance, needing a stable platform.
No problems from my end yet, been working on a c# app with visual studio 2008 x64, and php web apps with dreamweaver cs3 and netbeans.
Windows7 seems to be just vista with more bells and wistles and a bit more responsive, not to sure if to much really change "under the hood" so to speak. But I have nothing to back that statement up with...
I've been using Win7 for a couple of months now and never had a problem. I went straight from XP to 7 and the only problems I faced were related to configuring SourceGear Vault to work with IIS7...other than that,it's been all good.
I use VS 2005, VS 2008, SQL Server 2005, Infragistics NetAdvantage, and a couple of third party components.
Although I haven't seen any advantages for the development side of the applications, I'd recommend you to upgrade to Win7 only for the better feel of a complete OS. I mean XP was good, but I really dig Win7.