SHA256 Signing Only?

simpsonp
Posts: 20
Joined: Sat Oct 30, 2010 3:22 pm

SHA256 Signing Only?

Postby simpsonp » Tue Aug 09, 2022 4:38 am

Hi,

I have double code signing (SHA1 and SHA256) set up and working fine through the IA GUI. I see that many Microsoft executables are now only signed with SHA256. Is it possible to configure IA X15 to only sign SHA256 and not to double code sign SHA1 as well? This would certainly save some time on builds!

Thanks, Peter

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: SHA256 Signing Only?

Postby FrancescoT » Tue Aug 09, 2022 11:48 am

Unfortunately this is currently not possible. I'll forward this request to our devs.

Alternatively, instead of signing via Authenticode settings, the only option is to sign the generated installer via Build Events.
About this, below you will find an old post released to support double signing when this was not yet available with IA.
https://www.installaware.com/blog/?p=416

The above approach is not complex, but of course it isn't as simple as enabling the automatic signing via Authenticode settings. In addition, the files that are part of your installation cannot be signed using the above workaround (these should be already signed).

Hope this helps you.
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

simpsonp
Posts: 20
Joined: Sat Oct 30, 2010 3:22 pm

Re: SHA256 Signing Only?

Postby simpsonp » Tue Aug 09, 2022 4:38 pm

Thanks Francesco, I really value the automatic signing of all executables so will stick with double signing for now.

Best wishes, Peter

BartWilson
Posts: 30
Joined: Mon Mar 01, 2021 9:01 am

Re: SHA256 Signing Only?

Postby BartWilson » Wed Aug 17, 2022 9:39 am

I've also asked this question in the past given that the timestamp servers that support sha1 signing are slowly being decommissioned. Thus I ended up doing the build event signing inside of the installer as mentioned in the link provided along with running signtool after installer build to sign the installer .exe.

I was hoping to keep using the automated solution but the timestamp servers provided by the company we purchased the certificate from no longer support sha1. I'm leery about hardcoded timestamp servers in our project given I've had two different ones over the past two years stop working because of the double signing.
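
Added example, not part of any post in this thread and not InstallAware's own code: a post-build PowerShell step that signs the installer with SHA-256 only and falls back across several RFC 3161 timestamp servers, so that one decommissioned server does not break the build. It assumes `signtool.exe` is on PATH and the certificate is in the user's store; the thumbprint and timestamp URLs are placeholders.

```powershell
# Added example: SHA-256-only Authenticode signing with timestamp fallback.
# Assumptions (not from the thread): signtool.exe is on PATH, the signing
# certificate is in the current user's store, and the thumbprint and
# timestamp URLs below are placeholders to replace with your own.
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>',
    # Placeholder RFC 3161 endpoints: your CA's server first, then backups.
    [string[]] $TimestampUrls = @(
        'http://timestamp.primary.example/rfc3161',
        'http://timestamp.backup.example/rfc3161'
    )
)

$signed = $false
foreach ($url in $TimestampUrls) {
    # /sha1 only selects the certificate by its thumbprint; it does not
    # choose the signature algorithm. /fd SHA256 sets the file digest,
    # /tr with /td SHA256 requests an RFC 3161 timestamp using SHA-256.
    # No second pass with /as is made, so no SHA-1 signature is appended.
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $url /td SHA256 $File
    if ($LASTEXITCODE -eq 0) { $signed = $true; break }
    Write-Warning "Signing via $url failed (exit $LASTEXITCODE); trying next server."
}
if (-not $signed) { throw "All timestamp servers failed for $File" }

# Verify with the default Authenticode policy and fail the build on error,
# so an unsigned or badly signed installer never leaves the build machine.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $File" }
```

Keeping the server list in a script parameter rather than in the project file means a retired timestamp endpoint can be swapped out without touching the installer project.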

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: SHA256 Signing Only?

Postby FrancescoT » Mon Oct 31, 2022 9:05 am

This has been introduced with the latest IA x15 minor update v.32.22.
SHA 256-Only Code Signing (Skip SHA-1)
Francesco Toscano
InstallAware Software


simpsonp
Posts: 20
Joined: Sat Oct 30, 2010 3:22 pm

Re: SHA256 Signing Only?

Postby simpsonp » Wed Nov 02, 2022 1:30 pm

FrancescoT wrote: This has been introduced with the latest IA x15 minor update v.32.22.
SHA 256-Only Code Signing (Skip SHA-1)


Thanks very much Francesco, the new feature is working brilliantly here and has significantly reduced my large project compile time! Please thank the dev team for me, much appreciated.

Best wishes, Peter

JohnGaver
Posts: 67
Joined: Mon Feb 05, 2024 6:15 pm

Re: SHA256 Signing Only?

Postby JohnGaver » Fri Feb 23, 2024 11:54 am

Terrific to hear that, Peter!
John Gaver
InstallAware Skunkworks

