[wix-users] Code Signing SHA-1/2
John Cooper
JoCooper at jackhenry.com
Mon Feb 15 07:15:20 PST 2016
Our signing certs have all been moved from SHA1. However, even the latest signtool.exe will still sign with a SHA1 hash by default. To get something other than a SHA1 hash, the /fd flag has to be passed with an appropriate hash. For our Symantec cert, that is SHA256, SHA384, or SHA512.
--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS 66214 | Ext: 431050 |JoCooper at jackhenry.com
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Christopher Painter
Sent: Monday, February 15, 2016 8:44 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Code Signing SHA-1/2
I recently came across this article and I was wondering if anyone has parsed it for current best practices?
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
I noticed that the latest 3.11 weekly builds are still signed with SHA-1 certs and I'm wondering if that's good or not.
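The /fd usage described in the reply above, as an added example that is not part of the original thread: a PowerShell wrapper that signs with an explicit file digest and then reads the signature back so a build fails if the digest silently ends up as SHA1. The function names, the timestamp URL and the sample output are constructed placeholders, and the "Hash of file (...)" line format in verbose verify output is an assumption about signtool's output.

```powershell
# Added example (not from the thread). Placeholder values are marked below.
# Assumption: 'signtool verify /pa /v' prints a line 'Hash of file (<alg>): <hex>'.

function Get-FileDigestAlgorithm {
    # Return the file digest algorithm named in verbose verify output, or $null.
    param([string[]] $VerifyOutput)
    foreach ($line in $VerifyOutput) {
        if ($line -match 'Hash of file \((\w+)\)') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null
}

function Invoke-Sha2Sign {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('SHA256', 'SHA384', 'SHA512')] [string] $Digest = 'SHA256',
        [string] $SignTool = 'signtool.exe',                        # must be on PATH
        [string] $TimestampUrl = 'http://timestamp.example.invalid' # placeholder RFC 3161 server
    )

    # /fd sets the file digest; the reply above notes signtool otherwise defaults to SHA1.
    # /td does the same for the RFC 3161 timestamp requested with /tr.
    # /a lets signtool pick the signing certificate from the store.
    & $SignTool sign /a /fd $Digest /tr $TimestampUrl /td $Digest $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Read back what was actually written, so a dropped /fd fails the build.
    $verify = & $SignTool verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    $actual = Get-FileDigestAlgorithm -VerifyOutput $verify
    if ($actual -ne $Digest) {
        throw "Expected file digest $Digest but signature reports '$actual'"
    }
    return $actual
}

# Constructed sample of verify output, to show the parser without a signed file:
$sample = @(
    'Verifying: C:\build\setup.exe',
    'Hash of file (sha1): 0000000000000000000000000000000000000000'
)
Get-FileDigestAlgorithm -VerifyOutput $sample
```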