NT4 and 2000: TC digital signatures not recognized

Bug reports will be moved here when the described bug has been fixed

Moderators: Hacker, petermad, Stefan2, white

MarcinW
Power Member
Posts: 852
Joined: 2012-01-23, 15:58 UTC
Location: Poland

Post by *MarcinW »

Digitally signed TC files, like Totalcmd.exe, are no longer recognized by Windows NT4 and 2000 as having valid digital signatures (no such problem with TC 8.52a executables).

To see the error, display properties dialog for Totalcmd.exe, go to "Digital signatures" tab, select the item on the list and press "Details" button. The error message is: "The integrity of the certificate that signed this file cannot be guaranteed. The certificate may be corrupted or may have been altered".

I'm not a certificate expert, but I suppose that TC files are now signed with some new method that is not supported by NT4 and 2000. I suppose that this could help:
- revert to the previous signing method,
- if the new signing method is required for some reason, executables could be signed with two methods simultaneously: new and old.

Regards
ghisler(Author)
Site Admin
Posts: 50550
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Microsoft requires that all programs and dlls get an SHA256 signature starting this year. Total Commander uses dual signing with SHA1 and SHA256 hashes as described here:
https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=INFO190&actp=RSS&viewlocale=en_US

According to that description, the signature should be compatible with Windows 2000 (no mention of Windows NT4).
MarcinW wrote:revert to the previous signing method
This is unfortunately impossible because our old certificate has expired.
MarcinW wrote:if the new signing method is required for some reason, executables could be signed with two methods simultaneously: new and old
They are signed with both methods, you can see this in the properties dialog of Windows XP SP3 or newer.
Author of Total Commander
https://www.ghisler.com
MarcinW
Power Member
Posts: 852
Joined: 2012-01-23, 15:58 UTC
Location: Poland

Post by *MarcinW »

ghisler(Author) wrote:They are signed with both methods, you can see this in the properties dialog of Windows XP SP3 or newer.
It seems that Windows 7 is required at least.


I found some info here: http://zabkat.com/blog/code-signing-sha1-armageddon.htm
I was surprised to discover that my existing installer appeared unsigned for anybody running windows XP SP2 and older. For these old systems, the SHA1 signature generated by the new SHA2 certificate I possess does not validate! The properties declare that "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered". The real cause is that old windows don't have the capability to validate the SHA2 certificate, but to the end user and blissful layman it appears as a dodgy signature. For older windows what you need is an old SHA1 certificate, only you cannot buy them any more, so you (and me) are basically stuffed. On the positive side, end users won't be alerted to such problems unless they try to install on windows XP SP2.
Is it true that a SHA1 certificate can't be obtained anymore?


TC uses Symantec services for signing, so maybe Symantec tech help will be able to help?

Regards
ghisler(Author)
Site Admin
Posts: 50550
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

MarcinW wrote:It seems that Windows 7 is required at least.
No, at least Windows 7 is required to sign. The signatures should work on older Windows versions too. But the oldest I could get it to work is XP service pack 3...
Author of Total Commander
https://www.ghisler.com
MarcinW
Power Member
Posts: 852
Joined: 2012-01-23, 15:58 UTC
Location: Poland

Post by *MarcinW »

Windows 7 and higher are able to show both signatures in executable properties.

Windows XP SP3 to Windows Vista are able to show only one signature in executable properties, but they recognize it as a valid signature.

Windows XP SP2 and older are able to show only one signature in executable properties, but they DON'T recognize it as a valid signature.

To overcome this third case, an old SHA1 certificate is needed (according to the quotation that I pasted above). So the question is: can an old SHA1 certificate still be obtained?

Regards
Horst.Epp
Power Member
Posts: 6976
Joined: 2003-02-06, 17:36 UTC
Location: Germany

Post by *Horst.Epp »

MarcinW wrote:Windows 7 and higher are able to show both signatures in executable properties.

Windows XP SP3 to Windows Vista are able to show only one signature in executable properties, but they recognize it as a valid signature.

Windows XP SP2 and older are able to show only one signature in executable properties, but they DON'T recognize it as a valid signature.

To overcome this third case, an old SHA1 certificate is needed (according to the quotation that I pasted above). So the question is: can an old SHA1 certificate still be obtained?

Regards
Why should TC support an XP without SP3?
Windows 11 Home, Version 24H2 (OS Build 26100.4061)
TC 11.55 RC2 x64 / x86
Everything 1.5.0.1391a (x64), Everything Toolbar 1.5.2.0, Listary Pro 6.3.2.88
QAP 11.6.4.4 x64
MVV
Power Member
Posts: 8711
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

BTW latest TC beta 5 executables seem to have wrong sha256 signature according to Windows 7 file properties dialog.
ghisler(Author)
Site Admin
Posts: 50550
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

MVV wrote:BTW latest TC beta 5 executables seem to have wrong sha256 signature according to Windows 7 file properties dialog.
NOT confirmed. I'm getting "The digital signature is valid" for both SHA1 and SHA256, both totalcmd.exe and totalcmd64.exe. Windows 7 x64.
Author of Total Commander
https://www.ghisler.com
MVV
Power Member
Posts: 8711
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

Maybe it is because PC has no direct internet connection? Please try it on a machine w/o internet. I see the following message for sha256 signatures of both TOTALCMD.exe and TOTALCMD64.exe:

Одна из подписей другой стороны недействительна. Возможно, файл изменен.
And I've found this message in cryptui.dll.mui file from en-US language (string number is 3362):

One of the countersignatures is not valid. The file may have been altered.
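The posts above describe what the properties dialog shows on each Windows version (both signatures on Windows 7 and later, one on XP SP3 to Vista) and quote the "countersignature is not valid" text. The script below is an added example, not code from this thread or from Total Commander: it walks a PE file's security directory and lists every embedded Authenticode signature, the primary one and any nested one added by dual signing, with the file digest algorithm, the signing certificate's own signature algorithm (which is how a SHA1 file signature made with a SHA-2 certificate becomes visible), and whether a timestamp countersignature is present. It assumes Windows PowerShell 5.1 or later with the .NET System.Security.Cryptography.Pkcs types; the file path is a placeholder.

```powershell
# Added example, not code from the forum thread or from Total Commander.
# Lists every Authenticode signature embedded in a PE file (primary signature plus
# any nested signature added by dual signing), with the digest algorithm used for
# the file hash, the signing certificate's own signature algorithm, and whether a
# timestamp countersignature is attached.
# Assumes Windows PowerShell 5.1 or later; the file path is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # e.g. 'C:\totalcmd\TOTALCMD.EXE' (placeholder)
)

Add-Type -AssemblyName System.Security

$NestedSignatureOid  = '1.3.6.1.4.1.311.2.4.1'  # szOID_NESTED_SIGNATURE (unsigned attribute)
$Rfc3161TimestampOid = '1.3.6.1.4.1.311.3.3.1'  # RFC 3161 timestamp token (unsigned attribute)
$DigestNames = @{
    '1.3.14.3.2.26'          = 'SHA1'
    '2.16.840.1.101.3.4.2.1' = 'SHA256'
    '2.16.840.1.101.3.4.2.2' = 'SHA384'
    '2.16.840.1.101.3.4.2.3' = 'SHA512'
}

function Get-AuthenticodeBlob {
    # Returns the PKCS#7 SignedData bytes from the PE security directory, or $null if unsigned.
    param([byte[]]$Image)
    $peOffset = [int][BitConverter]::ToUInt32($Image, 0x3C)           # e_lfanew
    if ([BitConverter]::ToUInt32($Image, $peOffset) -ne 0x00004550) { throw "Not a PE image: $Path" }
    $optHeader = $peOffset + 24                                        # 'PE\0\0' (4) + COFF header (20)
    $magic = [BitConverter]::ToUInt16($Image, $optHeader)
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B).
    $dirBase = switch ($magic) {
        0x10B   { $optHeader + 96 }
        0x20B   { $optHeader + 112 }
        default { throw "Unknown optional header magic 0x$($magic.ToString('X'))" }
    }
    $secDir = $dirBase + 4 * 8                                         # IMAGE_DIRECTORY_ENTRY_SECURITY
    $offset = [int][BitConverter]::ToUInt32($Image, $secDir)           # a file offset, not an RVA
    $size   = [int][BitConverter]::ToUInt32($Image, $secDir + 4)
    if ($offset -eq 0 -or $size -eq 0) { return $null }
    # WIN_CERTIFICATE header: dwLength(4) wRevision(2) wCertificateType(2), then bCertificate[]
    $length = [int][BitConverter]::ToUInt32($Image, $offset)
    $blob = New-Object byte[] ($length - 8)
    [Array]::Copy($Image, $offset + 8, $blob, 0, $length - 8)
    return ,$blob   # leading comma keeps the byte[] from being unrolled by the pipeline
}

function Get-SignatureReport {
    # Decodes one SignedData blob and recurses into nested signatures.
    param([byte[]]$Blob, [int]$Level)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Blob)
    foreach ($signer in $cms.SignerInfos) {
        $digestOid = $signer.DigestAlgorithm.Value
        $digest = if ($DigestNames.ContainsKey($digestOid)) { $DigestNames[$digestOid] } else { $digestOid }
        $hasRfc3161 = $false
        $nested = @()
        foreach ($attr in $signer.UnsignedAttributes) {
            if ($attr.Oid.Value -eq $Rfc3161TimestampOid) {
                $hasRfc3161 = $true
            } elseif ($attr.Oid.Value -eq $NestedSignatureOid) {
                # Each value is a complete PKCS#7 ContentInfo holding the second signature.
                foreach ($v in $attr.Values) { $nested += ,$v.RawData }
            }
        }
        [pscustomobject]@{
            Level                  = $Level            # 0 = primary, 1 = nested
            FileDigest             = $digest
            Signer                 = $signer.Certificate.Subject
            CertSignatureAlgorithm = $signer.Certificate.SignatureAlgorithm.FriendlyName
            # Authenticode (PKCS#9) countersignatures appear in CounterSignerInfos,
            # RFC 3161 timestamps as an unsigned attribute.
            Timestamped            = ($hasRfc3161 -or $signer.CounterSignerInfos.Count -gt 0)
        }
        foreach ($n in $nested) { Get-SignatureReport -Blob $n -Level ($Level + 1) }
    }
}

$image = [IO.File]::ReadAllBytes($Path)
$blob = Get-AuthenticodeBlob -Image $image
if (-not $blob) { Write-Output "No Authenticode signature in $Path"; return }
Get-SignatureReport -Blob $blob -Level 0 | Format-Table -AutoSize
```

Save the script and run it with the path of the executable to inspect. A dual-signed file yields two rows, level 0 and level 1, with different FileDigest values; a row whose FileDigest is SHA1 but whose CertSignatureAlgorithm is sha256RSA is exactly the combination that the quoted blog post says an XP SP2 machine cannot validate. The script only enumerates what is embedded; it does not check the file hash or build the certificate chain. For that, Get-AuthenticodeSignature reports the status of the primary signature only, and signtool verify /pa /all checks each signature in turn; chain building may have to fetch a missing intermediate certificate over the network, which is one reason a machine without internet access can report a signature as invalid.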
Dalai
Power Member
Posts: 9968
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

2MVV
Do you have Windows Update KB3033929 installed? This is required to make Win7 use the SHA-2 signatures.

But you may be right that signature verification requires an internet connection.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
MarcinW
Power Member
Posts: 852
Joined: 2012-01-23, 15:58 UTC
Location: Poland

Post by *MarcinW »

@Dalai
TC executables are signed with both signatures: SHA1 and SHA2, so even without KB3033929 update, Windows 7 should be able to accept the signature. The problem is only with Windows XP SP2 and older, because they can only handle old, generic SHA1 signatures, not SHA1 signatures generated by the new SHA2 certificate.
Dalai
Power Member
Posts: 9968
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

2MarcinW
MVV explicitly wrote about the sha256 (which is SHA-2) signature, hence my note.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
MVV
Power Member
Posts: 8711
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

Dalai,
I've checked installed updates: yes, KB3033929 is installed on this machine.

BTW I think that w/o this update Windows wouldn't show any signature details at all.
Dalai
Power Member
Posts: 9968
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

MVV wrote:I've checked installed updates: yes, KB3033929 is installed on this machine.
Well, then it most probably requires an internet connection to verify the signature.
MVV wrote:BTW I think that w/o this update Windows wouldn't show any signature details at all.
Yes, it would. It would show/use the SHA-1 signature, if the file has any.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
MVV
Power Member
Posts: 8711
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

I mean that it wouldn't show details for sha256 signature (file has two signatures: with sha1 and sha256 algorithms).