Digital Certificate sha-1 to sha-2 switch questions....

  • Question

  • Hi all,

    Not sure if this is the correct forum for these types of questions, but here goes.

    We've recently switched to the newer, recommended code signing certificate, which I use during installation package compiles with InstallShield 2015.  For most of our legacy products the switch seemed to work without incident.

    However, for our newer web product, I now get file signing errors when I compile the install with the newer certificate.  I found an InstallShield post that indicated that some files cannot be signed by the new sha-2 hash, whatever that means.  I didn't run the install build to completion to see what other file types were affected, but I did notice that JavaScript (.js) files no longer sign without error.

    First, is there a list somewhere of files that can no longer be signed using the new certificate type?  Secondly, is there anything I can do about this?

    I should say that I am able to sign the .js file(s) using the new certificate through SignTool on the command line.  It then appears as sha1 on the Digital Signature tab of the file's properties.

    InstallShield does not support dual signing as of yet, so I'm wondering if I have to sign affected files with sha-1 prior to compiling my install.

    If signing the .js files beforehand is what I have to do, I'm wondering what that will mean in the long run if they are signed with the sha1 hash since that is deprecated.

    It doesn't seem to me that distributing unsigned javascript files would be a good thing. ??

    Any help/pointers would be greatly appreciated!

    Thanks in Advance!!


    • Edited by NitLions Friday, May 13, 2016 3:33 PM
    Friday, May 13, 2016 2:45 PM

Answers

  • I personally don't see any reason to sign JS files in web applications.

    1) JS scripts are executed on a client side (in web browser), not client. You should sign only code that executes on server (code behind DLLs, for example). In addition, you should not sign the code you don't own (which came from external packages).

    2) By signing them, you will significantly increase web traffic, as each JS file will get about +10kb. In the case of 100 JS files (even if they are few bytes) you will get 1MB of server traffic. If you use JS minification tools, signature will be stripped out and client will never receive them.

    3) I'm pretty sure that web browser will not validate JS signatures if they are present, browser will treat them as regular comments.


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Wednesday, May 18, 2016 6:03 AM

All replies

  • I don't know why InstallShield claims that some files cannot be signed with SHA2, but you can manually sign .js files with SHA2 by using Set-AuthenticodeSignature PowerShell cmdlet.


    Vadims Podāns, aka PowerShell CryptoGuy

    Sunday, May 15, 2016 6:33 PM
  • I've proven I cannot sign the .js files using the sha256 parameter for signtool as it errors.  If I sign the .js file via command line without the sha256 parameter and let it default to sha1, the file signs successfully.

    I will play around with the PowerShell cmdlet to see if I can sign it using the sha256 hash.

    Sunday, May 15, 2016 7:04 PM
    I tried signing the .js files with PowerShell's Set-AuthenticodeSignature cmdlet, but it errors for both sha1 (default with PowerShell 2.0) and sha256 passed using the -HashAlgorithm parameter.

    I can sign an .exe without issue for either.

    ??

    Monday, May 16, 2016 1:48 PM
  • Can you check the encodings of your .js files? It appears that they are stored in BigEndian Unicode, which isn't supported by Set-AuthenticodeSignature. Try to save your .js in either Unicode or ANSI and try again.

    Vadims Podāns, aka PowerShell CryptoGuy

    Monday, May 16, 2016 7:55 PM
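
The encoding check suggested in the reply above, as an added example that is not part of the original thread: it classifies each .js file by its byte-order mark, re-saves any UTF-16 big-endian file as Unicode (UTF-16 LE), and then attempts a SHA-256 signature. The folder in `$root` and the choice of the first code-signing certificate in the current user's store are assumptions.

```powershell
# Added example. Assumptions: $root is a hypothetical folder of .js files, and the
# first code-signing certificate in the current user's store is the one to use.
function Get-BomEncoding {
    param([Parameter(Mandatory)][string]$Path)
    # A byte-order mark is at most four bytes long, so read only those.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n = $stream.Read($buf, 0, 4)
    } finally {
        $stream.Dispose()
    }
    $hex = [System.BitConverter]::ToString($buf, 0, $n)   # e.g. "FE-FF-00-76"
    # UTF-32 LE is tested before UTF-16 LE because both start with FF-FE.
    switch -Regex ($hex) {
        '^FF-FE-00-00' { return 'UTF-32 LE' }
        '^00-00-FE-FF' { return 'UTF-32 BE' }
        '^EF-BB-BF'    { return 'UTF-8 with BOM' }
        '^FE-FF'       { return 'UTF-16 BE' }
        '^FF-FE'       { return 'UTF-16 LE' }
        default        { return 'No BOM (ANSI or UTF-8)' }
    }
}

function Convert-BigEndianToUnicode {
    param([Parameter(Mandatory)][string]$Path)
    # Decode as UTF-16 BE, then rewrite as UTF-16 LE ("Unicode" on Windows) with its BOM.
    $text = [System.IO.File]::ReadAllText($Path, [System.Text.Encoding]::BigEndianUnicode)
    [System.IO.File]::WriteAllText($Path, $text, [System.Text.Encoding]::Unicode)
}

$root = '.\wwwroot\scripts'
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1

Get-ChildItem -Path $root -Recurse -File | Where-Object Extension -eq '.js' | ForEach-Object {
    $enc = Get-BomEncoding -Path $_.FullName
    if ($enc -eq 'UTF-16 BE') {
        Convert-BigEndianToUnicode -Path $_.FullName
        $enc = 'UTF-16 LE (converted from BE)'
    }
    $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert -HashAlgorithm SHA256
    # Status is 'Valid' on success; anything else points at a file needing a closer look.
    [pscustomobject]@{ File = $_.FullName; Encoding = $enc; Status = $sig.Status }
}
```

Run it against a copy of the build output, since the conversion rewrites files in place.
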
  • Is that something that can be set up in the projects?  I believe the majority of the .js files in the app are the result of nuget packages.  I'm not sure if there is a way to force a certain file format when building the packages or not. ??
    Monday, May 16, 2016 8:07 PM
  • So, as you may have gathered, I'm no cert expert, but here is where I'm at right now with our web app.  It appears the majority of our files and installation packages are signed sha256.

    As of now, I don't have the ability to sign the .js files sha256, but I can sign them sha1 with our build script tool (but not with PowerShell - I haven't looked into how the files are encoded yet).

    So, the majority of files and all install packages are sha256, .js files are sha1.  Is this bad or OK?  What, if any runtime pitfalls might we encounter involving .js files?

    Tuesday, May 17, 2016 5:57 PM