Didier Stevens

Tuesday 24 November 2015

Authenticode And Timestamping And sha256

Filed under: Encryption — Didier Stevens @ 0:00

I have a couple of how-to posts on digital signatures, like this code signing post. Let me revisit this topic now that Microsoft announced some upcoming changes to code signing.

I use signtool.exe that came with Visual Studio 2013 in my examples. Here is how to use signtool.exe from the command-line to sign an executable:

20151123-204917

FYI: in my case, I use option /a because I have more than one code signing certificate and I let signtool decide which one to use (option /a). But if you have only one code signing cert, you don’t need to use option /a.

As you can see, the version of signtool.exe I use (6.3.9600.16384) still uses sha1 by default.

20151123-204945

To use sha256 as digest algorithm (since Microsoft will deprecate sha1), use option /fd sha256, like this:

20151123-205150

20151123-205230

When we look at the details of the signature, we see that there is no Signing time or Countersignatures:

20151123-205310

The signature is valid, because we are still in the certificate validity period:

20151123-205524

But once we are outside the certificate validity period, the signature is no longer valid:

20151123-205921

And this is because a countersignature from a timestamping service is missing. A countersignature can be added with option /tr and the URL of a timestamping service, like this one:

20151123-210005

Correction: use this URL for sha256 timestamping: http://timestamp.globalsign.com/?signature=sha2

Option /tr URL specifies a timestamping service that supports the RFC 3161 protocol.

And now the signature remains valid, even after the code signing certificate has expired:

20151123-210052

To be sure that the timestamping service uses sha256, we can request this with option /td sha256:

20151123-210426

Conclusion: always use a timestamping service when signing code, this way your signature will not expire.

Remark: code signing and timestamping are 2 different operations. There is no requirement to execute these operation with a single command. You can also timestamp a signed executable like this:

20151123-211435

First command: sign

Second command: timestamp

And you don’t need a code signing certificate to timestamp a signed executable. You can take any executable with an embedded signature, and add a new timestamping signature with this signtool.exe timestamp command. Why do I mention this? This will become clear in a next post, where we take a closer look at Microsoft’s sha256 code signing announcement.

A last remark: as mentioned, option /a lets signtool.exe decide which certificate (from the certificate store) to use for the code signing (in case you have more than one code signing certificate). But if you want to explicitly select the code signing certificate to use, you can use option /sha1 with the sha1 fingerprint of the certificate you want to use. Important: /sha1 is a method to select a certificate, it does NOT instruct signtool to use the sha1 algorithm for the signature.

12 Comments »

  1. […] Authenticode And Timestamping And sha256 […]

    Pingback by Overview of Content Published In November | Didier Stevens — Friday 11 December 2015 @ 0:01

  2. […] It will only happen with executables with a “Mark of the Web” attribute and without a timestamp or a timestamp after […]

    Pingback by SHA256 Code Signing and Microsoft | Didier Stevens — Tuesday 29 December 2015 @ 10:28

  3. Even with /td sha256, it seems that the timestamp signature still uses sha1… any idea about that?

    Comment by Thomas Levesque — Monday 4 January 2016 @ 12:36

  4. with /td you request a digest algorithm, but in the end it’s the timestampserver that selects the algo.

    Comment by Didier Stevens — Monday 4 January 2016 @ 12:42

  5. OK, thanks Didier. Isn’t it an issue, though? If SHA1 is considered vulnerable, then an attacker could fake the timestamp to pretend the file was signed during the validity period of an expired certificate, right? Is there any timestamp server that supports SHA256 ? I tried Globalsign and Geotrust, both of them use SHA1.

    Comment by Thomas Levesque — Monday 4 January 2016 @ 12:46

  6. Did you try /tr http://timestamp.globalsign.com/?signature=sha2 ?

    Comment by Didier Stevens — Monday 4 January 2016 @ 12:46

  7. Did you try /tr http://timestamp.globalsign.com/?signature=sha2 ?

    Comment by Didier Stevens — Monday 4 January 2016 @ 12:47

  8. Just tried, it seems to work as expected. Thanks!

    Comment by Thomas Levesque — Monday 4 January 2016 @ 12:54

  9. If you want to use SHA256 digest for timestamping your URL has to be /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256.

    Comment by Igor Levicki — Monday 11 January 2016 @ 0:31

  10. Great Didier, your blog’s are always reliable. Quoting your blog “To use sha256 as digest algorithm (since Microsoft will deprecate sha1)”
    Did they depricate it or is it still on?

    Comment by Parth — Friday 8 April 2016 @ 19:47

  11. AFAIK the plan I linked to is up to date.

    Comment by Didier Stevens — Sunday 10 April 2016 @ 12:06

  12. […] in Windows 2000 when it  predates that, or stating that only SHA1 is supported when MSFT signtool has supported SHA256 for some time.) There are two major conceptual flaws in this argument: First one is […]

    Pingback by Use and misuse of code-signing (part I) | Random Oracle — Thursday 20 October 2016 @ 1:57


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: