2025-01-24 19:15 UTC-0300 Mario Wan Stadnik (wanstadnik gmail.com)


Mario

Jan 24, 2025, 5:26:04 PM
to Harbour Developers
2025-01-24 19:15 UTC-0300 Mario Wan Stadnik (wanstadnik gmail.com)
  * utils/hbmk2/hbmk2.prg
    * http://timestamp.verisign.com/scripts/timstamp.dll has limped
      along for the last few years and had been working in a sort
      of depreciated state, but the new owners of the certificate
      issuing business, DigiCert, have issued a migration alert so
      we are switching to: http://timestamp.comodoca.com/authenticode
    ; It allows the user to choose the algorithm: SHA256 or SHA1

Mario

Jan 24, 2025, 5:32:48 PM
to Harbour Developers
Hi, I hope I am doing it right.
I followed the guidelines to submit a pull request and I am waiting for someone to take a look and merge it, please.
It is just an updated address for the sign tool timestamp.
It has been broken for a while - seems like no one is using that feature (to sign code using hbmk2).
I use it...
Thank you!

Mario

Aleksander Czajczynski

Jan 25, 2025, 3:54:08 AM
to harbou...@googlegroups.com
Hello!

Mario wrote:
> Hi, I hope I am doing it right.
> I followed the guidelines to submit a pull request and I am waiting for someone to take a look and merge it, please.
> It is just an updated address for the sign tool timestamp.
> It has been broken for a while - seems like no one is using that feature (to sign code using hbmk2).
> I use it...
> Thank you!
It says on the website that it will generate an RSA-SHA384 stamp by default at this address (I'd have to test to confirm).

Does http://timestamp.digicert.com/ operate too?

--
You received this message because you are subscribed to the Google Groups "Harbour Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to harbour-deve...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/harbour-devel/a74b1f99-05ca-4884-b62f-68a5973691d4n%40googlegroups.com.

Alexandre Cavalcante Alencar

Jan 25, 2025, 1:57:12 PM
to harbou...@googlegroups.com

Mario

Jan 25, 2025, 2:35:29 PM
to harbou...@googlegroups.com
Hi Aleksander,

Thanks for jumping on this.
The results are exactly the same. Both are good and traditional options.

Anyway, you have to select the option for the algorithm, and I tested SHA1, SHA256 and SHA384 (all good).

Here is how I tested with the sign tool both in x86 and x86_64 under Windows 10 Pro:

Comodo / App x86:
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.comodoca.com/authenticode" /a /fd SHA1 ..\APPx86_comodo_SHA1.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.comodoca.com/authenticode" /a /fd SHA256 ..\APPx86_comodo_SHA256.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.comodoca.com/authenticode" /a /fd SHA384 ..\APPx86_comodo_SHA384.exe

Comodo / App x86_64:
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.comodoca.com/authenticode" /a /fd SHA1 ..\APPx86_64_comodo_SHA1.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.comodoca.com/authenticode" /a /fd SHA256 ..\APPx86_64_comodo_SHA256.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.comodoca.com/authenticode" /a /fd SHA384 ..\APPx86_64_comodo_SHA384.exe

Digicert / App x86:
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.digicert.com" /a /fd SHA1 ..\APPx86_digicert_SHA1.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.digicert.com" /a /fd SHA256 ..\APPx86_digicert_SHA256.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.digicert.com" /a /fd SHA384 ..\APPx86_digicert_SHA384.exe

Digicert / App x86_64:
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.digicert.com" /a /fd SHA1 ..\APPx86_64_digicert_SHA1.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.digicert.com" /a /fd SHA256 ..\APPx86_64_digicert_SHA256.exe
signtool sign /v /f MyCertificate.pfx /p MyPassword /t "http://timestamp.digicert.com" /a /fd SHA384 ..\APPx86_64_digicert_SHA384.exe

All worked just fine. In all of the above my app size increased by 7 Kb.

This is how I use inside my proj.hbp file:

{win}-sign=.\certificates\MyCertificate.pfx
{win}-signpw=MyPassword
{win}-signflag=-v
{win}-signflag=-a
{win}-signflag=-fd
{win}-signflag=SHA256

So the algorithm definition is required information, so I have to add it anyway.




Aleksander Czajczynski

Jan 26, 2025, 6:03:50 AM
to harbou...@googlegroups.com
Hello!

signtool's /fd SHA* parameter specifies the hash length for the signature, not for the timestamp, I think. To keep up with the tradition, maybe let's just put: "http://timestamp.digicert.com".

I'm interested in the code signing topic of course, but this seems not to be a highly requested feature in the Harbour 3.2 community.

Best regards, Aleksander

Maurizio la Cecilia

Jan 26, 2025, 7:33:14 AM
to Harbour developers group
Hum, I don't know if someone else had this issue, but frequently my Harbour executable is detected as a positive by some antivirus.
Thus I'm very interested in signing code, mainly if some free service exists.
I'll stay tuned.
Thanks to all.
Best regards
--
Maurizio


Alexandre Cavalcante Alencar

Jan 26, 2025, 12:43:09 PM
to harbou...@googlegroups.com
Maurizio,

AFAIK, no CA offers free code signing certificates, so you would have to buy an Authenticode-enabled certificate ($100 - 1,000+) from one of the CAs in the Microsoft Authenticode Program.

TL;DR
- Needs a valid Authenticode certificate
- Timestamp must use SHA-256 or better. SHA1 is not supported anymore
- It reduces false positives, but would not rule out being (mis)flagged by AV/anti-malware.
- Reduces Windows UAC prompts

Reference


Alexandre Alencar
AWS CSA-PRO, COBIT, ITIL, CSM, LPI, MCP-I

Mario

Jan 26, 2025, 2:41:07 PM
to harbou...@googlegroups.com
Hello to all,

Aleksander, you are right, let's keep the tradition: "http://timestamp.digicert.com"
I am not sure how to do it... maybe discard the last change and do it again with the new address?

Maurizio, I have the same issue but a possible "solution":
As Alexandre mentioned, code signing reduces the problem but at the same time it is expensive.
I've created my own certificate, but I think it has little value :) but if you make yours you could manually import it into the Windows certificate store of the computers where you plan to use your signed code (only once) - so it is not a bad idea. At least a very inexpensive one ;)
Follow the steps, adapting them to your environment and data, to create your own; then you can use it in your .hbp files (only Windows and Darwin):

{win}-sign=MyCertificate.pfx
{win}-signpw=MyPassword
{win}-signflag=-v
{win}-signflag=-a
{win}-signflag=-fd
{win}-signflag=SHA256


It will do the trick!

Best regards,

Mario



Maurizio la Cecilia

Jan 26, 2025, 4:53:43 PM
to Harbour developers group
Hi Mario,
your solution is very smart.
It could be perfect if the certificate could be added before the executable copy at install time.
I'll try to find a way, if suitable, to add this feature to the Inno Setup script.
Thanks a lot for your suggestions.
--
Maurizio

Mario

Jan 26, 2025, 4:58:06 PM
to harbou...@googlegroups.com
Friends, how do I revert the changes and re-submit changes in GitHub?
I tried to revert but I was unsuccessful... sorry, I am learning how to use GitHub.
Can anyone help me, please?
Thanks

Mario

Aleksander Czajczynski

Jan 27, 2025, 4:25:52 AM
to harbou...@googlegroups.com
Hello!

I've pulled it in anyway, because changing the URL to another one would
otherwise need more testing: alternating between the /t and /tr signtool.exe
options to switch between Authenticode and RFC 3161, and specifying the minimum
version that supports the latter.

Mario wrote:
> Friends, how do I revert the changes and re-submit changes in github?
> I tried to revert but I was unsuccessful... sorry I am learning how to
> use github.
> Anyone help me, please?
I saw you were working on the main branch of your fork; to get rid of
some changes:
git reset HEAD~1 (locally)
redo your modifications
git commit
git push -f (to force overwriting history on GitHub)

Best regards, Aleksander Czajczyński
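The /fd, /t and /tr options discussed in this thread, as an added PowerShell example that is not from the thread and is not hbmk2 code: it signs a built executable with signtool using an RFC 3161 timestamp (the /tr form Aleksander mentions, with /td for the timestamp digest, separate from the /fd file digest Mario sets via -signflag), then checks that both the signature and the timestamp countersignature are present. The executable path, the PFX and password (the same values the .hbp passes with -sign= and -signpw=) and signtool.exe being on PATH are assumptions; the TSA URL is the one the thread settled on, and reaching it needs network access.

```powershell
# Added example, not part of the thread or of hbmk2: sign an executable with
# signtool using an RFC 3161 timestamp, then verify signature and countersignature.
function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string]$Exe,                       # e.g. .\APPx86_64.exe (placeholder)
        [string]$Pfx      = '.\certificates\MyCertificate.pfx',   # same file as -sign= in the .hbp
        [Parameter(Mandatory)][string]$Password,                  # same value as -signpw=
        [string]$Tsa      = 'http://timestamp.digicert.com',      # the URL the thread settled on
        [string]$Signtool = 'signtool.exe'                        # assumed on PATH (Windows SDK)
    )

    # /fd is the file digest used in the signature itself (what -signflag=-fd SHA256 sets).
    # /tr + /td request an RFC 3161 timestamp and its own digest; the legacy Authenticode
    # form would instead be: /t $Tsa (no /td). hbmk2's own switch is not changed here.
    & $Signtool sign /v /f $Pfx /p $Password /fd SHA256 /tr $Tsa /td SHA256 $Exe
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

    # Verify under the default Authenticode policy (/pa) and print the chain (/v).
    & $Signtool verify /pa /v $Exe
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

    # Independent check from PowerShell: Status must be Valid and a timestamper
    # certificate must be present, otherwise the signature stops validating
    # as soon as the signing certificate itself expires.
    $sig = Get-AuthenticodeSignature -FilePath $Exe
    if ($sig.Status -ne 'Valid') {
        throw "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    }
    if (-not $sig.TimeStamperCertificate) {
        throw 'No timestamp countersignature found'
    }

    return [pscustomobject]@{
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Timestamper = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (placeholder values):
#   Invoke-SignAndVerify -Exe .\APPx86_64.exe -Password 'MyPassword'
```

With a self-signed certificate whose public part has not yet been placed in the machine's Root store, the last check throws with a status other than Valid, because the chain does not terminate in a trusted root; that is the expected result until the certificate is imported on that machine.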


Mario

Jan 27, 2025, 9:16:15 AM
to harbou...@googlegroups.com
You are right.

Thanks for helping me with GitHub. It's a great tool indeed.

Regards,

Mario Wan Stadnik


Mario

Feb 10, 2025, 12:19:46 PM
to Harbour Developers
Hi Maurizio,

Yes, and it's also very inexpensive.

This solves two problems, the first being that it stops scaring the end user with messages that the application is a risk to the system (because it is unknown due to the lack of a signature) and the second being that it is obviously very cost-effective.

Have you found a way to automate the installation of the certificate on the end user?

-Mario

Maurizio la Cecilia

Feb 10, 2025, 2:10:41 PM
to Harbour developers group
Hi Mario,
yes, I found a way to test at install time whether a valid certificate exists on the client side and, if not present, to generate a new one and store it.
A short Inno Setup script invoking PowerShell does the job.
Since self-signing the executable and the installer, no more alerts have been issued.
Thanks a lot for your suggestions; let me know if I could be useful.
Best regards
--
Maurizio
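Mario's "create your own certificate and import it once" suggestion and Maurizio's install-time check, as one added PowerShell example that is not from the thread and not Inno Setup or hbmk2 code: the first function runs on the build machine and produces the PFX that hbmk2's -sign= option consumes plus a public .cer; the second runs from the installer on the client and imports the .cer only into the stores that do not already hold that thumbprint. The subject name, paths and installer invocation are assumptions; unlike Maurizio's description, nothing is generated on the client here, only the public certificate is imported.

```powershell
# Added example, not part of the thread or of hbmk2/Inno Setup.
# New-CodeSigningPfx runs on the build machine; Install-PublisherCertificate
# runs on the client, called from the installer with elevated rights.

function New-CodeSigningPfx {
    # Creates a self-signed certificate whose EKU is limited to code signing and
    # exports the PFX (private key, for hbmk2 -sign=) and the public .cer for shipping.
    param(
        [string]$Subject = 'CN=My Harbour App Publisher',        # placeholder subject
        [string]$PfxPath = '.\certificates\MyCertificate.pfx',   # the file named by -sign=
        [string]$CerPath = '.\certificates\MyCertificate.cer',
        [Parameter(Mandatory)][securestring]$PfxPassword         # the value behind -signpw=
    )
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(3) `
        -CertStoreLocation 'Cert:\CurrentUser\My'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
    Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null   # public part only, no key
    return $cert.Thumbprint
}

function Install-PublisherCertificate {
    # Client side: import the shipped .cer into the machine Root store (so the
    # self-signed chain validates) and TrustedPublisher (so no publisher prompt),
    # skipping any store that already holds this thumbprint. Needs elevation.
    param([string]$CerPath = "$PSScriptRoot\MyCertificate.cer")   # placeholder path
    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $imported = @()
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
        $present = Get-ChildItem $store | Where-Object Thumbprint -eq $incoming.Thumbprint
        if ($present) { continue }
        Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
        $imported += $store
    }
    return $imported   # stores that received the certificate on this run
}

# Build machine, once (placeholder values):
#   New-CodeSigningPfx -PfxPassword (Read-Host -AsSecureString 'PFX password')
# Client, from the installer (elevated):
#   Install-PublisherCertificate -CerPath "$PSScriptRoot\MyCertificate.cer"
```

The split matters for the key: anything placed in LocalMachine\Root is trusted machine-wide, so the PFX with the private key stays on the build machine and only the .cer travels in the installer. Restricting the EKU to code signing when the certificate is created limits what it can be used for even though it sits in Root. Re-running the installer is idempotent because the thumbprint check skips stores that already have the certificate.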
