Category Archives: Microsoft

What every software vendor needs to know about SHA1/SHA2 and digital certificates

TL;DR : If you digitally sign your software you need to make sure you have an SHA2 certificate and use it to dual sign your software with both SHA1 and SHA2 digests.

Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.

I don’t digitally sign Windows software, does this affect me?

No. But perhaps treat Windows unsigned software warning with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).

What is SHA1?

SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.

What happens if my certificate is SHA1?

If you signed your software with a timestamp before 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.

If you signed your software with a timestamp on or after 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • On Windows 7/8/10 and you will get an ugly “The signature of <file> is corrupt or invalid” or “The signature of this program is corrupt or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).

Windows seems to treat software that has been downloaded from the web (with ‘mark of the web’) differently. So make sure you test a version of your software you have downloaded from the web. I carried out some tests on 01-Mar-2016 using an SHA1 certificate to sign an executable and then dowload it. It worked ok when downloaded using Firefox or Chrome, but was shown as corrupt when downloaded using IE.

How do I know if my current certificate is SHA1?

  1. Right click on your most recently signed installer and select Properties.
  2. Click on the Digital Signatures tab.
  3. Select the signature and click on the Details button.
  4. Click the View Certificate button.
  5. Click the Details tab.
  6. Look at the Signature hash algorithm.sha1 digital certificate

What should I do if my certificate is SHA1?

If you certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).

I have an SHA2 certificate, now what?

If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:

signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>

signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>

Note the the order of the above is important (SHA1 first).

The Comodo SHA1 and SHA2 timestamp server is:
http://timestamp.comodoca.com

You can add a /debug flag for verbose output.

If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).

You can use chktrust.exe to check the signature:

chktrust.exe <installer>

Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.

I always sign the program, as well as the installer.

Can I double sign .msi files?

I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.

What happens to software I signed with my SHA1 certificate after the certificate is revoked?

Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017

How do I sign Windows XP SP1/XP SP2 software?

Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. Its not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.

Does this affect SSL certificates as well as code signing (Authenticode) certificates?

I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.

How does this affect signing of device drivers?

I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.

What is the difference between SHA2 and SHA256?

SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.

How secure is SHA2?

Er, it was designed by the NSA. Supply your own joke.

I don’t have a digital certificate, where can I get one?

I got my Comodo code signing certificate from reseller codesigning.ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.

Anything else I should know?

Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.

Acknowledgements

Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.

Further reading

http://zabkat.com/blog/code-signing-sha1-armageddon.htm

http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Updates

02-Mar-2016: Added missing link and minor update.

03-Mar-2016: Minor update.

App stores set to dominate future software sales?

Following the success of the iPhone app store (over 6 billion downloads to date), app stores are becoming more and more of a feature of the software landscape. In case you missed it, Apple announced yesterday that there will be an App Store for Macs  ‘within 90 days’. In summary:

  • The Mac app store will be tightly integrated with Mac OS X, including automatic install and update.
  • There will be restrictions on technology, for example Java apps will not be allowed.
  • Apple will keep 30% of any revenue from sales.
  • $99/year subscription for developers.
  • Developers will still be able to sell their software outside the App store.

It is easy to see why Apple would want to do this:

  • A potentially huge new revenue stream from third party Mac software sales.
  • They get even more control over the customer experience.

And this could have advantages for Mac users:

  • Simpler payment and installation.
  • Screening out of low quality apps and malware.

And potential advantages for Mac developers:

  • Mac users might buy more software if it is easier to do so.
  • One main channel to concentrate your marketing efforts on.
  • Some of the boring infrastructure of selling software (licensing, shopping cart etc) can be taken care of by Apple.

But the disadvantages are all too obvious:

  • Your app could be rejected outright. And you won’t know until you submit it for approval. Apple are judge, jury and executioner. The iPhone app store has been infamous its capricious and opaque approval process.
  • 30% is a huge chunk of revenue. Typical payment processors take 5-10% of revenue. Where the new app store cannibalises existing sales (and it is hard to see that it won’t) vendors will lose 20-25% of existing sales revenues.
  • New apps and updates will be delayed by days or weeks as they go through the app store approval process.
  • A single centralised app store is likely to make it harder for niche/long-tail apps to make any sort of living. Certainly this is what seems to be happening in the iPhone App store.
  • Apple are control freaks and have traditionally taken a rather heavy handed approach with developers, including the liberal use of NDAs. The app store will give them even more control.

And worse might follow:

  • Apple makes a lot of their money from selling over-priced hardware. It may be in their interest to drive software prices down so they can sell more hardware. $5 is considered expensive in the iPhone App Store.
  • This could be the first step to making Mac OS X a closed system, like iPhone, where only Apple approved apps can be installed.

I guess they can’t piss off developers too much – a computer without third party applications isn’t going to be very attractive to customers. But I am finding it hard to work up any enthusiasm for a Mac app store. If it is successful I can either be in the store and give up a lot of freedom and cannibalize exisiting sales at a much lower margin, or stay out and be shut out of a large chunk of the market. It isn’t an attractive choice. As my app is written in C++/Qt, rather than Objective-C/Cocoa, I am not even sure that it will be eligible for inclusion in the store. I could just abandon Mac OS X, but Microsoft is also rumoured to be working on their own app store (despite the failure of DigitalLocker). That is a truly terrifying prospect given the awfulness of their ‘Works with Vista’ approval process (I speak from personal experience).

Suddenly web apps are looking more interesting.

Why I won’t be bothering with the Windows 7 logo program

not compatible with Windows 7Am I the only one being totally bombarded with ‘Give your application the green light’ and related emails from Microsoft and its minions? I must have had at least 30 so far. I took a few minutes to list my product in the Windows 7 compatibility guide (beware, cheesy audio). But that is all I intend to do.

I went to the trouble of getting the ‘works with Vista’ logo in 2007. The process was very broken:

  • The winqual and Partner websites give me “certified by unknown authority” warnings.
  • The Winqual website didn’t work at all in FireFox.
  • There was a complete lack of clear guidance about what you needed to do next at each stage.
  • The documentation was very poor, with broken links and much of it completely out of date (i.e. “more information will be available in 2006”, this was 2007).
  • It took me about an hour of rummaging around on the winqual site and an email to tech support to work out that you can ‘sign’ the legal documents online (you have to tick a permissions checkbox on a separate page and do a few refreshes).
  • You had to download a signing tool. It was in a zip file with a password. They didn’t tell you what the password was! Luckily I already had signcode.exe installed.

It was easily the most frustrating thing I have done in my career as a microISV. For that I ended up with an ugly ‘works with Vista’ logo (that probably just made customers think my software didn’t work on Windows XP), an entry in Windows marketplace (I already had one) and a Verisign authenticode certificate that I wasn’t allowed to use to sign my software.

Hopefully Microsoft have cleaned up their broken logo process since the Vista launch. But the benefits of the Windows 7 logo program seem slim:

  • a “Compatible with Windows 7” logo (prettier than the ghastly “works with Vista” logo admittedly)
  • 30 Partner Points for use in the Microsoft Partner Program (I have no idea what I would want those for)
  • some PR templates (when did having a near identical press release to thousands of other companies become a benefit?)
  • priority Listing in the “Windows 7 Compatibility Center” (I doubt any of my customers know or care about this)
  • Windows built-in error reporting (I rolled my own, thanks)

Worst of all I would have to buy another overpriced Verisign certificate to authenticate myself to Microsoft winqual, even though I already have a perfectly valid authenticode certificate from Comodo.

I think I’ll pass.

What are they smoking in Redmond?

I scanned the Microsoft ad below from a recent QBS catalogue.

microsoft_ad

click for larger image

I am still struggling to understand the underlying message. Use Team System and Microsoft will get its tentacles around you? I don’t know which is more unlikely, the basketball playing Cthonians or the athletic and good looking development team.

Getting ready for Windows 7

windows-7I am currently downloading the new Windows 7 release candiate. It is 2.36 GB and the ActiveX download control predicts it will take around 10 hours in total (NB I am also doing a large FTP upload, which is probably slowing it down considerably). Once the download is complete I intend to install it in a VM to test my table planning software.

You can download the latest Windows 7 release candidate here. It is free to download and use, but  it expires on 01-June-2010 and will shutdown every 2 hours starting on 01-March-2010 (insert your own joke here). A couple of points to note from the Windows 7 FAQ:

While the RC is stable and has been thoroughly tested, it’s not the finished product. Your computer could crash and you could lose important files. So please back up your data and please don’t test the RC on your primary home or business PC.

When you use the RC, your PC sends information to our engineers to help them check the fixes and changes they made based on Beta tests.

Microsoft hasn’t officially announced when Windows 7 will be for sale. But there are rumours that it is planned for October 2009. Will you be ready?

Mac OS X market share accelerates in 2008

2008 was a good year for Apple and Mac OS X. According to netapplications.com data (via sharewarepromotions blog) Mac OS X’s share of the OS market increased from 7.31% in Dec 2007 to 9.63% in Dec 2008. That is a 32% increase in market share during 2008, compared to a 22% increase during 2007.

macosx_market_share_2007_2008

Windows market share fell from 91.79% to 88.68% in the same time. While Mac OS X’s annual gains are impressive, it has a long way to go to catch Windows. 15 years if you project the 2008 gains forward.

macosx_vs_windows_market_share_2007_2008Of course, it is highly questionable to project 15 years from a single year of data, but it gives an idea how much work Apple still has to do.

I sell table planning software for Windows and Mac OS X. Mac visitors to my website have followed the general trend, up from 7.41% in 2007 to 8.5% in 2008 and accounting for around of 10% of visitors at the end of 2008.

macosx_visitor_percentage% Mac visitors to http://www.perfecttableplan.com

My data also shows that Mac users are twice as likely to purchase my software as Windows users (I have heard similar figures have reported by others). So Mac users currently account for 20% of my sales. I wouldn’t want to live off my Mac sales, but it is very useful additional income. Given the disparity in cost between Windows and Mac hardware it is hardly surprising that Mac users are more ready to reach for their credit card.

My software is built on top of the Qt cross-platform toolkit. The recent porting of Qt 4.5 to Cocoa gives me the opportunity to further improve PerfectTablePlan’s Mac look and feel and to release a 64 bit version. Hopefully this, coupled with increasing Mac market share, will further improve my Mac sales.

A beta of Windows 7 has just been released.  It will be interesting to see if it can repair some of the damage caused by Vista and slow the growth of Mac OS X. Personally, I doubt it – the Windows 7 feature list certainly doesn’t set my pulse racing.

Unlock new customers?

Microsoft Adcenter helpfully sent me a link to lists of low cost keywords I could advertise on, categorised by sector, to “unlock new customers”. I had a quick look through the ‘sport and rec’ list. Here is a small sample (click to enlarge):

There are lots more where they came from. Microsoft say:

These keywords are actual terms recently used by your customers on Live and MSN Search Engines and are available at a low cost while very few other advertisers are bidding on them.

No kidding.

Did they do any QA on this list[1]? Exactly how many people are searching on “vn b m gn mbnmncbm xbc bcv 0 vfkmjirhtfnkj nb b x bmnx bv”? What has dogging (not work safe) or Hare Krishna got to do with rugby? Is it any wonder nobody is bidding on “duck porn”? Are there really that many people interested in pictures of nude female bodybuilders (apparently)?

Thanks Microsoft, but I’m really not sure they are the sort of new customers I want to unlock.

[1]There are some pretty unpleasant ones I didn’t include.

Microsoft adCenter over reporting conversions

I have long suspected that Microsoft adCenter is over reporting conversions. Here is the confirmation from my adCenter reporting:

I am guessing that the purchaser visited the ‘thank you for your purchase’ page (which contains the conversion tracking script) 5 times, for whatever reason. I can’t think of any other way this situation could occur – the conversion tracking isn’t set up to take account of multiple purchases in one transaction. How difficult would it be to only count the first visit? Google can do it.

Being cynical, perhaps the over reporting suits Microsoft? But it makes it much more difficult for me to assess the real effectiveness of keywords and ads. Another good reason to concentrate my efforts on Google Adwords instead.

Choosing a development ‘stack’ for Windows desktop applications

beauty_parade.jpgI have have heard plenty of people saying that desktop software is dead and that all future development will be done for the web. From my perspective, as both a buyer and seller of software, I think they are wrong. In fact, of the thousands of pounds I have spent on software in the last three years, I would guess that well over 90% of it was spent on software that runs outside the browser. The capabilities of web based applications have improved a lot in recent years, but they still have a long way to go to match a custom built native application once you move beyond CRUD applications. I don’t expect to be running Visual Studio, PhotoShop or VMWare (amongst others) inside the browser any time soon. The only way I see web apps approaching the flexibility and performance of desktop apps is for the browser to become as complicated as an OS, negating the key reason for having a browser in the first place. To me it seems more likely that desktop apps will embed a browser and use more and more web protocols, resulting in hybrid native+web apps that offer the best of both worlds.

So, if Windows desktop apps aren’t going away any time soon, what language/libraries/tools should we use to develop them? It is clear that Microsoft would like us to use a .Net development environment, such as C#. But I question the wisdom of anyone selling downloadable off-the-shelf software based on .Net [1]. The penetration of .Net is less than impressive, especially for the more recent versions. From stats published by SteG on a recent BOS post (only IE users counted):

No .Net: 28.12%
>= .Net 1.0: 71.88%
>= .Net 1.1: 69.29%
>= .Net 2.0: 46.07%
>= .Net 3.0: 18.66%
>= .Net 3.5: 0.99%

Consequently deploying your app may require a framework update. The new .Net 3.5 framework comes with a 2.7 MB installer, but this is only a stub that downloads the frameworks required. The full set of frameworks weighs in at eye watering 197 MB. To find out how much the stub really downloads Giorgio installed .Net 3.5 onto a Windows 2003 VM with only .Net 1.0 & 1.1. The result: 67 MB. That is still a large download for most people, especially if your .Net 3.5 software is only a small utility. It is out of the question if you don’t have broadband. Microsoft no doubt justify this by saying that the majority of PCs will have .Net 3.5 pre-installed by the year X. Unfortunately by the year X Microsoft will probably be pushing .Net 5.5 and I dread to think how big that will be.

I have heard a lot of people touting the productivity benefits of C# and .Net, but the huge framework downloads can only be a major hurdle for customers, especially for B2C apps. You also have issues protecting your byte code from prying eyes, and you can pretty much forget cross-platform development. So I think I will stick to writing native apps in C++ for Windows for the foreseeable future.

There is no clear leader amongst the development ‘stacks’ (languages+libraries+tools) for native Win32 development at present. Those that spring to mind include:

  • Delphi – Lots of devoted fans, but will CodeGear even be here tomorrow?
  • VB6 – Abandoned and unloved by Microsoft.
  • Java – You have to have a Java Run Time installed, and questions still remain about the native look and feel of Java GUIs.
  • C++/MFC – Ugly ugly ugly. There is also the worry that it will be ‘deprecated’ by Microsoft.
  • C++/Qt – My personal favourite, but expensive and C++ is hardly an easy-to-use language. The future of Qt is also less certain after the Nokia acquisition.

Plus some others I know even less about, including: RealBasic and C++/WxWidgets. They all have their down sides. It is a tough choice. Perhaps that is why some Windows developers are defecting to Mac, where there is really only one game in town (Objective-C/Cocoa).

I don’t even claim that the opinions I express here are accurate or up-to-date. How could they be? If I kept up-to-date on all the leading Win32 development stacks I wouldn’t have any time left to write software. Of the stacks listed I have only used C++/MFC and C++/Qt in anger and my MFC experience (shudder) was quite a few years ago.

Given that one person can’t realistically hope to evaluate all the alternatives in any depth, we have to rely on our particular requirements (do we need to support cross platform?), hearsay, prejudice and which language we are most familiar with to narrow it down to a realistic number to evaluate. Two perhaps. And once we have chosen a stack and become familiar with it we are going to be loathe to start anew with another stack. Certainly it would take a lot for me to move away from C++/Qt, in which I have a huge amount of time invested, to a completely new stack.

Which Windows development stack are you using? Why? Have I maligned it unfairly above?

[1] Bespoke software is a different story. If you have limited deployment of the software and can dictate the end-user environment then the big download is much less of an issue.