
Thread: Unable to download Teensyduino.exe

  1. #26
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    22,294
    Quote Originally Posted by jwatte View Post
    Also, the Microsoft article suggests a work-around you can keep using for years to come :-)

    "Files timestamped before January 1, 2016, will continue to be trusted."
    If anyone's curious about these details, they've anticipated you could simply set your PC's clock backwards.

    The signature "timestamp" actually comes from a server operated by one of the dozen certificate authorities. When you sign the file, you give it the URL of one of those timestamp servers. The clock setting on that server is what matters. The server gives you back a signed digest which proves you generated the signature at a particular time. Windows trusts timestamps only if they're signed by those servers, so you can't forge a different time unless you control that server, or have the private keys that server uses, or you can break the SHA2 algorithm. Apparently SHA1 currently costs about $2 in Amazon EC2 compute time (or your own huge many-GPU computer) to break, which is why we're all being forced to use SHA2.

    Turns out, some of those timestamp servers still use SHA1, unless you give the signing tool a different command line switch to speak a different protocol when contacting the server. I didn't dive into the details, but this was one of the many small issues to resolve.

    Apparently more restrictions on signatures go into effect on Jan 1, 2017. The certificate "thumbprint" on the cert we just paid $265 to get *still* uses SHA1 on that part. I don't know if that's going to be a problem in 11 months, but I wasn't happy to discover that small detail yesterday, which is completely outside of my control. Well, other than switching away from Comodo, but I found a Globalsign cert on another program which also still has a SHA2 signature with SHA1 thumbprint... so it looks like the whole industry pretty much runs in reactionary mode and things will probably break again around this time next year.
    Last edited by PaulStoffregen; 02-10-2016 at 03:44 PM.
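
The signing and timestamping steps described in the post above, as an added example that is not part of the original thread and is not PJRC's build script. The file path, certificate thumbprint and timestamp URL are placeholders. The script signs with a SHA-256 file digest and an RFC 3161 SHA-256 timestamp, then reports each certificate's own signature algorithm next to its thumbprint, which Windows computes locally as a SHA-1 hash of the certificate bytes.

```powershell
# Added example: sign (optional) and report which hash algorithms a signed file relies on.
# $File, $Thumbprint and $TimestampUrl are placeholders, not values from this thread.
param(
    [string]$File         = '.\installer.exe',                          # placeholder path
    [string]$Thumbprint   = '<CERT-THUMBPRINT-PLACEHOLDER>',            # selects the cert in the store
    [string]$TimestampUrl = 'http://timestamp.example.invalid/rfc3161', # placeholder timestamp server
    [switch]$Sign
)

function Get-CertHashReport([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Role) {
    # Recompute the thumbprint: SHA-1 over the DER-encoded certificate bytes.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $local = [BitConverter]::ToString($sha1.ComputeHash($Cert.RawData)) -replace '-', ''
    [pscustomobject]@{
        Role                  = $Role
        Subject               = $Cert.Subject
        SignatureAlgorithm    = $Cert.SignatureAlgorithm.FriendlyName  # what the issuing CA signed with
        Thumbprint            = $Cert.Thumbprint
        ThumbprintIsLocalSha1 = ($local -eq $Cert.Thumbprint)
        NotAfter              = $Cert.NotAfter
    }
}

if ($Sign) {
    # /fd sha256 : digest algorithm for the file itself
    # /tr, /td   : RFC 3161 timestamp request with a SHA-256 digest
    # (the older /t switch speaks the legacy Authenticode timestamp protocol instead)
    & signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp countersignature: the signature stops validating when the signing cert expires.'
}

$report = @(Get-CertHashReport $sig.SignerCertificate 'Signer')
if ($sig.TimeStamperCertificate) { $report += Get-CertHashReport $sig.TimeStamperCertificate 'Timestamp' }
$report | Format-Table -AutoSize
$report | Where-Object { $_.SignatureAlgorithm -match 'sha1' } |
    ForEach-Object { Write-Warning "$($_.Role) certificate is signed with $($_.SignatureAlgorithm)" }

# Verbose verification against the Authenticode policy, including timestamp details.
& signtool.exe verify /pa /v $File
```

Run it without `-Sign` to inspect an already signed file. `signtool.exe` ships with the Windows SDK and must be on the PATH.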

  2. #27
    Senior Member
    Join Date
    Dec 2014
    Posts
    304
    The signature "timestamp" actually comes from a server operated by one of the dozen certificate authorities.
    Oh, that's unfortunate. I mean, fortunate for general security, but unfortunate for you :-)

    Regarding people issuing trailing-edge certs: Don't you get "revoke and re-issue" support for certs when you pay for them?
    If a cert becomes technically unsound, wouldn't going through that path give you a new cert which would presumably be issued with latest-implemented technology at that time?
    Might save you some money if that path works.

  3. #28
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    22,294
    Quote Originally Posted by jwatte View Post
    Don't you get "revoke and re-issue" support for certs when you pay for them?
    In theory, yes.

    In practice, Tucows responded with a copy-and-paste of Comodo's instructions, which didn't work. Even though I provided screenshots showing it not working as described, they closed the support ticket without a second thought. It's pretty clear they no longer resell Comodo certs or other developer products, since they deleted all that stuff from their website probably quite some time ago. They probably don't have anyone there who'd be capable of resolving such a problem.

    Rather than try to go through Comodo again (tried that before... they expect their resellers to handle all customer support requests), I just bought a new cert from another company. That's how it actually works in practice.

  4. #29
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    22,294
    Maybe I'd get better service buying directly from Thawte, Globalsign, or Symantec. But their prices are so high, you could buy cheap Comodo-through-reseller certs even 3 or 4 times and still be money ahead.

  5. #30
    Senior Member
    Join Date
    Dec 2014
    Posts
    304
    Rather than try to go through Comodo again (tried that before... they expect their resellers to handle all customer support requests), I just bought a new cert from another company. That's how it actually works in practice.
    Hopefully this reseller will stay in the business!

  6. #31
    Senior Member
    Join Date
    Dec 2014
    Posts
    304
    FWIW: Seems like you can get away with $60/year for code signing certificates and web SSL certificates, as long as you don't need to sign drivers:

    https://www.startssl.com/

    ($120/year if you also need to sign drivers)

  7. #32
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    22,294
    We just paid a pretty similar price, $265 for 5 years.

    Whether it really keeps working for the full 5 years remains to be seen....

  8. #33
    Senior Member
    Join Date
    Dec 2014
    Posts
    304
    Sounds like the voice of experience!

  9. #34
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    22,294
    Hmmm... I wonder if the INF file (for Win 7 & 8) needs to be re-signed??

  10. #35
    Senior Member+ defragster's Avatar
    Join Date
    Feb 2015
    Posts
    11,981
    My win7 completed as noted above - but had the driver (if that is the INF you wonder about).

    I just re-ran the first part and said Update Driver and it succeeded without issue for '3 devices'.

  11. #36
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    22,294
    I just retested the Teensyduino installer on a completely fresh but fully updated Windows 7 install. I'm happy to say the installer signature and the INF "driver" signature are both fully recognized.