PaulStoffregen
Well-known member
Also, the Microsoft article suggests a work-around you can keep using for years to come
"Files timestamped before January 1, 2016, will continue to be trusted."
If anyone's curious about these details, they've anticipated you could simply set your PC's clock backwards.
The signature "timestamp" actually comes from a server operated by one of the dozen certificate authorities. When you sign the file, you give it the URL of one of those timestamp servers. The clock setting on that server is what matters. The server gives you back a signed digest which proves you generated the signature at a particular time. Windows trusts timestamps only if they're signed by those servers, so you can't forge a different time unless you control that server, or have the private keys that server uses, or you can break the SHA2 algorithm. Apparently SHA1 currently costs about $2 in Amazon EC2 compute time (or your own huge many-GPU computer) to break, which is why we're all being forced to use SHA2.
Turns out, some of those timestamp servers still use SHA1, unless you give the signing tool a different command line switch to speak a different protocol when contacting the server. I didn't dive into the details, but this was one of the many small issues to resolve.
Apparently more restrictions on signatures go into effect on Jan 1, 2017. The certificate "thumbprint" on the cert we just paid $265 to get *still* uses SHA1 on that part. I don't know if that's going to be a problem in 11 months, but I wasn't happy to discover that small detail yesterday, which is completely outside of my control. Well, other than switching away from Comodo, but I found a Globalsign cert on another program which also still has a SHA2 signature with SHA1 thumbprint... so it looks like the whole industry pretty much runs in reactionary mode and things will probably break again around this time next year.
Last edited: