Unable to download Teensyduino.exe

Status
Not open for further replies.
Also, the Microsoft article suggests a work-around you can keep using for years to come :)

"Files timestamped before January 1, 2016, will continue to be trusted."

If anyone's curious about these details, they've anticipated you could simply set your PC's clock backwards.

The signature "timestamp" actually comes from a server operated by one of the dozen certificate authorities. When you sign the file, you give it the URL of one of those timestamp servers. The clock setting on that server is what matters. The server gives you back a signed digest which proves you generated the signature at a particular time. Windows trusts timestamps only if they're signed by those servers, so you can't forge a different time unless you control that server, or have the private keys that server uses, or you can break the SHA2 algorithm. Apparently SHA1 currently costs about $2 in Amazon EC2 compute time (or your own huge many-GPU computer) to break, which is why we're all being forced to use SHA2.

Turns out, some of those timestamp servers still use SHA1, unless you give the signing tool a different command line switch to speak a different protocol when contacting the server. I didn't dive into the details, but this was one of the many small issues to resolve.

Apparently more restrictions on signatures go into effect on Jan 1, 2017. The certificate "thumbprint" on the cert we just paid $265 to get *still* uses SHA1 on that part. I don't know if that's going to be a problem in 11 months, but I wasn't happy to discover that small detail yesterday, which is completely outside of my control. Well, other than switching away from Comodo, but I found a Globalsign cert on another program which also still has a SHA2 signature with SHA1 thumbprint... so it looks like the whole industry pretty much runs in reactionary mode and things will probably break again around this time next year. :(
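An added illustration, not code from the original post or from any signing tool: it assumes the "different protocol" mentioned above is RFC 3161, which the post does not name. It builds the request a signing tool would send to a timestamp server, showing that only a hash of the signature leaves the machine and that the request itself declares the digest algorithm, then reads that declaration back so a SHA1 request can be spotted. Function names and the sample signature bytes are constructed for the example.

```python
import hashlib

# DER-encoded OIDs of the two digests the post contrasts.
OID_SHA1 = bytes.fromhex("06052b0e03021a")            # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("0609608648016503040201")  # 2.16.840.1.101.3.4.2.1
DIGESTS = {"sha1": (OID_SHA1, hashlib.sha1), "sha256": (OID_SHA256, hashlib.sha256)}

SAMPLE_SIGNATURE = b"constructed stand-in for an Authenticode signature blob"

def tlv(tag, body):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def build_timestamp_request(signature, digest="sha256"):
    """TimeStampReq: version 1, messageImprint(hash alg, hash), certReq TRUE."""
    oid, hasher = DIGESTS[digest]
    algorithm = tlv(0x30, oid + b"\x05\x00")             # AlgorithmIdentifier, NULL params
    imprint = tlv(0x30, algorithm + tlv(0x04, hasher(signature).digest()))
    return tlv(0x30, tlv(0x02, b"\x01") + imprint + tlv(0x01, b"\xff"))

def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (value bytes, offset of the next TLV)."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def imprint_digest(request):
    """Name the digest declared in a request's messageImprint."""
    body, _ = read_tlv(request)              # TimeStampReq SEQUENCE
    _, after_version = read_tlv(body)        # skip version INTEGER
    imprint, _ = read_tlv(body, after_version)
    algorithm, _ = read_tlv(imprint)         # AlgorithmIdentifier SEQUENCE
    _, oid_end = read_tlv(algorithm)         # the OID is its first element
    for name, (oid, _) in DIGESTS.items():
        if algorithm[:oid_end] == oid:
            return name
    return "unknown"

if __name__ == "__main__":
    for choice in ("sha1", "sha256"):
        req = build_timestamp_request(SAMPLE_SIGNATURE, choice)
        print(choice, len(req), "bytes ->", imprint_digest(req))
```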
 
The signature "timestamp" actually comes from a server operated by one of the dozen certificate authorities.

Oh, that's unfortunate. I mean, fortunate for general security, but unfortunate for you :)

Regarding people issuing trailing-edge certs: Don't you get "revoke and re-issue" support for certs when you pay for them?
If a cert becomes technically unsound, wouldn't going through that path give you a new cert which would presumably be issued with latest-implemented technology at that time?
Might save you some money if that path works.
 
Don't you get "revoke and re-issue" support for certs when you pay for them?

In theory, yes.

In practice, Tucows responded with a copy-and-paste of Comodo's instructions, which didn't work. Even though I provided screenshots showing it not working as described, they closed the support ticket without a second thought. It's pretty clear they no longer resell Comodo certs or other developer products, since they deleted all that stuff from their website probably quite some time ago. They probably don't have anyone there who'd be capable of resolving such a problem.

Rather than try to go through Comodo again (tried that before... they expect their resellers to handle all customer support requests), I just bought a new cert from another company. That's how it actually works in practice.
 
Maybe I'd get better service buying directly from Thawte, Globalsign, or Symantec. But their prices are so high, you could buy cheap Comodo-through-reseller certs even 3 or 4 times and still be money ahead.
 
Rather than try to go through Comodo again (tried that before... they expect their resellers to handle all customer support requests), I just bought a new cert from another company. That's how it actually works in practice.

Hopefully this reseller will stay in the business!
 
We just paid a pretty similar price, $265 for 5 years.

Whether it really keeps working for the full 5 years remains to be seen....
 
My win7 completed as noted above - but had the driver (if that is the INF you wonder about).

I just re-ran the first part and said Update Driver and it succeeded without issue for '3 devices'.
 
I just retested the Teensyduino installer on a completely fresh but fully updated Windows 7 install. I'm happy to say the installer signature and the INF "driver" signature are both fully recognized. :)

Capture.PNG
 