Re-releasing Some Apps, SHA-2/SHA256 Digital Signature Bugs On Windows XP and Vista

John T. Haller's picture
Submitted by John T. Haller on March 24, 2015 - 4:41pm will be re-releasing a handful of apps released within the past few weeks due to bugs within Windows XP and Windows Vista's code signing certificate handling. These apps will be posted over the next few days with the standard announcements and automatic updating via the Platform. They'll happen with either new releases of apps that have new versions available or revisions (example: Rev 2) of existing releases. We're including a technical explanation of the issues below to help others that may come across this issue.

Digital Certificates and the Switch to SHA-2 / SHA-256 signs the launchers and installers for our open source releases as well as many freeware releases so that end users are assured that they get a legitimate release that hasn't been tampered with. We've done this for years. With our last code-signing certificate renewal, we opted to obtain an SHA-2 certificate for better security. As with browsers, code signing certificates are switching from SHA1 to SHA2 this year, due to the likelihood of the SHA-1 algorithm being brute forced by more powerful computers and techniques. Microsoft won't even honor EXEs signed with an SHA1 certificate signed after 12/31/2015 as per their SHA1 deprecation policy, so making the switch sooner rather than later is a good idea.

When utilizing the new certificate, we set our signer to produce SHA-2/SHA256 digests to match the certificate. Microsoft doesn't really give any guidance on whether to do this and whether or not SHA1 digests are also being retired on 1/1/2016. It turns our that this was unnecessary and that SHA1 can continue to be used. We later found out that SHA2 can cause issues for some older Windows installs.

Broken Windows XP and Vista Code Signature Components

Windows XP SP3 users that download an EXE signed with an SHA-2/SHA256 digest will see the EXE as unsigned. They will, however, be able to run it just as if it were an unsigned EXE.

Windows Vista SP2 users that download an EXE signed with an SHA-2SHA256 digest will see the EXE as unsigned but be able to run it as if it were unsigned, just like on Windows XP.

In later testing, we found a larger bug that Microsoft seems unaware of. If you download in IE9 on Windows Vista, IE will show the download as "This program was reported as unsafe" in red letters and not give the option to run it directly. You can, however, right-click the file and run it anyway or browse to its folder. This particular behavior would occur for the ~0.36% of users that download via IE on Vista.

Windows Vista users still running the insecure and unsupported SP1 build of Vista or who have not yet applied KB2763674 will have the file silently fail when running it. Vista SP1 was retired in 2011. The patch was released over 2 years ago and was automatically pushed out over Windows Update. The vast majority of Vista users should have no issues, but there may be some holdouts. All Vista users are urged to immediately install SP2 as well as all later patches via Windows Update to ensure their machine is not vulnerable to compromise as well as to ensure they will be able to run software using all signing methods from all publishers.

Re-Releases And App Updates

We switched our build process back to using SHA-1 digests the end of last week when we realized that some Vista and XP users may see invalid certificates. To avoid any issues with users thinking some apps have been compromised or affected due to missing/invalid signatures, we'll be re-releasing any apps affected over the 4 week period prior to that. For all affected apps that have not yet had a new release with an SHA-1 digest, we'll be posting a Revision 2 update of them over the next few days. For open source apps that have already had an update, we'll be pusing new builds for the older versions so that users who need access later can do so (example: Firefox Portable 36.0.1 for testers). For freeware apps that have already had an update, no action needs to be taken as we don't maintain old versions of freeware apps.

Our apologies for any inconvenience this may have caused. Thanks for your patience as we take the time to push the releases out.

- The Team

Story Topic:


John T. Haller's picture

With today's revisions of FotoSketcher, Photofiltre, PicPick and GPU-Z, all apps have now been updated to use SHA1 digests and re-released except for LibreOffice Portable Still 4.3.6. Vista SP1 users can use LibreOffice Portable Fresh 4.4.2 (recommended) or/and upgrade to SP2 (highly recommended). LibreOffice Portable Still's next release will be SHA1 signed for maximum compatibility.

Thanks for your patience during this process.

Sometimes, the impossible can become possible, if you're awesome!

For your hard work and Dedication on this and all of the
PortableApps platform

“Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.” Dr. Seuss

John T. Haller's picture

Windows XP will not have support for SHA256-signed EXEs, so you won't see signatures properly. You can still use all our apps as mentioned above as we added a workaround for XP and Vista 2 years ago when this was posted.

Sometimes, the impossible can become possible, if you're awesome!