Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!

News Update: Code Signing Certificate Status

rconn

rconn

Administrator
May
13,683
257
Staff member
I got a response from Comodo (who issued the code signing certificate). But it wasn't particularly helpful - they said the problem is most likely due to a bad internet connection, and the WinVerifyTrust API (the Windows API that's returning the CERT_E_EXPIRED error) couldn't be returning CERT_E_EXPIRED, but actually is returning CERT_E_REVOCATION_FAILURE (unable to verify the signature) error. I responded that it was unlikely given that (1) several thousand users suddenly had a bad internet connection, and it would work if they set their system clock back, and (2) the error returned by WinVerifyTrust was absolutely, positively CERT_E_EXPIRED. No further response, but they did obliquely hint that Microsoft might have added the certificate to the CRL (certificate revocation list).
 
I doubt that it is due to a bad internet connection as in our case the error occured also on all systems we registered with manual/offliine keys because the do not have and never had a internet connection.
 
Hmm, isn't the problem that the IsLicense50.dll file (which I'm assuming is used for the licensing functionality) has an expired certificate, and no signed timestamp? The certificate expired on ‎Tuesday, ‎March ‎13, ‎2018 19:33:39, so that seems pretty likely. Note that this could be the same type of issue that hit Oculus, where they didn't add a signed timestamp to one of their files:
https://www.reddit.com/r/oculus/comments/82nuzi
 
Agreed, as soon as I saw the email this morning I thought, "must be the same problem as Oculus." You beat me to it by a few minutes. :-)

When you sign your code, you have to get it co-signed by a timestamp server. This prevents the signature from expiring when the certificate does, because it validates that the certificate was valid at the time of signing. Once you do that, your signed code remains valid even after the certificate expires.

Here is some information on Comodo's timestamp server.
 
Last edited:
dim said:
Hmm, isn't the problem that the IsLicense50.dll file (which I'm assuming is used for the licensing functionality) has an expired certificate, and no signed timestamp? The certificate expired on ‎Tuesday, ‎March ‎13, ‎2018 19:33:39, so that seems pretty likely. Note that this could be the same type of issue that hit Oculus, where they didn't add a signed timestamp to one of their files:
https://www.reddit.com/r/oculus/comments/82nuzi
Click to expand...
I was about to report the exact same thing. A signed peace of code needs to be timestamped, otherwise Windows refuses to load it (if the certificate is expired, that is).
 
Last edited:
Michael Geary said:
Agreed, as soon as I saw the email this morning I thought, "must be the same problem as Oculus." You beat me to it by a few minutes. :-)

When you sign your code, you have to get it co-signed by a timestamp server. This prevents the signature from expiring when the certificate does, because it validates that the certificate was valid at the time of signing. Once you do that, your signed code remains valid even after the certificate expires.

Here is some information on Comodo's timestamp server.
Click to expand...
The TCMD / TCC code signing uses the Verisign timestamp server.
 
rconn said:
The TCMD / TCC code signing uses the Verisign timestamp server.
Click to expand...
However, IsLicense50.dll is not and I have no doubt, that that is what is causing the problem.

2018-03-15_10-20-21.png
 
erpomik said:
However, IsLicense50.dll is not and I have no doubt, that that is what is causing the problem.
Click to expand...
Good catch! Looks like when there is no timestamp, Windows considers it valid until the signing cert expires, which happened on 3/13/2018.
 
It sounds like a lack of decent support by Comodo. Under those circumstances, I suggest a new vendor is called for. The reliability of any product depends on the reliability of the suppliers.
 
Since Rex is using Verisign stamping servers, it may be their fault, and signing program did not fail when stamping failed.
 
I faintly recall that one of the stamping utilities I tried has special switch to consider timestamping failure to be a (non?)fatal error. I don't recall details, sorry. I'd need to dig through my VM's and find my old buildbot config for more information. Been several hard hears since I've used it, sorry.
 
You must log in or register to reply here.
Back
Top