SHA-1 retired

Discussions related to using VirtualBox on Windows hosts.
Locked
sieve
Posts: 4
Joined: 5. Nov 2008, 05:24

Post by sieve »

Microsoft retired apps signed with a SHA-1 cert: https://technet.microsoft.com/library/security/2880823

The latest VirtualBox 5.0.14-105127 install on a Windows 10 guest is signed with SHA-1. Images: https://goo.gl/photos/HSDvtNJuvon8cmBr9

This now triggers Microsoft SmartScreen (the big blue box: "Windows protected your PC" / "Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk").

Please move to a more modern certificate for signing VirtualBox.
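
Added example, not part of the original post: one way to check from PowerShell which signature algorithm each certificate in an installer's Authenticode signer chain uses, instead of relying on screenshots. The function name and the installer path in the usage comment are assumptions; it reports certificate signature algorithms only, not the file digest used in the signature itself.

```powershell
# Added example: list the signer chain of a signed file and flag SHA-1
# signed certificates below the root.
function Get-SignerChainAlgorithm {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if (-not $sig.SignerCertificate) {
            # Unsigned file, or a signature that could not be read.
            [pscustomobject]@{
                File = $Path; Status = $sig.Status; Subject = $null
                Algorithm = $null; IsRoot = $false; Sha1Flag = $false
            }
            return
        }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Only list the chain; do not go online for revocation data.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)
        foreach ($element in $chain.ChainElements) {
            $cert   = $element.Certificate
            $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            $isRoot = $cert.Subject -eq $cert.Issuer
            [pscustomobject]@{
                File      = $Path
                Status    = $sig.Status
                Subject   = $cert.Subject
                Algorithm = $alg
                IsRoot    = $isRoot
                # A self-signed root is trusted because it is in the root
                # store, not because of its own signature, so it is not flagged.
                Sha1Flag  = ($alg -match 'sha1') -and (-not $isRoot)
            }
        }
    }
}

# Usage (placeholder path, not a file name taken from the thread):
# Get-SignerChainAlgorithm -Path 'C:\Downloads\installer.exe' | Format-Table -AutoSize
```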
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: SHA-1 retired

Post by socratis »

  • SHA-1 is going nowhere, it's simply that SmartScreen doesn't like it anymore.
  • It's a warning only.
  • SmartScreen is an Internet Explorer feature. Only. You can always use another browser.
  • You can always disable SmartScreen. From Microsoft themselves and the article you linked:
    This status does not prevent customers from downloading the file or running these browsers on their computers. But customers are warned of the not trusted status of the file.
  • I bet it will be fixed soon, it's simply not necessary to have 40 users and their mothers complain about it.
P.S. Your link doesn't actually work. Correct link: https://technet.microsoft.com/en-us/lib ... 80823.aspx
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.

Re: SHA-1 retired

Post by sieve »

Vendors who write Windows applications sign their application using a code-signing certificate. Microsoft announced in November 2013 that in January 2016 they would no longer recognize vendors who continue to use the SHA-1 retired algorithm to announce to users who the vendor is.

Oracle, along with every other Windows application vendor, must stop using a retired code-signing certificate and upgrade. At that point, Microsoft will verify the identity of the vendor. Users who run the VMware install program in Windows will then be able to recognize the name "Oracle" and comprehend what software is being installed.

This is not about antivirus, and this is not about browsers. This is about vendors code-signing applications they deploy. The Windows OS no longer recognizes vendors who haven't upgraded their code-signing certificate. Those that build the VMware installer at Oracle for Windows OS host need to upgrade their toolchain and code-signing certificate to cooperate with the standards for the Windows OS.

Re: SHA-1 retired

Post by socratis »

sieve wrote: "Those that build the VMware installer at Oracle"
Well, I'm willing to bet that no one is. You see, Oracle does not build VMware, they build VirtualBox. Just to keep it clear.
sieve wrote: "with every other Windows application vendor, must stop using a retired code-signing certificate and upgrade"
No more open source projects for you then. Because only those with big pockets or big support (that has big pockets) can deal with it. Fine. If you can live with MS's restrictions. I simply will kill SmartScreen. It's not like it's mandatory, you know...

Oh, you may have missed mpack's answer to the other thread you replied to...