SHA-1 retired
Posted: 26. Jan 2016, 03:07
by sieve
Microsoft retired apps signed with a SHA-1 cert:
https://technet.microsoft.com/library/security/2880823
The latest VirtualBox 5.0.14-105127 install on Windows 10 guest is signed with sha1. Images:
https://goo.gl/photos/HSDvtNJuvon8cmBr9
This now triggers Microsoft SmartScreen (the big blue box: "Windows protected your PC" / "Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk").
Please move to a more modern certificate for signing VirtualBox.
Re: SHA-1 retired
Posted: 26. Jan 2016, 10:12
by socratis
- SHA-1 is going nowhere, it's simply that SmartScreen doesn't like it anymore.
- It's a warning only.
- SmartScreen is an Internet Explorer feature. Only. You can always use another browser.
- You can always disable SmartScreen. From Microsoft themselves and the article you linked:
This status does not prevent customers from downloading the file or running these browsers on their computers. But customers are warned of the not trusted status of the file.
- I bet it will be fixed soon, it's simply not necessary to have 40 users and their mothers complain about it.
P.S. Your link doesn't actually work. Correct link:
https://technet.microsoft.com/en-us/lib ... 80823.aspx
Re: SHA-1 retired
Posted: 27. Jan 2016, 19:44
by sieve
Vendors who write Windows applications sign their application using a code-signing certificate. Microsoft announced in November 2013 that in January 2016 they would no longer recognize vendors who continue to use the SHA-1 retired algorithm to announce to users who the vendor is.
Oracle, along with every other Windows application vendor, must stop using a retired code-signing certificate and upgrade. At that point, Microsoft will verify the identity of the vendor. Users who run the VMware install program in Windows will then be able to recognize the name "Oracle" and comprehend what software is being installed.
This is not about antivirus, and this is not about browsers. This is about vendors code-signing applications they deploy. The Windows OS no longer recognizes vendors who haven't upgraded their code-signing certificate. Those that build the VMware installer at Oracle for Windows OS host need to upgrade their toolchain and code-signing certificate to cooperate with the standards for the Windows OS.
Re: SHA-1 retired
Posted: 27. Jan 2016, 19:52
by socratis
sieve wrote: Those that build the VMware installer at Oracle
Well, I'm willing to bet that no one is. You see, Oracle does not build VMware, they build VirtualBox. Just to keep it clear.
sieve wrote: with every other Windows application vendor, must stop using a retired code-signing certificate and upgrade
No more open source projects for you then. Because only those with big pockets or big support (that has big pockets) can deal with it. Fine. If you can live with MS's restrictions. I simply will kill SmartScreen. It's not like it's mandatory, you know...
Oh, you may have missed mpack's answer to the other thread you replied...