Is Comodo authenticode certificate trusted by Windows 7?

  • Question

  • Has anyone experience of the Comodo authenticode certificate? I created a couple of Windows 7 virtual machines, one x86 and one x64. Neither was able to run an app signed with the Comodo cert. Further examination showed that neither the root nor the intermediate certificate the signing cert depends on was present in the VMs. Hence the signing cert could not resolve to a trusted authority.

    Having contacted Comodo, they wanted me to manually install their root and intermediate certs. This is akin to me installing self-signed certificates myself and attaining trust that way. I can't believe I paid for some self-signed certificates when I could have made myself some for free.

    So how deep is the trust in Windows for the Comodo certs? I got some vague impressions that their root and intermediate certs would be installed by web browsers if certain websites are visited. Does anyone know how the mechanism behind that works? Thanks.

    Wednesday, September 5, 2018 9:05 PM

Answers

  • Windows 7 installed from older discs will only support SHA1 certificates and treat SHA256 certificates as untrusted. Updated Windows 7 trusts SHA256 certificates but not the SHA1 ones (my guess, with strong possibility of being correct). In order to work with all installations of Windows 7, dual signing with both SHA1 and SHA256 certificates is necessary.

    Comodo support is no use, makes random assertions, and is generally no help. Their OV certs are only partially trusted by Windows 7. So there are chances of applications signed with their certs getting scary "Unknown Publisher" messages.



    • Marked as answer by Dev10110110 Monday, September 10, 2018 2:49 PM
    • Edited by Dev10110110 Monday, September 10, 2018 2:53 PM
    Monday, September 10, 2018 2:49 PM
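
The dual signing recommended in the answer above, together with the chain inspection described in the question, as an added example that is not part of the thread. The function names, file paths, environment variable names and timestamp URLs are hypothetical placeholders; `signtool.exe` is assumed to be on the PATH from the Windows SDK.

```powershell
# Added example. Function names, paths, environment variables and timestamp
# URLs are hypothetical placeholders; signtool.exe ships with the Windows SDK.

function Invoke-DualSign {
    # Run on the build machine: SHA1 primary signature, SHA256 appended.
    param([string]$File, [string]$Sha1Pfx, [string]$Sha256Pfx,
          [string]$AuthenticodeTsUrl, [string]$Rfc3161TsUrl)

    # Primary signature: SHA1 file digest with a legacy Authenticode timestamp.
    & signtool sign /f $Sha1Pfx /p $env:SHA1_PFX_PASSWORD /fd sha1 /t $AuthenticodeTsUrl $File
    if ($LASTEXITCODE -ne 0) { throw "SHA1 signing failed" }

    # /as appends a second signature instead of replacing the first one.
    & signtool sign /as /f $Sha256Pfx /p $env:SHA256_PFX_PASSWORD /fd sha256 /tr $Rfc3161TsUrl /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "SHA256 signing failed" }

    # /all checks every signature in the file; /pa uses the default Authenticode policy.
    & signtool verify /pa /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "Verification failed" }
}

function Get-SignatureChain {
    # Run on the test machine: lists each certificate in the signer's chain and
    # whether the chain ends in a root that machine trusts. Works on PowerShell 2.0.
    param([string]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File
    if (-not $sig.SignerCertificate) { throw "No Authenticode signature found in $File" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test VM may be offline: skip CRL/OCSP
    $trusted = $chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }
        New-Object PSObject -Property @{
            Subject            = $element.Certificate.Subject
            SignatureAlgorithm = $element.Certificate.SignatureAlgorithm.FriendlyName
            Status             = $status
        }
    }
    Write-Host "Signature status: $($sig.Status); chain trusted: $trusted"
}

# Example call on the test VM (placeholder path):
# Get-SignatureChain 'C:\build\MyApp.exe' | Format-List
```

A `PartialChain` or `UntrustedRoot` status in the output of `Get-SignatureChain` means the intermediate or root certificate is missing from, or not trusted in, that machine's certificate store.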

All replies

  • Thanks.

    For application distribution, support for deprecated trust is nevertheless necessary. There is still a sizeable user base for Windows 7. It's not ideal for some of them to be misinformed with an unknown publisher when it clearly isn't the case. As I do often, people will use a disposable installation to try out software. There's no reason for such installations to be updated. Therefore, such new users are lost from the misinformation.

    Monday, September 10, 2018 3:25 PM