none
Specifying digest hashing algorithm for "Secure Loader" (LVMOD) on Windows Embedded Compact 7 RRS feed

  • Question

  • We are using Secure Loader (LVMOD) to make sure only our own code run on our platform.

    Previously we used SHA1 for code signing digest (and certificate signature algorithm). Now the security requirements have changed and we can no longer use SHA-1, and we have to use SHA256 (SHA-2) instead.

    When testing this we discovered that LVMOD will start executables when they are signed by our new certificate, but with SHA-1 digest.

    Is there a way to instruct LVMOD to only validate binaries signed with a SHA256 digest?

    Friday, August 19, 2016 11:01 AM

All replies

  • Hi Tor-A,

    I am not familiar with LVMOD but it would seem the only way to ensure a file/app is not loaded is to ensure the cert is not in the store.  See https://msdn.microsoft.com/en-us/library/gg156296.aspx

    Sincerely,

    IoTGirl

    Monday, September 5, 2016 6:20 PM
    Moderator
  • Hi IoTGirl,

    The certificate that shall validate a SHA256 digest will also validate a binary signed with a SHA1 digest, so if I remove it our application will not start.

    Is there maybe a way to specify the digest algorithm in the certificate itself?

    Tuesday, September 6, 2016 5:43 AM
  • Hi Tor-A,

    That would be an excellent question for the cert provider as I don't know the answer. :)

    Sincerely,

    IoTGirl

    Tuesday, September 6, 2016 3:32 PM
    Moderator