Binaries with outdated digital certificates or unsigned

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed

Moderators: white, Hacker, petermad, Stefan2

Slavic
Senior Member
Posts: 290
Joined: 2006-02-26, 15:41 UTC
Location: Montenegro

Binaries with outdated digital certificates or unsigned

Post by Slavic »

Most of the binaries in the TC distribution have a digital certificate (Digital Signature) from Ghisler Software GmbH, which is up to date. In particular, in the current 10.00b3 the expiration time is 28 October 2022. However, some binaries have not been updated for too long and have expired certificates; some others don't have a certificate at all. While this does not prevent TC and its components from working properly, the requirements may become stronger in forthcoming Windows versions, so it would be better to update the certificates of all binaries, where possible, in the final TC 10 release.

List of outdated and unsigned binaries in TC 10.00b3 distribution:

Outdated binaries (valid to: dd/mm/yyyy)
x64
CGLPT64.SYS - 12/05/2011
NOCLOSE64.EXE - 26/05/2017
TCMDX32.EXE - 26/05/2017
TCUNZL64.DLL - 26/05/2017
TcUsbRun.exe - 26/05/2017
WCMZIP64.DLL - 22/08/2018

x32
CGLPT64.SYS - 12/05/2011 (same as in x64)
CGLPTNT.SYS - 12/05/2011
TCMDX64.EXE - 26/05/2017
TCUNZLIB.DLL - 26/05/2017
TcUsbRun.exe - 26/05/2017 (same as in x64)
WCMZIP32.DLL - 22/08/2018

Unsigned binaries (some licensed 3rd-party libraries were not signed by their creators)
x64
SFXHEAD.SFX
TC7Z64.DLL
TCLZMA64.DLL
TCshareWin10x64.dll
WCMICON2.DLL
WCMICONS.DLL
FILTER64\AutoPitch.dll
FILTER64\SoundTouchDLL_x64.dll

x32
CABRK.DLL
CGLPT9X.VXD
FRERES32.DLL
SFXHEAD.SFX (same as in x64)
SHARE_NT.EXE
TC7Z.DLL
TCMDLZMA.DLL
TCshareWin10.dll
UNACEV2.DLL
UNRAR9X.DLL
WC32TO16.EXE
WCMICON2.DLL (same as in x64)
WCMICONS.DLL (same as in x64)
FILTER32\AutoPitch.dll
FILTER32\SoundTouchDLL.dll
Desktop: Windows 11 Pro 23H2, TC 11.03(RC). Mobile: Pixel 5a, Android 14, TC 3.42b5
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: Binaries with outdated digital certificates or unsigned

Post by Dalai »

As long as the CA signing certificate in the certificate chain is valid, even expired client certificates are considered valid. If that behavior would change, a good portion of every available software out there would be considered unsigned or invalidly signed, so I think it's highly unlikely that it's going to change. And that's the reason certificate chains exist.

Furthermore, it's been a requirement to use SHA256 based certificates to sign files for many years now, but such certs are only recognized by Win7 and higher, which means that files would appear unsigned on older operating systems (although the files are signed).

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
Usher
Power Member
Posts: 1675
Joined: 2011-03-11, 10:11 UTC

Re: Binaries with outdated digital certificates or unsigned

Post by Usher »

Dalai wrote: 2021-03-27, 10:34 UTC Furthermore, it's been a requirement to use SHA256 based certificates to sign files for many years now, but such certs are only recognized by Win7 and higher, which means that files would appear unsigned on older operating systems (although the files are signed).
For some time in the past files were dual signed with two hash functions (SHA256 and SHA1) and they were properly recognized as signed in older systems. I don't know if it's still possible.
Andrzej P. Wozniak
Polish subforum moderator
DrShark
Power Member
Posts: 1872
Joined: 2006-11-03, 22:26 UTC
Location: Kyiv, 68/262
Contact:

Re: Binaries with outdated digital certificates or unsigned

Post by DrShark »

Slavic wrote: 2021-03-27, 08:43 UTC CGLPT64.SYS - 12/05/2011 (same as in x64)
CGLPTNT.SYS - 12/05/2011
For these files an old signature is used intentionally to make them work in modern Windows, as explained in the following post: https://ghisler.ch/board/viewtopic.php?p=358925#p358925
Donate for Ukraine to help stop Russian invasion!
Ukraine's National Bank special bank account:
UA843000010000000047330992708
Slavic
Senior Member
Posts: 290
Joined: 2006-02-26, 15:41 UTC
Location: Montenegro

Re: Binaries with outdated digital certificates or unsigned

Post by Slavic »

I should agree that the current situation with signing is far from perfect (as it was imagined at introduction) and sometimes intentional use of outdated certificates has a reason because of the illogical (ill-logical) position of Windows developers, which we, unfortunately, cannot correct.

But on the other side, signing is useful simply as a method of integrity checking, that a DLL hasn't been damaged, modified or replaced, and even when outdated, the certificate is able to play this role as long as the certificate chain is valid. So, I would suggest having as many DLLs signed as possible.
Desktop: Windows 11 Pro 23H2, TC 11.03(RC). Mobile: Pixel 5a, Android 14, TC 3.42b5
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Binaries with outdated digital certificates or unsigned

Post by ghisler(Author) »

List of outdated and unsigned binaries in TC 10.00b3 distribution:
That's not how signatures work: Windows signing uses a mechanism called timestamping: A timestamp of the time when the file was signed is added. This timestamp is created by a special secure timestamp server, so the timestamp cannot be faked. Windows acknowledges a certificate as valid when the signature was created within the validity period of the certificate. Example:
If the certificate is valid from 1/1/2001 to 1/1/2003 and the timestamp is within that period, then the certificate is valid.
Author of Total Commander
https://www.ghisler.com
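
The cases this thread distinguishes (no signature, a signature Windows rejects, and a signature Windows still accepts although the signing certificate has since expired) can be checked per file. The PowerShell below is an added example, not part of the thread and not Total Commander's own code; the folder path and the function name are assumptions, and it uses only the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example, not from the thread.
$Root       = 'C:\totalcmd'              # assumed install folder, adjust as needed
$Extensions = @('.exe', '.dll', '.sys')  # file types to inspect

function Get-SignatureAudit {
    param([string]$Path, [string[]]$Extensions)

    $now = Get-Date
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = $sig.SignerCertificate
            $tsa    = $sig.TimeStamperCertificate

            # Separate the cases discussed in the thread: no signature at all,
            # a signature Windows rejects, and a signature Windows accepts even
            # though the signing certificate has since expired.
            $state = if ($sig.Status -eq 'NotSigned') {
                'Unsigned'
            } elseif ($sig.Status -ne 'Valid') {
                "Rejected: $($sig.Status)"
            } elseif ($signer.NotAfter -lt $now) {
                'Valid, signer certificate expired'
            } else {
                'Valid, signer certificate current'
            }

            [pscustomobject]@{
                File           = $_.FullName
                State          = $state
                SignerNotAfter = if ($signer) { $signer.NotAfter.ToString('yyyy-MM-dd') }
                # Algorithm the signer certificate itself was signed with.
                CertAlgorithm  = if ($signer) { $signer.SignatureAlgorithm.FriendlyName }
                # The cmdlet exposes the timestamping certificate, not the signing time.
                Timestamped    = [bool]$tsa
            }
        }
}

Get-SignatureAudit -Path $Root -Extensions $Extensions |
    Sort-Object State, File |
    Format-Table -AutoSize
```

Files reported as "Valid, signer certificate expired" with Timestamped set to True are the timestamped case described in the post above; "Unsigned" and "Rejected" rows are the ones that provide no integrity check.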