An update of Visual Installer 2015 is now available

There is now an update of SamLogic Visual Installer 2015 available. The version number is 10.5.16, and some of the news and improvements in this version are:

• The code signing function in Visual Installer now supports SHA-2 and dual code signing (SHA-1 + SHA-2). Windows 7 and later require SHA-2 for setup packages that are code signed on January 1, 2016 or later. Read more.

• Improved support for Microsoft .NET Framework. Sub-versions of .NET Framework are now also supported (for example version 4.5.1, 4.5.2 etc.). You can also let Visual Installer download and install a specific version of .NET Framework if it is missing on the end-user’s computer. We have added a mini wizard that handles this. Read more.

• Easier to register a type library for a .NET assembly. Read more.

• A new setup dialog box has been added to Visual Installer’s setup wizard: User Options. It’s a general option dialog box where the user can select and unselect options that you have created and added to the installation project. These options cooperate with condition statements in Visual Installer’s scripting language and Visual Installer’s Registry tab. Read more.

• It is now possible to import a VB.NET project that compiles a DLL rather than an EXE file.

• Visual Installer’s scripting language now supports ELSE. Read more.

• Visual Installer now supports environment variables. An environment variable can be expanded during an installation (for example in the Registry tab). We have also added a new script command, SETENV, to the script language; with it you can set an environment variable to a specified value.

• The local (right-click) menu in the File list tab has been extended with a new menu item: Add more files from same source folder. This menu command is very useful if you want to add more files to the file list from a previously used folder in the file list. Read more.

How to download the update
If you have Visual Installer 2015 and a 12-month maintenance plan, you can download the update from the following download page:

> Download – Visual Installer 2015 – Latest update

If you have an older version of Visual Installer, for example Visual Installer 2014, you can upgrade to the latest version of Visual Installer from this order page:

> Upgrade to Visual Installer 2015

Visual Installer now supports SHA-2 and dual code signing

Since January 1, 2016, Windows 7 and newer versions of Windows no longer trust software that is signed with a SHA-1 code signing certificate, if the software is downloaded from the Internet and is time-stamped with a value later than January 1, 2016. This means that if you code sign a binary file (for example an EXE file) this year and use SHA-1 as the hash algorithm, it will not be trusted in newer versions of Windows. Instead you must use a SHA-2 (SHA-256) code signing certificate; then the binary file will be trusted by Windows 7 and newer. You can read more about this in the following articles on Microsoft’s website:

> Windows Enforcement of Authenticode Code Signing and Timestamping
> Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Updated Visual Installer
We have updated our installation tool Visual Installer to support SHA-2 (SHA-256) when it code signs a setup package. We have also updated Visual Installer to support dual signing, so you can code sign a setup package with both SHA-1 and SHA-2. This is very useful if you have software that should also be able to run in older versions of Windows (for example Windows XP). By code signing a setup package twice, first with SHA-1 and then with SHA-2, your code signing certificate will be useful in both older and newer versions of Windows.

How to change hash algorithm from SHA-1 to SHA-2
In Visual Installer you can change the hash algorithm from SHA-1 to SHA-2, for an existing project, by following the steps below:

1. Start Visual Installer
2. Open your project
3. Choose the Special – Setup options menu item
4. Open the Code Signing tab in the Setup options dialog box
5. Open the Option sub tab
6. Select the Use SHA-2 option

Code Signing - Use SHA-2

7. Close the dialog box

If your minimum system requirement is Windows 7, you can use SHA-2 as the hash algorithm. But if you also want to support older versions of Windows, follow the steps below:

How to dual sign a setup package (SHA-1 and SHA-2)
1. Start Visual Installer
2. Open your project
3. Choose the Special – Setup options menu item
4. Open the Code Signing tab in the Setup options dialog box
5. Open the Option sub tab
6. Select the Use SHA-1 and SHA-2 (recommended) option

Code Signing - Use SHA-1 and SHA-2

7. Close the dialog box

When you open your project file
If you have installed the latest version of Visual Installer 2015 (version 10.5.16 or later) and open a project file, you may see this message box when you open your project:

Update SignTool.exe

It is recommended to answer Yes, so that the latest version of Microsoft’s code signing tool is used when a setup package is code signed. If you want to dual sign a setup package, you must have a fairly recent version of the code signing tool. You can read more in this blog post.

Available in Visual Installer 2015 version 10.5.16 and later
The functionality described above is available in Visual Installer 2015 version 10.5.16 and later, in both the Standard and Professional versions of Visual Installer. If you have an active 1- or 12-month maintenance plan for Visual Installer 2015, you can download this update for free from our download page.

See also
> What is SHA-1 and SHA-2 and what’s the difference between them?
> How to code sign a setup package (Visual Installer tip)

What is SHA-1 and SHA-2 and what’s the difference between them?

As we wrote in this blog post, Visual Installer now supports both SHA-1 and SHA-2 hash algorithms when it code signs setup packages. But maybe you wonder what this really means and what the difference is between SHA-1 and SHA-2? We will give a short explanation below.

SHA (in SHA-1 and SHA-2) is an acronym for Secure Hash Algorithm. SHA-1 and SHA-2 are sets of cryptographic hash functions designed by the NSA. Cryptographic hash functions are mathematical operations run on digital data, and by comparing a computed “hash” (the output from an execution of the algorithm) to a known and expected hash value, it is possible to determine the integrity of the data. For example, computing the hash of a downloaded file and comparing the result to a known hash result can show if the downloaded file has been modified or tampered with since it was created.

SHA-1 is older than SHA-2 and it is no longer considered secure. Operating systems (such as Windows) and web browsers will soon not accept SHA-1 anymore; SHA-2 must be used instead. SHA-2 is a family of six hash functions and one of them is SHA-256, which is commonly used when code signing binary files (for example program files, DLL files and setup packages). SHA-256 produces a 256-bit hash value. That is more than the older SHA-1, which only produces a 160-bit hash value.
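The hash comparison described above can be tried in PowerShell. This is an added example, not part of Visual Installer; the function name Test-PublishedHash and the sample file are assumptions made for the illustration, and the sample file content is constructed.

```powershell
# Added example: compare a file's computed hash with a published hash value.
# Test-PublishedHash is a hypothetical helper name, not a built-in cmdlet.
function Test-PublishedHash {
    param([string]$Path, [string]$Expected)

    $Expected = ($Expected -replace '\s', '').ToUpperInvariant()

    # Infer the algorithm from the digest length:
    # 40 hex characters = 160 bits (SHA-1), 64 hex characters = 256 bits (SHA-256).
    switch ($Expected.Length * 4) {
        160     { $algorithm = 'SHA1' }
        256     { $algorithm = 'SHA256' }
        default { throw "Unsupported digest length: $($Expected.Length * 4) bits" }
    }
    if ($algorithm -eq 'SHA1') {
        Write-Warning 'A SHA-1 value was supplied; ask the publisher for a SHA-256 value.'
    }

    $actual = (Get-FileHash -Path $Path -Algorithm $algorithm).Hash
    [pscustomobject]@{
        Algorithm = $algorithm
        Bits      = $actual.Length * 4
        Match     = ($actual -eq $Expected)
    }
}

# Constructed sample file that stands in for a downloaded setup package.
$file = Join-Path $env:TEMP 'sample-setup.bin'
[IO.File]::WriteAllBytes($file, [Text.Encoding]::ASCII.GetBytes('constructed sample package'))

# The value a publisher would list next to the download (computed here for the demo).
$published = (Get-FileHash -Path $file -Algorithm SHA256).Hash

Test-PublishedHash -Path $file -Expected $published   # check the unmodified file

Add-Content -Path $file -Value 'x'                    # simulate a modified download
Test-PublishedHash -Path $file -Expected $published   # check again after the change

Remove-Item $file
```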

For further reading, we recommend the following Wikipedia pages:
> Secure Hash Algorithm
> SHA-1 (Secure Hash Algorithm 1)
> SHA-2 (Secure Hash Algorithm 2)

See also
> What is Code Signing / Digital Signature / Digital Certificate? (Q&A)

Where can I find the latest version of signtool.exe?

When Visual Installer signs a setup package, it runs an external signer tool. Previously you could choose between signcode.exe and signtool.exe, but today it is strongly recommended to use signtool.exe because it is newer, and it is the only one that supports SHA-2.

The signtool.exe tool is installed with Visual Studio and with Windows SDK, and Visual Installer will normally find the newest installed version by itself. But if not, you can select the program file manually in Visual Installer’s editor. If you don’t know where it is located, you can search for “signtool.exe” in Windows Explorer.

Try to choose the newest version of signtool.exe that you can find on your hard drive. If you want to dual sign your setup package (with SHA-1 and SHA-2) you must use the signtool.exe tool version that is shipped with Windows 8.1 SDK or Windows 10 SDK. They are usually located in the following folders:

C:\Program Files (x86)\Windows Kits\8.1\bin\x86
C:\Program Files (x86)\Windows Kits\10\bin\x86

If you don’t have any of these folders on your hard disk, you may not have installed Windows 8.1 SDK or Windows 10 SDK. These SDKs can be downloaded for free from Microsoft’s website:

> Windows Software Development Kit (SDK) for Windows 8.1
> Windows Software Development Kit (SDK) for Windows 10
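
For reference, dual signing can also be done by hand with signtool.exe from the folders listed above. This is an added example, not Visual Installer's own code or the exact commands it runs; the package path, certificate thumbprint and timestamp URLs are placeholders, and it assumes one certificate in your certificate store is used for both signatures.

```powershell
# Added example: dual-sign a setup package manually with signtool.exe.
# All values below are placeholders (assumptions); replace them with your own.
$Package    = 'C:\Build\setup.exe'                           # hypothetical setup package
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'                     # certificate in your store
$TsLegacy   = 'http://timestamp.example.test/authenticode'   # placeholder timestamp URL
$TsRfc3161  = 'http://timestamp.example.test/rfc3161'        # placeholder RFC 3161 URL

# Prefer the Windows 10 SDK copy of signtool.exe, fall back to the Windows 8.1 SDK copy.
$candidates = @(
    'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe',
    'C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe'
)
$signtool = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $signtool) {
    throw 'signtool.exe not found; install the Windows 8.1 SDK or Windows 10 SDK.'
}

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $signtool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool failed: $($Arguments -join ' ')" }
}

# 1) First signature with a SHA-1 file digest. Note that /sha1 selects the
#    certificate by thumbprint; the digest algorithm is chosen with /fd.
Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/fd', 'sha1',
                  '/t', $TsLegacy, $Package)

# 2) Second signature with a SHA-256 file digest and SHA-256 timestamp.
#    /as appends the signature; without it the first signature is replaced.
Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/as', '/fd', 'sha256',
                  '/tr', $TsRfc3161, '/td', 'sha256', $Package)

# 3) Verify every signature in the file against the Authenticode policy.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $Package)
```

The verbose output of the last step lists each signature with its hash algorithm, which is a quick way to confirm that both the SHA-1 and the SHA-256 signature are present before you publish the package.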