QuickBooks desktop users running older versions of some desktop add-on products are starting to run into problems where they cannot get these apps to connect to QuickBooks. This started with a small number of users, but it is becoming a bigger problem as time moves on.
You may find that you are confronted by a “Revoked Certificate” error dialog when running the add-on program.
Code Signing Certificates
Desktop software products can be “digitally signed” with a code signing certificate. This is a security feature that was originally set up in the 1990s to provide a way to verify that the software that you install does indeed come from the publisher that you expect. It is a good thing!
When you have requested an add-on product to connect to the QuickBooks database, QuickBooks will look to see if the software is properly signed. There are three possible outcomes:
- The software can be properly signed, and you can let it connect to the database (or not, if you don’t want it to).
- The software can be unsigned. If this occurs, QuickBooks will point out that it isn’t signed and that there is some possibility that the software isn’t what you expect it to be. However, you can still let it connect to your database.
- The software could have a “revoked” certificate. That is, for some reason, the software developer or some other authority has withdrawn support for the certificate. In this case, QuickBooks won’t allow the software to connect.
The problem is that SHA-1, the cryptographic hash algorithm that has been used to protect code signing for many years, is getting old. With modern technology, researchers have shown that it can be broken. So, Microsoft is telling software developers that they need to upgrade their certificates to a newer, more secure version: SHA-256.
Why This Breaks Some Software
Microsoft has started rolling out updates to Windows that will invalidate older SHA-1 certificates. At this time we are starting to see this occur in Windows 10. I’m not sure which update to Windows 10 includes this change. Some Windows 10 systems aren’t showing the problem, others are.
These updates should also be rolled out to Windows 7 and Windows 8 in the coming months.
When your Windows system gets this update, any SHA-1 certificates will be deemed invalid.
So, if you are running a version of an add-on program that hasn’t been updated to a SHA-256 code signing certificate, at some point in the near future you are going to see that “Revoked Certificate” error showing up. You won’t get any warning – one day the software will work, the next day it will stop. The problem isn’t that the software vendor “revoked” their own certificate. The problem is that you are running an older product. Windows no longer accepts the certificate and QuickBooks won’t let the software access your data with that certificate.
The odd thing is that if your software was not code signed, you wouldn’t have this problem! QuickBooks will let unsigned software access your data, which is less secure than allowing a product that has the older, less secure signing.
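To find out ahead of time whether an installed add-on is signed with a SHA-1 certificate, you can inspect its files from PowerShell. This is an added example, not from the original article or from Intuit or the add-on vendors; the install folder is a placeholder and the function name Get-AddOnSignatureReport is made up for illustration.

```powershell
# Added example: inventory the Authenticode signatures under an add-on's
# install folder and flag signing certificates that use SHA-1.
# The default folder below is a placeholder, not a real product path.
param(
    [string]$AddOnFolder = 'C:\Program Files (x86)\ExampleAddOn'
)

function Get-AddOnSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate

            # Unsigned files have no signer certificate at all.
            $algorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }

            $finding = if ($sig.Status -eq 'NotSigned') {
                'Unsigned'
            } elseif ($algorithm -match '^sha1') {
                'SHA-1 certificate: ask the vendor for an updated build'
            } elseif ($sig.Status -ne 'Valid') {
                "Signature problem: $($sig.StatusMessage)"
            } else {
                'OK'
            }

            [pscustomobject]@{
                File      = $_.FullName
                Status    = $sig.Status
                Algorithm = $algorithm
                Signer    = if ($cert) { $cert.Subject } else { $null }
                Expires   = if ($cert) { $cert.NotAfter } else { $null }
                Finding   = $finding
            }
        }
}

# Print one row per executable or DLL, grouped by finding.
Get-AddOnSignatureReport -Path $AddOnFolder |
    Sort-Object Finding, File |
    Format-Table File, Status, Algorithm, Finding -AutoSize
```

The Algorithm column is the signing certificate's own signature algorithm (for example sha1RSA or sha256RSA); it does not show the digest used for the file hash itself.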
Update Your Software, If You Can
Developers can update their software from SHA-1 to SHA-256 by spending some money for a new certificate, and then generating a new version of the software. For many users, this just means that you need to upgrade your add-on products if you haven’t already.
Some developers may charge you a fee to move up to their latest release.
Unfortunately, there are some software products that people are using that cannot be updated. Some products just cannot be updated for technical reasons – they are too old, the components that they use are hard to update, or it might not be economically feasible to update. In some cases, users may be using software from companies that are no longer in existence.
I’m bringing this up now because it is a problem that is going to grow, and you need to prepare. If you are using an add-on product, ask the developer if they have updated their product. You don’t want to be caught by surprise when your add-on suddenly stops working without warning.
In many situations, upgrading from SHA-1 to SHA-256 isn’t difficult. There are expenses involved, such as purchasing a new certificate and generating a new version of the software.