PDA

View Full Version : Improved Digital Signing



rchand445
05-23-2007, 04:36 PM
Nice job on improving the digital signing process!

MichaelU
05-24-2007, 10:30 AM
Thanks! Have you already switched over to using a .pfx certificate, and have you had any problems doing so, or figuring out how to do so?

rchand445
05-24-2007, 11:02 AM
Actually I have been using a pfx file since last year. I automated the build process using the standalone build module and Nant scripting. At that time I used signtool and the pfx file to sign the install media instead of Installshield's build engine in order to overcome the password prompt during the build process.

To convert my spc and pvk certificate files to a pfx file, I downloaded the pvkimprt tool from microsoft ( www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN) then ran the following command from the command line:

pvkimprt -PFX <path to spc file> <path to pvk file>

The tool asks for an export file name, which you enter as your desired pfx file name.

Gvarma
05-31-2007, 06:03 PM
Actually I have been using a pfx file since last year. I automated the build process using the standalone build module and Nant scripting. At that time I used signtool and the pfx file to sign the install media instead of Installshield's build engine in order to overcome the password prompt during the build process.

To convert my spc and pvk certificate files to a pfx file, I downloaded the pvkimprt tool from microsoft ( www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN) then ran the following command from the command line:

pvkimprt -PFX <path to spc file> <path to pvk file>

The tool asks for an export file name, which you enter as your desired pfx file name.

Hi,

Is it possible to use Digital Signature part of Installshield outside 2008? Well I sign .DOT and other application binaries (exe, dll, ocx etc) on every day basis and i get between 30 to 100 files everyday, now signing these files everyday manually, one by one is a "paint in the butt (pardon my language)", I was wondering if there is a solution out there , which can be used to collectivly sign files?

TIA

rchand445
05-31-2007, 10:35 PM
Well, now it appears you have two options.

Installshield 2008 allows you to sign dll's, executables, and other files as well as the traditional setup files. I don't have the IDE up and running at the moment, but I believe that this feature is available in the release configuration view.

You can also call Microsoft's version of signtool.exe from a script or batch process. Signtool.exe is available if you install Visual Studio 2005 or Microsoft's Platform SDK. For further information on the use of signtool.exe go here (http://msdn2.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx).

Note that this tool is used to sign files for compatiblity with Internet Explorer. To sign files for compatibility with Netscape or Mozilla based browsers, you will need to use Netscape's version of signtool.exe. I'm not sure that this tool is currently supported or available for download.

LanceRas
05-31-2007, 11:14 PM
I too agree that the efforts toward digital signing and signing more than just the installer is a big improvement.

Gvarma
06-01-2007, 01:04 PM
Well, now it appears you have two options.

Installshield 2008 allows you to sign dll's, executables, and other files as well as the traditional setup files. I don't have the IDE up and running at the moment, but I believe that this feature is available in the release configuration view.

You can also call Microsoft's version of signtool.exe from a script or batch process. Signtool.exe is available if you install Visual Studio 2005 or Microsoft's Platform SDK. For further information on the use of signtool.exe go here (http://msdn2.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx).

Note that this tool is used to sign files for compatiblity with Internet Explorer. To sign files for compatibility with Netscape or Mozilla based browsers, you will need to use Netscape's version of signtool.exe. I'm not sure that this tool is currently supported or available for download.

Hi,

Thanks for your response. The signtool.exe is useful when you are signing exe.dll etc what about Macro Enabled Word templates (.dot, docm etc) file. Is there a way to collectivly sing all macro enabled files? its a big pain when you have to open each templates and sign the macro one by one.

TIA

rchand445
06-01-2007, 01:24 PM
Quite frankly I have never had the "pleasure" of digitally signing MS Office documents. Have you seen this article before?

Digitally Sign a Word 2002 Document and Programmatically Retrieve Digital Signature Information (http://msdn2.microsoft.com/en-us/library/aa140281(office.10).aspx)