PDA

View Full Version : Problem Signing files with ISE-2008



MLefebvre
09-07-2007, 11:13 AM
Hi,

The only reason why I upgraded from an older version of ISE is the need to sign the .EXE files for Vista.

But problem ! If I enter the certificate password in the "Signing" tab of the Build parameter page (and of course, it first seemed to me a good idea to do so ...), here is what happens :
- The process takes years, with my system being almost blocked (nearly 100% cpu time, most of it in Kernel mode) by ISDEV.EXE.
- The password is asked to me anyway in a popup window, for each file to be signed !

If I do NOT enter any password there, it works ok, except of course that I have to answer the password popup dialog for each signed file.

In addition, ISE signs 2 or 3 additional files named NNN.tmp (with as many prompts for password ...), that are not part of the final package, so why ?

I am running ISE on a W-2000 SP4 system. The certificate is a Developer Certificate from Thawte.

Is this is a known bug ? Is there is a turnaround solution or available update to fix that ? Thanks in advance for your answer.

ML

DebbieL
09-10-2007, 08:14 AM
It sounds like you are using an .spc file and a .pvk file to digitally sign your files.

If you specify an .spc file and a .pvk file for signing, InstallShield uses Signcode.exe to sign your files. If you specify a .pfx file, InstallShield uses SignTool.exe to sign your files.

Using a .pfx file is often the preferred method, since the SignTool.exe utility accepts the password as a command-line parameter, and InstallShield can then pass the password to SignTool.exe during builds, instead of displaying that password prompt. Therefore, if you specify the digital signature password in InstallShield, you will never see a password prompt when you are using a .pfx file. Signcode.exe doesn't support a command-line parameter for passing the password, so that's why you may see the password prompts.

The following help topic describes some tools that you can use to create a .pfx file from .spc and .pvk files:
Digital Signing and Security (http://helpnet.macrovision.com/Robo/BIN/Robo.dll?tpc=/robo/projects/isxhelp14/DigitalSigningSecurity.htm)

About the temporary files that were being signed: It sounds like the Sign files in their original location check box on the Signing tab is cleared in your project. For a description of the behavior that you're encountering, see the description of that check box in the following help topic:
Signing Tab (http://helpnet.macrovision.com/Robo/BIN/Robo.dll?tpc=/robo/projects/isxhelp14/ReleaseGridSigningTab.htm)

Debbie Landers
Macrovision Corporation

MichaelU
09-10-2007, 09:24 AM
Another likely suspect for the NNN.tmp files is signing of the resource exe in which we store icons (also for Vista Logo reasons). This would be used for shortcut icons as well as the Add or Remove Programs icon, so the 2 to 3 extra signings could easily be covered by that.

MLefebvre
09-10-2007, 09:57 AM
First, thanks for the tip about the pvk/pfx alternative. By the way, this would be worth a better explanation in the help file.

About the signing of the extra files, I do not understand what the "check in original location" option has to do with that. But never mind, that is not a big deal.

Still, there is this problem of ISDEV.EXE looping with ~100% CPU in the case I mentioned. Sounds like a bug, no ? It is ok as long as I remember to "NEVER EVER enter a password here", but I am pretty sure that some day I'll forget it and get into some headache again ...