Extended validation code signing



Robert Fairlie
01-17-2014, 08:17 AM
Hi,

I currently use InstallShield 2012 Spring Express to create a SingleImage install consisting of an msi and a setup.exe. Currently I'm using the "Signing" tab to sign both the msi and the exe.

I'm about to upgrade to an EV code signing certificate and I'm trying to get an idea of any problems I'm likely to encounter when signing the install package with the new certificate. This post:

http://community.flexerasoftware.com/showthread.php?204679-Signing-with-Extended-Validation-Authenticode-Certificate-Security-Token

mentions that automatic signing can't be used, and that manual signing of the exe works, but that doesn't solve the problem of signing the msi.

The same post mentions that it might be possible to create an msi project, manually sign that, and then create a setup.exe from the msi project and manually sign the exe. If this was possible, that would be ok for me since I don't build installs very often. However the post doesn't go into any details of how to create the setup.exe from the msi. Can anyone tell me if this is possible, and if so, how to go about it?

Thanks for any advice,

Robert

Imhotep
03-10-2016, 10:09 AM
Hi Robert,
The solution is relatively simple. InstallShield ships with a version of signtool.exe that it calls to sign the MSI file (and anything else). Rename that as (e.g.) isSignTool.exe and replace it with one that alters the parameters it is called with, then calls the renamed version (see example C# code below):

using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Windows.Forms;

// Drop-in replacement for the signtool.exe that InstallShield calls. It strips the
// "/f <pfx> /p <password> /du <url>" arguments that only make sense for a file-based
// certificate and injects "/s my /sha1 <thumbprint>" so the real signtool picks the EV
// certificate (and its token-resident key) from the certificate store instead.
static class Program
{
    static int Main(string[] args)
    {
        try
        {
            string newargs = string.Empty;
            bool skipnext = false;
            bool addedSHA1 = false;
            for (int argc = 0; argc < args.Length; argc++)
            {
                string arg = args[argc];
                // Skip file (.pfx), URL and password arguments, as we are going to inject our SHA1 argument instead.
                // Note we only do this if the parameters come in the right order (/f ... /p ...) and the file name
                // contains <YOURPFXFILENAME>; the bounds check keeps a trailing "/f" from throwing.
                if (arg == "/f" && argc + 1 < args.Length && args[argc + 1].Contains("<YOURPFXFILENAME>"))
                {
                    skipnext = true;
                    if (!addedSHA1)
                    {
                        newargs += " /s my /sha1 <YOURSHA1CODE>"; // TODO: REPLACE THIS FOR EACH NEW CERTIFICATE!
                        addedSHA1 = true;
                    }
                }
                else if (addedSHA1 && (arg == "/p" || arg == "/du"))
                {
                    skipnext = true;
                }
                else if (!skipnext)
                {
                    // Copy argument to newargs, quoting it if it contains spaces
                    if (arg.Contains(" "))
                    {
                        newargs += " \"" + arg + "\"";
                    }
                    else
                    {
                        newargs += " " + arg;
                    }
                }
                else
                {
                    // We have skipped the file, password or URL value; the next argument may be ok to copy
                    skipnext = false;
                }
            }

            // Now start the real signtool.exe, which we have renamed and replaced!
            string location = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
            using (Process p = Process.Start(Path.Combine(location, "isSignTool.exe"), newargs.TrimStart()))
            {
                p.WaitForExit();
                return p.ExitCode;
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
            return -1;
        }
    }
}

Imhotep.

Robert Fairlie
03-19-2016, 05:34 AM
Thanks for that. Unfortunately I've now upgraded to InstallShield Express 2015, and they appear to have stopped shipping(/using?) signtool.exe. In the 2015 release notes it says "SignTool.exe and Signcode.exe are no longer installed on your machine when you install InstallShield. If you want to digitally sign your files manually, consider using SignTool.exe, which is installed with Visual Studio and included in the Microsoft Windows Software Development Kit (SDK)." However, they don't suggest how to manually sign the msi before it gets packaged into the setup exe, either for EV or non-EV signing.

What I've done in the meantime is buy a Comodo non-EV certificate and use that to sign the msi from within InstallShield, and use EV signing on setup.exe. That seems to be working OK, but I'd still like to hear of any proper solutions; it would be nice not to have to buy two certificates.

Robert
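
The following is an added example, not code posted in this thread. It shows the manual signing step the two posts above are circling around: an EV certificate's private key lives on a hardware token and cannot be exported to a .pfx, so signtool has to be pointed at the certificate store (/s My /sha1 <thumbprint>) rather than at a file and password, which is the same substitution Imhotep's wrapper makes. The script signs whatever files you pass it with the Windows SDK signtool.exe, timestamps the signature, and then verifies the result. The SDK path, the thumbprint and the timestamp URL are placeholders/assumptions to replace with your own values.

```powershell
# Added example (not from the thread): sign files with an EV certificate held on a hardware
# token, selecting it from the certificate store by thumbprint instead of /f <pfx> /p <password>.
# Assumptions: signtool.exe from the Windows SDK is at $SignTool, the token's middleware has
# registered the certificate in Cert:\CurrentUser\My, and $Thumbprint / $TimestampUrl are
# placeholders you replace with your own values.
param(
    [Parameter(Mandatory)] [string[]] $Files,                               # e.g. .\Setup.msi, .\setup.exe
    [string] $Thumbprint   = '<YOUR-EV-CERT-THUMBPRINT>',                   # placeholder: 40 hex chars
    [string] $TimestampUrl = 'http://timestamp.example/rfc3161',            # placeholder RFC 3161 TSA
    [string] $SignTool     = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\signtool.exe"  # assumed SDK path
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $SignTool)) {
    throw "signtool.exe not found at $SignTool (install the Windows SDK or pass -SignTool)"
}

# Pre-flight: the certificate must be in the store, have a usable private key (the token must be
# inserted) and carry the Code Signing EKU. Checking here gives a clearer error than signtool's.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate found but its private key is not available (token not inserted?)" }
$codeSigningEku = '1.3.6.1.5.5.7.3.3'
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku)) {
    throw "Certificate $Thumbprint does not carry the Code Signing EKU"
}

foreach ($file in $Files) {
    # /s My /sha1 <thumb>: take the key from the store (and so from the token); no /f, no /p.
    # /fd SHA256: SHA-256 file digest. /tr + /td: RFC 3161 timestamp so the signature stays
    # valid after the certificate expires. The token's middleware prompts for its PIN.
    & $SignTool sign /s My /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $file
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file (exit code $LASTEXITCODE)" }

    # Verify against the default Authenticode policy (/pa) and cross-check from PowerShell.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $file (exit code $LASTEXITCODE)" }
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "Authenticode status for $file is $($sig.Status)" }
    '{0}: signed by "{1}", status {2}' -f $file, $sig.SignerCertificate.Subject, $sig.Status
}
```

Because the MSI must carry its signature before it is wrapped into setup.exe, run this on the MSI first (with the InstallShield "Signing" tab turned off so the build does not try to re-sign it from a .pfx), then on the built setup.exe. The PIN prompt from the token is why the thread describes this as manual signing: it cannot be scripted away with a stored password the way a .pfx can.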

Imhotep
05-09-2016, 06:55 AM
I don't have 2012, so thanks for the heads up for when we finally upgrade, Robert! We were looking at having to buy 2 certificates too, until I worked out the solution above. Good luck, and if you find a solution, please post it back here :) I hope my solution helps others though.
Imhotep
