
View Full Version : cannot get sha256 timestamps to work



delder
10-01-2015, 03:04 PM
I am able to sign and timestamp my own exe files using signtool with my new sha256 Verisign Authenticode certificate. The signature works fine from Windows 7 to 10. Both the signature and timestamp use sha256.

However, I am unable to get the InstallShield 2015 to properly timestamp my MSI installer.

By default it uses the non-sha256 timestamper supplied by Verisign. If I edit the settings.XML file to use the same sha-256 compliant timestamper that I use on my exe files (http://timestamp.entrust.net/TSS/RFC3161sha2TS), the timestamp gets left out of the MSI file. So I end up with a signed MSI file that has no timestamp.

I suppose this is not surprising since the settings.xml file does not let you specify any of the required signtool parameters when you switch to sha256.

Is there any chance that InstallShield 2015 will be updated to fully support sha256 certificates and sha256 timestamping?

My main reason for using InstallShield 2015 was to be ready for Microsoft's forced sha256 Authenticode requirements.

chad.smith2
04-01-2016, 11:14 AM
Hoping that there is a solution here. Does changing the settings.xml file to a new time server work for anyone else?

rguggisberg
04-04-2016, 04:01 PM
This does work for me. Are you aware that as of InstallShield 2015 SignTool.exe is no longer distributed with InstallShield? Copy it manually.
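
A post-build check for the failure described in the first post (an MSI that is signed but has no timestamp), as an added example that is not part of any post in this thread and not InstallShield's own code. The script's parameter names, the `Test-Timestamp` helper and the default SignTool path are assumptions; the timestamp URL is the one quoted in the first post.

```powershell
# Added example: fail the build if a signed MSI has no timestamp, and try to
# add an RFC 3161 SHA-256 timestamp with a manually supplied SignTool.exe.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    # Assumed location: SignTool.exe is not shipped with InstallShield 2015
    # (see the last reply), so point this at your Windows SDK copy.
    [string] $SignTool = 'C:\Tools\signtool.exe',
    # RFC 3161 SHA-2 timestamp URL quoted in the first post.
    [string] $TimestampUrl = 'http://timestamp.entrust.net/TSS/RFC3161sha2TS'
)

# Hypothetical helper: summarize the Authenticode state of one file.
function Test-Timestamp([string] $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) { throw "$Path is not signed" }
    [pscustomobject]@{
        Status       = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        # TimeStamperCertificate is $null when the signature has no timestamp.
        HasTimestamp = $null -ne $sig.TimeStamperCertificate
        Timestamper  = $sig.TimeStamperCertificate.Subject
    }
}

$state = Test-Timestamp $MsiPath
if (-not $state.HasTimestamp) {
    Write-Warning "$MsiPath is signed but not timestamped; adding one."
    # /tr selects an RFC 3161 server, /td the digest used for the timestamp.
    & $SignTool timestamp /tr $TimestampUrl /td sha256 $MsiPath
    if ($LASTEXITCODE -ne 0) { throw "signtool timestamp failed ($LASTEXITCODE)" }
    $state = Test-Timestamp $MsiPath
}

# Verify against the default Authenticode policy; /v also prints the
# signature and timestamp digest algorithms for a manual sha256 check.
& $SignTool verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed ($LASTEXITCODE)" }

if (-not $state.HasTimestamp -or $state.Status -ne 'Valid') {
    throw "Signature check failed: status=$($state.Status), timestamp=$($state.HasTimestamp)"
}
$state
```

Without a timestamp the signature stops validating once the signing certificate expires, so running this check after every build catches the silent omission before the MSI ships.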