PDA

View Full Version : New Signing Requirements....



Superfreak3
02-09-2016, 09:13 AM
Hi all,

Real quick question, does IS 2015 handle new .msi and file signing requirements...

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Concerns_with_MSIs

... and, if not, will it be coming in a future edition does anyone know?

Thanks for any info!!

LanceRas
02-10-2016, 05:16 PM
IS2015 doesn't support dual signing, which is something that is needed in order to deploy installers properly for XP SP3, Vista, Server 2003 and Server 2008 installs.

You can certainly dual-sign your EXE/DLL's outside of IS2015 and set the appropriate settings in IS2015 Project to not resign the signed files.

You can also, if deploying a single file Setup.EXE, dual sign the Setup.EXE outside of IS2015.

The problem will be the MSI file. Until Flexera adds the ability to dual-sign signing the MSI package after combining the files into the MSI package, but prior to including in the Setup.EXE file, it's not going to help much. While it would also be nice to be able to dual sign the included files or final EXE, at least you can do it with Codesign.

I've not verified, but supposedly Installaware supports dual signing. But since my preference has been with Flexera for many years, I simply hope the folks realize that this is important to support still.

Superfreak3
02-10-2016, 05:25 PM
IS2015 doesn't support dual signing, which is something that is needed in order to deploy installers properly for XP SP3, Vista, Server 2003 and Server 2008 installs.

You can certainly dual-sign your EXE/DLL's outside of IS2015 and set the appropriate settings in IS2015 Project to not resign the signed files.

You can also, if deploying a single file Setup.EXE, dual sign the Setup.EXE outside of IS2015.

The problem will be the MSI file. Until Flexera adds the ability to dual-sign signing the MSI package after combining the files into the MSI package, but prior to including in the Setup.EXE file, it's not going to help much. While it would also be nice to be able to dual sign the included files or final EXE, at least you can do it with Codesign.

I've not verified, but supposedly Installaware supports dual signing. But since my preference has been with Flexera for many years, I simply hope the folks realize that this is important to support still.

So the dual signing is really only needed for support of older OSs? If we are not to support the older OSs we can just go with using the newer certificate? I received a reply from IS support on this (http://helpnet.flexerasoftware.com/installshield22helplib/installshield22helplib.htm#StartTopic=helplibrary/whats_newIS2015.htm) and it seems you just have to point to the new certificate file for single signing using the newer type certificate.

I'll have to check with the powers that be to see what we will support and what we will not.

What happens on the newer OSs if we stay with the older certificate - messages of unrecognized publisher, but the installer will continue if user desires?