
Thread: Extended validation code signing

  1. #1
    Join Date
    Oct 2004
    Posts
    5

    Extended validation code signing

    Hi,

    I currently use InstallShield 2012 Spring Express to create a SingleImage install consisting of an msi and a setup.exe. Currently I'm using the "Signing" tab to sign both the msi and the exe.

    I'm about to upgrade to an EV code signing certificate and I'm trying to get an idea of any problems I'm likely to encounter when signing the install package with the new certificate. This post:

    http://community.flexerasoftware.com...Security-Token

    mentions that automatic signing can't be used, and that manual signing of the exe works, but that doesn't solve the problem of signing the msi.

    The same post mentions that it might be possible to create an msi project, manually sign that, and then create a setup.exe from the msi project and manually sign the exe. If this was possible, that would be ok for me since I don't build installs very often. However the post doesn't go into any details of how to create the setup.exe from the msi. Can anyone tell me if this is possible, and if so, how to go about it?

    Thanks for any advice,

    Robert

  2. #2
    Join Date
    Mar 2016
    Posts
    2
    Quote: Originally posted by Robert Fairlie (post #1 above)
    Hi Robert,
    The solution is relatively simple. InstallShield ships with a version of signtool.exe that it calls to sign the MSI file (and anything else). Rename that as (e.g.) isSignTool.exe and replace it with one that alters the parameters it is called with, then calls the renamed version (see example C# code below):

    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Reflection;
    using System.Windows.Forms;

    static class SignToolWrapper
    {
        static int Main(string[] args)
        {
            try
            {
                string newargs = string.Empty;
                bool skipnext = false;
                bool addedSHA1 = false;
                for (int argc = 0; argc < args.Length; argc++)
                {
                    string arg = args[argc];

                    // Skip file (.pfx), URL and password arguments, as we are going to inject our SHA1 argument instead
                    // Note we only do this if the parameters come in the right order (/f ... /p ...) and the file name contains <YOURPFXFILENAME>
                    if (skipnext)
                    {
                        // We have skipped either the file, the URL or the password! Next argument may be ok to copy
                        skipnext = false;
                    }
                    else if (arg == "/f" && argc + 1 < args.Length && args[argc + 1].Contains("<YOURPFXFILENAME>"))
                    {
                        // Drop "/f <pfx>" and select the certificate from the "my" store by thumbprint instead
                        skipnext = true;
                        if (!addedSHA1)
                        {
                            newargs += " /s my /sha1 <YOURSHA1CODE>"; // TODO: REPLACE THIS FOR EACH NEW CERTIFICATE!
                            addedSHA1 = true;
                        }
                    }
                    else if (addedSHA1 && (arg == "/p" || arg == "/du"))
                    {
                        skipnext = true;
                    }
                    else
                    {
                        // Copy argument to newargs, quoting it if it contains a space.
                        // A "/f" whose file name does not match is copied through unchanged.
                        if (arg.Contains(" "))
                        {
                            newargs += " \"" + arg + "\"";
                        }
                        else
                        {
                            newargs += " " + arg;
                        }
                    }
                }

                // Now start the real signtool.exe, which we have renamed and replaced!
                string location = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
                using (Process p = Process.Start(Path.Combine(location, "isSignTool.exe"), newargs))
                {
                    p.WaitForExit();
                    return p.ExitCode;
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
                return -1;
            }
        }
    }

    Imhotep.
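
Added example, not part of the original posts: the wrapper above silently swaps the .pfx for a store certificate selected by thumbprint, so a post-build check that each output carries a valid signature from the expected certificate is worth running. The file paths and thumbprint values are placeholders (assumptions); `Get-AuthenticodeSignature` is the built-in PowerShell cmdlet.

```powershell
# Expected signer per build output. Paths and thumbprints are placeholders
# (assumptions); use one thumbprint for both files or a different one per file.
$expected = @{
    'C:\Build\MyProduct.msi' = 'REPLACE_WITH_40_HEX_THUMBPRINT'
    'C:\Build\setup.exe'     = 'REPLACE_WITH_40_HEX_THUMBPRINT'
}

function Test-SignedBy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character; keep only the hex digits.
    $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($want.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

    $problems = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        $problems += 'file not found'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') {
            $problems += "status is $($sig.Status): $($sig.StatusMessage)"
        }
        if ($null -eq $sig.SignerCertificate) {
            $problems += 'no signer certificate'
        } elseif ($sig.SignerCertificate.Thumbprint -ne $want) {
            $problems += "signed by $($sig.SignerCertificate.Thumbprint), expected $want"
        }
        if ($null -eq $sig.TimeStamperCertificate) {
            $problems += 'no timestamp on the signature'
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

$results = foreach ($item in $expected.GetEnumerator()) {
    Test-SignedBy -Path $item.Key -Thumbprint $item.Value
}
$failed = @($results | Where-Object { -not $_.Ok })
foreach ($r in $failed) {
    Write-Warning "$($r.Path): $($r.Problems -join '; ')"
}
# A non-zero exit code lets a build script stop before the package is published.
if ($failed.Count -gt 0) { exit 1 }
```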

  3. #3
    Join Date
    Oct 2004
    Posts
    5
    Thanks for that. Unfortunately I've now upgraded to InstallShield Express 2015, and they appear to have stopped shipping(/using?) signtool.exe. In the 2015 release notes it says "SignTool.exe and Signcode.exe are no longer installed on your machine when you install InstallShield. If you want to digitally sign your files manually, consider using SignTool.exe, which is installed with Visual Studio and included in the Microsoft Windows Software Development Kit (SDK)." However, they don't suggest how to manually sign the msi before it gets packaged into the setup exe, either for EV or non-EV signing.

    What I've done in the meantime is buy a Comodo non-EV certificate and use that to sign the msi from within InstallShield, and use EV signing on setup.exe. That seems to be working OK, but I'd still like to hear of any proper solutions, it would be nice not to have to buy two certificates.

    Robert

  4. #4
    Join Date
    Oct 2004
    Posts
    5

    Extended validation code signing

    Thanks for that. Unfortunately I've now upgraded to InstallShield Express 2015, and they appear to have stopped shipping signtool.exe separately. In the 2015 release notes it says "SignTool.exe and Signcode.exe are no longer installed on your machine when you install InstallShield. If you want to digitally sign your files manually, consider using SignTool.exe, which is installed with Visual Studio and included in the Microsoft Windows Software Development Kit (SDK)." However, they don't suggest how to manually sign the msi before it gets packaged into the setup exe, either for EV or non-EV signing.

    What I've done in the meantime is buy a Comodo non-EV certificate and use that to sign the msi from within InstallShield, and use EV signing on setup.exe. That seems to be working OK, but I'd still like to hear of any proper solutions, it would be nice not to have to buy two certificates.

    Robert

  5. #5
    Join Date
    Mar 2016
    Posts
    2
    I don't have 2012, so thanks for the heads up for when we finally upgrade, Robert! We were looking at having to buy 2 certificates too, until I worked out the solution above. Good luck, and if you find a solution, please post it back here. I hope my solution helps others though.
    Imhotep
