I am trying to have InstallShield 2015 (stand-alone) sign my setup.exe and the Installer** in the build. The build is running on Windows 2008 R2 SP1.
I have researched most of the suggestions from https://flexeracommunity.force.com/customer/articles/en_US/ERRDOC/Build-Error-1027
Is it because of https://community.flexerasoftware.com/archive/index.php?t-220438.html ?

- This build worked a year ago on the same machine. However, it was using signcode (not signtool) and .pvk, .spc files. I replaced the expired certificate with a valid new .pfx file.
It fails with
"Started signing 4005.tmp ...
ISDEV : fatal error -1027: Failed signing 4005.tmp"

More details:
File size for "F:\win32\install\win32\template\setup.exe": 3824603
File size for "F:\win32\install\win32\template\Setup.ini": 5224

- No signtool.exe came in I/S Stand-Alone. Tried copying signtool.exe (V6.2.9200...) from MS .Net 2008 to <PROGRAMFILES>\InstallShield\<Product>\Support and ... \System with no success.

We have also tried - running signtool.exe out of D:\SDK\8.0/bin/x86 in the build.

- From the command line on the build machine running signtool.exe works only, when signtool.exe is run from the MS SDK directory:

HOWEVER, signtool.exe on the command line does NOT WORK when run from other directories even with it in the path. Not sure if this is the root cause

When signing outside of InstallShield in the build - signtool works, There are over 90 calls to signtool visible in the build logs before the failure
For example
G:\win32\src\libraries\cppunit>D:\SDK\8.0/bin/x64/signtool.exe sign /f G:\win32\include\win32\mypfx.pfx /p xxxxxx /t http://timestamp.verisign.com/scripts/timstamp.dll /v cppunit_dll.dll
The following certificate was selected:
Issued to: ...
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: Thu Nov 01 18:59:59 2018
SHA1 hash: E5C81C59E8BA81C9F32C0FC3F05F78924724B4EC

And it works on Windows 7 local build using same signtool.exe.

I have tried numerous path variable combinations - moving .pfx to I/S proj folder, etc . Tried putting mypfx.pfx in the I/S Support directory too.
- and hash settings etc
And tried different timestamp servers (and none), different hash options too.

** If I remove signing the setup.exe and leave only the installer I get this different error information:
Started signing certificate.msi ...
ISDEV : fatal error -1027: Failed signing package. Verify that a valid digital certificate file exists in the specified location.
Creating path "F:\win32\install\win32\template Data\LogFiles"
Product Configuration 1\Release 1 - 1 error(s), 6 warning(s)
Log file has been created: <file:F:\win32\install\win32\template Data\LogFiles\11-20-2017 12-43-15 PM.txt>

- Is there a way to get more information /trace on the signtool in the output file to see how I/S invokes signtool?

Thank you