Digital Signing Patch for InstallShield 2015 SP2 and Above
Summary
The InstallShield digital signing feature uses a Symantec timestamp server that is being decommissioned and migrated to DigiCert. Signing with the new DigiCert URL breaks digital signing.
Symptoms
When an installer is signed with a SHA-256 digest using the new DigiCert server (http://timestamp.digicert.com), the installer itself is signed with a SHA-256 digest, but the countersignatures are signed with SHA-1 because InstallShield calls the signing APIs in the wrong order.
Affected InstallShield Versions
- InstallShield 2015 SP2
- InstallShield 2016 SP2
- InstallShield 2018 R2
- InstallShield 2019 R2
All minor releases of the versions listed above are included.
Resolution
- The issue is resolved in a hotfix that can be downloaded from this link. Note that the hotfix applies to the latest service packs of the affected versions listed above.
- After applying the hotfix, update the Settings.xml file in <InstallShield_InstallPath>/Support/0409 with the new URLs.
Before
<DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/>
<DigitalSignature TimestampRFC3161="http://sha256timestamp.ws.symantec.com/sha256/timestamp"/>
After
<DigitalSignature Timestamp="http://timestamp.digicert.com"/>
<DigitalSignature TimestampRFC3161="http://timestamp.digicert.com"/>
NOTE: For Japanese, Settings.xml can be found at <InstallShield_InstallPath>/Support/0411.
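On build machines with several InstallShield installations or language folders, the Settings.xml change can be checked and applied with a script. The following is an added example, not code from Revenera or InstallShield. It assumes the file is UTF-8 text and that the DigitalSignature elements look like the ones shown above. The Settings root element in the sample is constructed for illustration.

```python
import re
import sys
from urllib.parse import urlparse

# Hosts taken from the "Before" entries on this page.
LEGACY_HOSTS = {"timestamp.verisign.com", "sha256timestamp.ws.symantec.com"}
NEW_URL = "http://timestamp.digicert.com"

TAG_RE = re.compile(r"<DigitalSignature\b[^>]*>")
ATTR_RE = re.compile(r'\b(Timestamp(?:RFC3161)?)="([^"]*)"')

def _is_legacy(url):
    return (urlparse(url).hostname or "").lower() in LEGACY_HOSTS

def audit(xml_text):
    """Return (attribute, url) pairs that still point at a decommissioned host."""
    findings = []
    for tag in TAG_RE.finditer(xml_text):
        for attr, url in ATTR_RE.findall(tag.group(0)):
            if _is_legacy(url):
                findings.append((attr, url))
    return findings

def migrate(xml_text):
    """Rewrite only legacy timestamp URLs; all other text is left byte-for-byte."""
    def fix_attr(m):
        return f'{m.group(1)}="{NEW_URL}"' if _is_legacy(m.group(2)) else m.group(0)
    return TAG_RE.sub(lambda t: ATTR_RE.sub(fix_attr, t.group(0)), xml_text)

# Constructed sample: root element name is an assumption, entries are from this page.
SAMPLE = '''<Settings>
  <DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/>
  <DigitalSignature TimestampRFC3161="http://sha256timestamp.ws.symantec.com/sha256/timestamp"/>
</Settings>
'''

if __name__ == "__main__":
    # Pass paths such as <InstallShield_InstallPath>/Support/0409/Settings.xml.
    # Assumption: files are UTF-8; adjust the encoding if yours differ.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for attr, url in audit(fh.read()):
                print(f"{path}: {attr} still uses {url}")
    if len(sys.argv) == 1:
        print(migrate(SAMPLE))
```

The script only reports on files passed to it. Write the output of migrate() back yourself after backing up the original, and apply the hotfix first, since changing the URLs alone does not correct the countersignature digest.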
Additional Information
If there are any additional issues, contact Revenera Technical Support.