
Code signing and build automation to date

Within the last year we updated our packaging tool from IS 10.5 to IS 2010 (just before 2011 went Beta and later released).

One of the things I pitched to get the update (small shop, small budget) was that I would be able to use code signing in our release builds.

Very recently I got them to spring for a signing certificate and happily hooked up the .spc, .pvk and certificate password information to my (IS 2010 Basic MSI) project. I ran a test build and sure enough it showed me that it was signing the .msi and setup.exe. Easy Peasy! I figured I was golden.

I checked in my project changes to TFS Source Control (TFS2008) and queued a product build. The software components built but the InstallShield package build hung. I eventually stopped the build.

There was nothing in the build log to indicate why the package build was hanging but I figured that it must have been the package signing considering that it was the only change.

So I ran the build from the command line (e.g. msbuild tfsbuild.proj /t:MakePackages) and lo, up pops a prompt for a certificate password. Now I didn't see this when running the build from the IS IDE but the command line build issued from within the build script pops up the password prompt window. My script uses IsCmdBld.exe (because IS 2010 Pro doesn't come with a standalone build like IS 10.5 did and I didn't want to fight for the upgrade to Premier to get it, different story).

Now what do I do? I dived back into the community and Googled and Binged and it appears that this is a relatively common problem. However, of the most recent information, it looked like the solution was to use a .pfx type Digital Certificate file which combines the .spc and .pvk file information.

I generated the .pfx using pvk2pfx.exe which I found in my \Program Files\Windows SDK\v6.1 (there is also a version in the v6.0 SDK).

Then I plugged this .pfx file in as the Digital certificate file, cleared the Private key file value and entered the Certificate password value.

I then built the package using the IDE and, when that was successful, used the desktop build (no pop-up windows appeared) and, when that was successful, ran the automated build. That too was successful, although it did add 2-3 minutes to the total product build time.

OK... so what is the takeaway here? Use .pfx Certificate files if you are planning to automate the build and you want both the Setup.exe and Windows Installer package to be signed.

The questions that I might ask, having viewed the long-standing difficulties evidenced by the posts within the community, are: why is this still so difficult (at InstallShield 2010), and why allow .spc+.pvk files to be used at all if they still lead to problems with code signing during automated builds?

The question is more or less rhetorical at this point as my problem is solved. I've posted my experience in case it is useful to others.

1 Reply

I ran into this problem about a year ago. Before I figured out that .pfx files worked, I was using a signcode window monitoring tool to automatically fill in the certificate password if ever the signcode window popped up. I've since converted to .pfx files and haven't looked back since.
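
The .spc/.pvk to .pfx conversion and the unattended signing described in this thread, as an added PowerShell example that is not part of the original posts or InstallShield's own tooling: it builds the .pfx with pvk2pfx, checks that the result carries the private key, and gates the build on the Authenticode status of the signed outputs. The file names, the `-Step` parameter and the `SIGN_PFX_PASSWORD` environment variable are assumptions.

```powershell
# Added example. File names, -Step and SIGN_PFX_PASSWORD are assumptions.
param(
    [ValidateSet('Convert', 'Verify')][string]$Step = 'Verify',
    [string]$Pvk2Pfx  = 'pvk2pfx.exe',                  # assumed to be on PATH (Windows SDK tool)
    [string]$Spc      = 'codesign.spc',                 # hypothetical file names
    [string]$Pvk      = 'codesign.pvk',
    [string]$Pfx      = 'codesign.pfx',
    [string[]]$Signed = @('Setup.exe', 'Product.msi')   # hypothetical build outputs
)
$ErrorActionPreference = 'Stop'

function Convert-ToPfx {
    # Take the password from the build agent's environment, not from a checked-in file.
    # If it is missing, fail fast: a password prompt would hang an unattended build.
    $password = $env:SIGN_PFX_PASSWORD
    if ([string]::IsNullOrEmpty($password)) { throw 'SIGN_PFX_PASSWORD is not set' }

    # -pi: password of the .pvk, -po: password for the new .pfx, -f: overwrite existing
    & $Pvk2Pfx -pvk $Pvk -pi $password -spc $Spc -pfx $Pfx -po $password -f
    if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

    # Confirm the .pfx really contains the private key; a certificate-only file cannot sign.
    $pfxPath = (Resolve-Path $Pfx).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $password
    if (-not $cert.HasPrivateKey) { throw "$Pfx has no private key" }
    "{0} (expires {1:yyyy-MM-dd})" -f $cert.Subject, $cert.NotAfter
}

function Test-SignedOutputs {
    # Post-build gate: fail if any output is unsigned or its signature does not validate.
    $bad = foreach ($file in $Signed) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') { "{0}: {1}" -f $file, $sig.Status }
    }
    if ($bad) { throw ("Signature check failed:`n" + ($bad -join "`n")) }
    'All outputs carry a valid Authenticode signature'
}

if ($Step -eq 'Convert') { Convert-ToPfx } else { Test-SignedOutputs }
```

Run the `Convert` step once on a trusted machine and the `Verify` step as the last target of every automated build, so a package that silently skipped signing fails the build instead of shipping.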