InstallShield appears to use the default SHA-1 when signing. How is this set to the newer standard? I don't see the digest type listed in the signing options. Signtool.exe supports /fd SHA256, for example.
I read somewhere that Microsoft stops support for SHA-1 on January 1, 2016.
We don't offer this out of the box today, but are tracking a feature request for adding it as IOJ-1700927. If you can find the source for SHA-1 being unsupported, I can add that to our report as supporting evidence to prioritize this feature.
If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to \System\signtool.exe and does something else instead.
For code signing certificates, Windows will stop accepting SHA1 code signing certificates without time stamps after 1 January 2016. SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack."
It isn't clear to me exactly what Microsoft's policy where code signing is concerned but their intent is clear enough: stop using SHA-1 if you can. The bottom line is that SHA-1 is weak so its use is deprecated wherever possible.
Thanks much for the links; they provide pretty strong rationale to add official support ASAP. Unfortunately I can't make any guarantees when "ASAP" means, but I'll be pushing for adding it to our next major release.
MichaelU wrote: We don't offer this out of the box today, but are tracking a feature request for adding it as IOJ-1700927. If you can find the source for SHA-1 being unsupported, I can add that to our report as supporting evidence to prioritize this feature.
If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to \System\signtool.exe and does something else instead.
I have a wrapper for this that works---allowing me to SHA256 sign---that I'm willing to post.... but I can't get the codesigning of the MSI file to work at all without the wrapper! I can sign the EXE/DLLs, I can sign the final setup exe, but anytime I turn on MSI signing (ie by itself, or with the MSI+EXE option) I get
ISDEV : error -6003: An error occurred streaming 'C:\C...\PROJECT_ASSISTANT\SINGLE_EXE_IMAGE\DiskImages\DISK1\XXX.isc' into setup.exe ISDEV : error -6003: An error occurred streaming 'C:\...\PROJECT_ASSISTANT\SINGLE_EXE_IMAGE\DiskImages\DISK1\XXX.msi' into setup.exe
Again, this is just with the stock unmodified product. I concede I'm using IS2011, but I expect base functionality like this to work. Antivirus is off. It's not exactly an incentive to upgrade knowing that SHA256 isn't addressed.
Are there known issues in the signing? Any way to get the msi, sign it separately, then generate the final EXE? Thanks.
Working SHA-2/SHA256 signtool wrapper --- special purpose for use in InstallShield. Can SHA-2 sign exes, dlls, msis. Signing problem I had was due to Microsoft's 2949927 update, uninstall that!
[CODE]#include #include #include
// Mock signtool.exe to replace // C:\program files (x86)\Installshield\2011\System\signtool.exe (or equivalent) // allowing you to supply better arguments than InstallShield allows // Limited functionality, just for use by InstallShield // // To compile: // Open command line window // Set up MS Visual Studio commandline args with vcvars32 // cl signtool.cpp // Drag signtool.exe to the installshield folder above. // *** Do NOT replace your main signtool.exe below! // // Create a batch file to supply the desired arguments, with the // same name as your pfx file, but with a .bat extension // In this sample batch file, you need to: // Adjust the path to the "real" signtool.exe // --- ie a modern one that handles SHA-2 // Stick in whatever arguments you want, ie your timestamper // (The sha2 arguments are already there) // //++++++++++++++ // SET tool=C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe // "%tool%" sign /v /fd sha256 /tr http://timestamp.digicert.com /td sha256 /f %2 /p %3 %1 //-------------- // You can put a "pause" at the end of the batch file to watch it go for testing
Please note that by using the following hack you will change installed system in your own responsibility. Backup any file prior changing/replacing it.
1. Replace the C:\program files (x86)\Installshield\201x\System\signtool.exe by the version from Windows 7 SDK. 2. Inject the command line parameter into URL in your project i.e. http://www.yourdomain.com" /fd sha256"
InstallShield 2015, which was just released today, has built-in SHA-256 support for code-signing your installations and files at build time. For more details, see the InstallShield 2015 release notes.
Signing SHA256 with Installshield 2015 works but I didn't find a way to use the timeserver "http://timestamp.geotrust.com/tsa". Commandline: "/tr http://timestamp.geotrust.com/tsa instead" of "/t http://timestamp.verisign.com/scripts/timstamp.dll" It looks like that the parameter /tr is nor suppoerted.
/tr URL Specifies the URL of the RFC 3161 time stamp server.
