FunkyDexter
Level 4

Digital Signing Certificate not being used

Hoping someone can help with this.  I'll openly admit I know practically nothing about how to set up Digital Signing so please forgive any dumb questions I may ask.

We have a WPF solution for which we build our installer using InstallShield 2019 R3 Express edition. We've previously had a digital signing certificate from GoDaddy. I've always used this by popping a USB into the laptop and I can manage this using the SafeNet Client from my systray. Building the installer would then ask for a password and would then sign the various components in the exe. This has worked fine until now.

Our GoDaddy cert expired so we've purchased a new one through GlobalSign. They provided us with a .cer file which I was able to import using the SafeNet client. This created an entry in the CA Certificates section which all looks good and shows as being eligible for Code Signing. From that entry I installed the certificate selecting Local Machine and then the Personal store.

I've updated our install package from the releases tab. On the SingleImage node I selected Use a Certificate Store, Personal and Machine options and left the Signature Digest as Based on a Certificate Hash. If I view details I can see that it is looking at the correct certificate.

So I save that and try to rebuild the project.  I get a series of -1027 errors (Failed Signing xxxx where x is the dll, exe etc.)  This is the same behaviour I've always had in the past if I built without inserting the USB key or failed to provide a password.  So my best guess is that the build can't actually access and/or use the certificate, even though I think I've done everything needed to hook them up.

Any ideas what I'm doing wrong?  Have I perhaps missed a step?

0 Kudos
(4) Replies
banna_k
Revenera

@FunkyDexter :

Can you check whether you can sign using the Windows signtool or not, and I hope you need to configure the password for the new certificate you received from GlobalSign.

0 Kudos

Thanks for the reply and Happy Christmas

I'm not really sure what I'm doing with the Windows signtool as I've never used it before but I did a bit of googling and I'm not sure if it worked or not. Here's what I did:-

  • Found the Signtool under Windows Kits/10/xxxx/bin
  • Copied the new pfx file to that location (n.b. as described above I think we usually use the cer file but the instructions I found were for the pfx so I went with that). 
  • Ran the following from cmd: Signtool sign /f aquatorsigningcert-AquatorSigningCert10-XXXX.pfx /fd SHA256 "C:\Users\dhillier\source\repos\AquatorXVSuite\Aquator XV Installer\Express\SingleImage\DiskImages\DISK1\setup.exe"

I got a message saying Done Adding Additional Store followed by a message saying Successfully signed: C:\Users\dhillier\source\repos\AquatorXVSuite\Aquator XV Installer\Express\SingleImage\DiskImages\DISK1\setup.exe

However, if I run the setup.exe it unpacks the msi and then gives me the popup message asking if I want to install the package from an unknown provider.

So if I read that correctly the tool is telling me that it worked but the exe doesn't seem to actually be signed.

 

Edit> I found instructions on how to verify the signing and that reports successfully verified.  I'm still getting the unknown publisher message when I run the exe though.

0 Kudos
varul
Revenera Moderator

Hi @FunkyDexter ,

Try importing the certificate to the Trusted Root location by following the KB below, then check the installation and verify whether you still see the unknown publisher error.

https://community.flexera.com/t5/InstallShield-Knowledge-Base/How-to-add-certificates-to-the-Trusted-Root-Certification/ta-p/4118

0 Kudos

Hi. Thanks for the response. I've done that but I don't think it worked. Here are the steps I carried out:-

  1. Ran mmc
  2. Added the Certificates snap-in selecting the following options:-
    1. Computer Account
    2. Local Computer
  3. Added the certificate to the Trusted Root Certification Authorities store using the following options:-
    1. Browse to the .cer file
    2. Place certificates in the following store :  Trusted Root Certification Authorities
    3. Looked for the certificate in the certificates node and believe I can see it.
  4. N.b. When I close mmc at this point it asks me if I want to save changes to mmc.  I've saved changes but I don't think this should matter as the certificate being saved was handled by the import.
  5. Open the InstallShield package and go to the signing tab on Prepare For Release.
  6. Browse for the certificate and select it using the following options:-
    1. Trusted Root Certification Authorities
    2. Machine
    3. <Certificate Name> - I used view details to check this was the right one and it seems to be
    4. Based on Certificate Hash
  7. Rebuild. - The package builds fine but I still get the 1027 Failed to Sign errors.
  8. If I try to run the built Setup.exe I get the Unknown Publisher message

So this feels like I'm at the same place.  I think the certificate is installed correctly but the installer package isn't using it for some reason.

0 Kudos
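
A diagnostic for the two symptoms reported in this thread (the -1027 signing failures and the "unknown publisher" prompt), added here as an example and not part of any post above. It lists the code-signing certificates in the two machine stores the posts selected and reports whether each store entry has a usable private key, then shows how Windows evaluates the signature on the built file. The `$SetupPath` default is a placeholder and the script parameters are assumptions.

```powershell
# Added diagnostic example. $SetupPath is a placeholder; pass the real setup.exe path.
param(
    [string]$SetupPath = 'C:\path\to\setup.exe',
    [string[]]$Stores  = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# 1. Certificates in the selected stores that carry the Code Signing EKU.
#    HasPrivateKey is False when the store entry is only the public certificate
#    (for example an imported .cer); such an entry cannot be used to sign.
foreach ($store in $Stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $ekus = @($cert.Extensions |
                  Where-Object { $_ -is $ekuType } |
                  ForEach-Object { $_.EnhancedKeyUsages } |
                  ForEach-Object { $_.Value })
        if ($ekus -contains $codeSigningOid) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    } | Format-List
}

# 2. How Windows evaluates the signature on the built installer.
#    Status is Valid, NotSigned, NotTrusted, HashMismatch, and so on.
if (Test-Path -LiteralPath $SetupPath) {
    $sig = Get-AuthenticodeSignature -LiteralPath $SetupPath
    [pscustomobject]@{
        File          = $sig.Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        Timestamped   = [bool]$sig.TimeStamperCertificate
    } | Format-List
} else {
    Write-Warning "File not found: $SetupPath"
}
```

Comparing the thumbprint reported for the signed file with the thumbprint of the store entry selected in InstallShield shows whether both refer to the same certificate.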