- Revenera Community
- :
- InstallShield
- :
- InstallShield Forum
- :
- Re: Digital Signing an installation package
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Digital Signing an installation package
We need to secure our Installation package with a digital signature.
I'll start with the question: (TL;DR)
What are the requirements from the created certificate in order to use it to sign an InstallShield package?
We didn't find any specifications in the user manual, InstallShield help or any other documentation or knowledge base.
There are many certificate types, certificate features and encryption methods available, some features are blocked for us by our IT, so we need to know the specific requirements/features that are needed to be able to sign our package.
And here are all the details:
Our project is an InstallScript MSI, in a Binary format.
The interface type is in the Traditional Style (Released as a Setup.exe file).
We have created self-signed certificates in the Windows 10 Certificate store.
These are backed by our internal Certificate Authority.
When trying to sign the package we couldn't use any of our certificates in the Personal Certificates folder.
Only after exporting the certificate and importing back to the "Trusted Root Certification Authorities" folder, we could manage to sign the files inside the package. (it also took time to get this to work"
When trying to sign the package file by changing the "Sign Output Files" property.
No matter what option is selected and which certificate is used, we get the same error:
ISDEV : error -6259: Internal build error
And some of the times we get these errors too:
ISDEV : error -6258: An error occurred extracting digital signature information from file "****\standard\singleEXE\DiskImages\DISK1\Installation Package.msi". Make sure the digital signature information provided in the IDE is correct.
ISDEV : error -6003: An error occurred streaming '****\standard\singleEXE\DiskImages\DISK1\Installation Package.isc' into setup.exe
The password is correct, the pfx file exists and it contains the private-key, and in case of a certificate from a store, we tried every available folder, and also tried the current user and the local computer certificates.
We also tried creating general-purpose self-signed certificates using OpenSSL, these didn't work either.
Thanks,
Shahar
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi @Shahar100 ,
Answering to your question:
- There is not much as such requirements than as mentioned in the link:https://docs.flexera.com/isxhelp22/helplibrary/DigitalSigningSecurity.htm(Hope you would have already gone through)
- Can you give a try with signtool which you would see under Windows Kits as well:Using command line options for pfx file to narrow down the issue?More details:https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
- If you want to test store specific certificate,give it a try with powershell cmdlet to figure out the issue is with Installshield or with certificate itself?More details can be found:https://sid-500.com/2017/10/26/how-to-digitally-sign-powershell-scripts/
Thanks,
Jenifer
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I'm having the same problem with error 6259.
I tested with signtool and all is well. I can also see that the files included in the installer are being signed. The file certificates.msi gets created and signed and then I get the error:
Media table successfully built
Started signing certificate.msi ...
ISDEV : error -6259: Internal build error
ISDEV : fatal error -5087: Stop at first error
OCT System Software\Release - 2 error(s), 3 warning(s)
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I found my problem. I needed to add my CA to the root store since this was a self signed certificate.