‎Jan 17, 2014
07:17 AM
Extended validation code signing
Hi,
I currently use InstallShield 2012 Spring Express to create a SingleImage install consisting of an msi and a setup.exe. Currently I'm using the "Signing" tab to sign both the msi and the exe.
I'm about to upgrade to an EV code signing certificate and I'm trying to get an idea of any problems I'm likely to encounter when signing the install package with the new certificate. This post:
http://community.flexerasoftware.com/showthread.php?204679-Signing-with-Extended-Validation-Authenticode-Certificate-Security-Token
mentions that automatic signing can't be used, and that manual signing of the exe works, but that doesn't solve the problem of signing the msi.
The same post mentions that it might be possible to create an msi project, manually sign that, and then create a setup.exe from the msi project and manually sign the exe. If this was possible, that would be ok for me since I don't build installs very often. However the post doesn't go into any details of how to create the setup.exe from the msi. Can anyone tell me if this is possible, and if so, how to go about it?
Thanks for any advice,
Robert
(5) Replies
‎Mar 10, 2016
09:09 AM
Robert Fairlie wrote:
Hi,
I currently use InstallShield 2012 Spring Express to create a SingleImage install consisting of an msi and a setup.exe. Currently I'm using the "Signing" tab to sign both the msi and the exe.
I'm about to upgrade to an EV code signing certificate and I'm trying to get an idea of any problems I'm likely to encounter when signing the install package with the new certificate. This post:
http://community.flexerasoftware.com/showthread.php?204679-Signing-with-Extended-Validation-Authenticode-Certificate-Security-Token
mentions that automatic signing can't be used, and that manual signing of the exe works, but that doesn't solve the problem of signing the msi.
The same post mentions that it might be possible to create an msi project, manually sign that, and then create a setup.exe from the msi project and manually sign the exe. If this was possible, that would be ok for me since I don't build installs very often. However the post doesn't go into any details of how to create the setup.exe from the msi. Can anyone tell me if this is possible, and if so, how to go about it?
Thanks for any advice,
Robert
Hi Robert,
The solution is relatively simple. InstallShield ships with a version of signtool.exe that it calls to sign the MSI file (and anything else). Rename that as (e.g.) isSignTool.exe and replace it with one that alters the parameters it is called with, then calls the renamed version (see example C# code below):
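    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Reflection;
    using System.Windows.Forms;

    static class SignToolWrapper
    {
        // These two values were cut off in the original post; the strings below are
        // placeholders that you must replace with your own values.
        const string PfxNameMarker = "PFX_FILE_NAME_PLACEHOLDER";   // text the .pfx file name must contain
        const string CertSha1 = "CERT_SHA1_THUMBPRINT_PLACEHOLDER"; // thumbprint of the certificate in the "my" store

        static int Main(string[] args)
        {
            try
            {
                int argc = 0;
                string newargs = string.Empty;
                bool skipnext = false;
                bool addedSHA1 = false;
                foreach (string arg in args)
                {
                    // Skip file (.pfx), URL and password arguments, as we are going to inject our SHA1 argument instead.
                    // Note we only do this if the parameters come in the right order (/f ... /p ...) and the file name
                    // contains PfxNameMarker. A "/f" that does not match (or is the last argument) is copied unchanged.
                    if (arg == "/f" && argc + 1 < args.Length && args[argc + 1].Contains(PfxNameMarker))
                    {
                        skipnext = true;
                        if (!addedSHA1)
                        {
                            // Select the certificate from the "my" store by thumbprint instead of a .pfx file
                            newargs += " /s my /sha1 " + CertSha1;
                            addedSHA1 = true;
                        }
                    }
                    else if (addedSHA1 && (arg == "/p"))
                    {
                        skipnext = true;
                    }
                    else if (addedSHA1 && (arg == "/du"))
                    {
                        skipnext = true;
                    }
                    else if (!skipnext)
                    {
                        // Copy argument to newargs, quoting it if it contains a space
                        if (arg.Contains(" "))
                        {
                            newargs += " \"" + arg + "\"";
                        }
                        else
                        {
                            newargs += " " + arg;
                        }
                    }
                    else
                    {
                        // We have skipped either the file or the password! Next argument may be ok to copy
                        skipnext = false;
                    }
                    argc++;
                }
                // Now start the real signtool.exe, which we have renamed and replaced!
                string location = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location);
                Process p = Process.Start(Path.Combine(location, "isSignTool.exe"), newargs);
                p.WaitForExit();
                return p.ExitCode;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
                return -1;
            }
        }
    }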
Imhotep.
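A post-build check for the wrapper approach in the reply above, as an added example that is not part of the original post or of InstallShield: it confirms that each output file carries a valid, timestamped Authenticode signature from the expected certificate, which also shows when the msi and setup.exe were signed by different certificates. The file paths and the thumbprint are placeholders (assumptions), and `Test-InstallerSignature` is a hypothetical helper name.

```powershell
# Added example: verify Authenticode signatures on the installer outputs.
# The paths and thumbprint are placeholders, not values from the thread.
param(
    [string[]]$Files = @('.\Release\MyProduct.msi', '.\Release\setup.exe'),
    [string]$ExpectedThumbprint = 'EV_CERT_SHA1_THUMBPRINT_PLACEHOLDER'
)

# Hypothetical helper: returns one result object per file.
function Test-InstallerSignature {
    param([string]$Path, [string]$Thumbprint)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Ok = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $reason = $null

    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, NotTrusted and the other failure states
        $reason = "status is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $Thumbprint.Replace(' ', '')) {
        # Signed, but not by the certificate we expected (e.g. msi and exe signed differently)
        $reason = "signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    elseif ($null -eq $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating once the certificate expires
        $reason = 'signature has no timestamp'
    }

    [pscustomobject]@{ File = $Path; Ok = ($null -eq $reason); Reason = $reason }
}

$results = foreach ($f in $Files) {
    Test-InstallerSignature -Path $f -Thumbprint $ExpectedThumbprint
}
$results | Format-Table -AutoSize

# Non-zero exit code lets a build script fail when any file is not signed as expected
if ($results.Ok -contains $false) { exit 1 }
```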
‎Mar 19, 2016
05:34 AM
Thanks for that. Unfortunately I've now upgraded to InstallShield Express 2015, and they appear to have stopped shipping(/using?) signtool.exe. In the 2015 release notes it says "SignTool.exe and Signcode.exe are no longer installed on your machine when you install InstallShield. If you want to digitally sign your files manually, consider using SignTool.exe, which is installed with Visual Studio and included in the Microsoft Windows Software Development Kit (SDK)." However, they don't suggest how to manually sign the msi before it gets packaged into the setup exe, either for EV or non-EV signing.
What I've done in the meantime is buy a Comodo non-EV certificate and use that to sign the msi from within InstallShield, and use EV signing on setup.exe. That seems to be working OK, but I'd still like to hear of any proper solutions, it would be nice not to have to buy two certificates.
Robert
‎Mar 19, 2016
05:36 AM
Thanks for that. Unfortunately I've now upgraded to InstallShield Express 2015, and they appear to have stopped shipping signtool.exe separately. In the 2015 release notes it says "SignTool.exe and Signcode.exe are no longer installed on your machine when you install InstallShield. If you want to digitally sign your files manually, consider using SignTool.exe, which is installed with Visual Studio and included in the Microsoft Windows Software Development Kit (SDK)." However, they don't suggest how to manually sign the msi before it gets packaged into the setup exe, either for EV or non-EV signing.
What I've done in the meantime is buy a Comodo non-EV certificate and use that to sign the msi from within InstallShield, and use EV signing on setup.exe. That seems to be working OK, but I'd still like to hear of any proper solutions, it would be nice not to have to buy two certificates.
Robert
‎May 09, 2016
06:55 AM
I don't have 2012, so thanks for the heads up for when we finally upgrade, Robert! We were looking at having to buy 2 certificates too, until I worked out the solution above. Good luck, and if you find a solution, please post it back here 🙂 I hope my solution helps others though.
Imhotep
‎Aug 23, 2017
08:33 PM
Thanks Didge.
Just ordered a long sleeve T and the code is still working. I'd never heard of linebreak before, but with that discount it was too good to go past. Looking forward to getting them.
Cheers