‎Jul 05, 2018
12:20 PM
How does InstallShield identify a certificate in a certificate store?
hi..
I'm trying to build an ism on 2 different machines (one with InstallShield itself, another with IsCmdBld), each with an Extended Validation token that has the same certificate. The problem is that trying to run the ism on the IsCmdBld fails with error code 1027. I'm assuming that's because it cannot find the certificate. I don't know how InstallShield identifies the certificate, and how can I supply it from the CLI..
(8) Replies
‎Jan 16, 2019
02:03 PM
I realize this thread is quite old, but just curious how you even got the EV Cert to work on your workstation. We just had to switch over to an EV Cert and I can't even get it to sign things in the IDE.
‎Jan 16, 2019
02:16 PM
Have you tried signing things on the command line first? Because getting a key and actually activating it is quite a procedure; you need to "log in" to your key using their software, otherwise it won't work.
Then grab any old exe you have around and use the signtool (comes with the Windows SDK),
something like this:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a "your exe file"
If you can't sign an exe file this way, don't even bother using InstallShield till you sort that out. You should be eligible for support from your EV vendor.
‎Jan 16, 2019
02:25 PM
Sorry, I should have mentioned that. Yes, we can sign files using SignTool.exe; it's just InstallShield that gives us a problem. We get:
ISDEV : error -1027: Failed signing ISSetup.dll
ISDEV : error -1027: Failed signing Data1.cab
ISDEV : error -6258: An error occurred extracting digital signature information from file "\Data1.cab>". Make sure the digital signature information provided in the IDE is correct.
ISDEV : fatal error -6260: Internal build error
Also, were you ever able to fix the issue you had on the build machine?
‎Jan 16, 2019
02:33 PM
Well, if I recall correctly that means it cannot find the certificate. Don't forget you're no longer using a pfx file, so I'm assuming you selected the certificate from your certificate store.
The question is, did you select the right one..
Here's the thing: behind the scenes InstallShield stores the certificate's thumbprint, which is a unique identifier for it. Assuming you're using an XML format for the ism, you should be able to find it (you should also be able to see it as text in the IDE in the format of something like *My*User:|
after | you should see a long string followed by a ?sha256).
That's the thumbprint. signtool also allows you to specify that as well, so make sure you can sign with signtool using that thumbprint.
esiemiat wrote:
Sorry, I should have mentioned that. Yes, we can sign files using SignTool.exe; it's just InstallShield that gives us a problem. We get:
ISDEV : error -1027: Failed signing ISSetup.dll
ISDEV : error -1027: Failed signing Data1.cab
Also, were you ever able to fix the issue you had on the build machine.
‎Jan 18, 2019
10:29 AM
I think I may have figured out what my issue is. I discovered that I cannot sign anything with the certificate if I use the 32-bit version of SignTool, but it works if I use the 64-bit version. Maybe InstallShield would work if I can get the cert to work with the 32-bit SignTool?
I wonder if this has anything to do with the Luna client we use for the EV cert.
‎Feb 21, 2019
05:31 PM
Have either of you gotten this working?
We moved to AWS CloudHSM and I cannot get this working. As esiemiat has stated, the 32-bit signtool does not work as it cannot find a match between the private and public keys. I can sign using the 64-bit signtool so I am thinking that I will need to do a custom event that will sign the files as they are being streamed into the package then use the Precompression event for signing a MSI and the Postbuild event to sign any single .exe produced.
The last two events are easy but the streaming one has eluded me :confused:. Any ideas either of you may have would be welcomed.
Cheers,
ME
‎Feb 22, 2019
07:17 AM
I was able to get this working once I realized that there was a 64-bit and a 32-bit component to the SafeNet client. I had to run the CSP and KSP registration commands for the 32-bit components before InstallShield could use the certificate.
‎Feb 27, 2019
09:09 AM
Thanks,
Unfortunately we are using the AWS CloudHSM KSP and CNG providers and they are only 64-bit. Some more digging for me... Looking at upgrading to IS2018 to see if Flexera sorted the 64-bit issue.
Thanks again.
Cheers,
ME
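The two checks discussed in this thread, as an added example that is not part of any poster's message or of InstallShield's own tooling: resolve the stored thumbprint in the certificate store, then try signing with both the 32-bit and the 64-bit signtool. It assumes the certificate is in the CurrentUser\My store, a 64-bit PowerShell session, and an x64 signtool folder beside the x86 path quoted above; the parameter names are hypothetical.

```powershell
# Added example: confirm one thumbprint resolves to a signing certificate and
# see which signtool bitness can actually use its key.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # value copied from the .ism or the IDE
    [Parameter(Mandatory)] [string] $TestFile,    # any exe; only a copy of it is signed
    # Assumption: SDK layout matches the signtool path quoted in the thread.
    [string] $KitBin = 'C:\Program Files (x86)\Windows Kits\8.1\bin'
)

# Pasted thumbprints often carry spaces or invisible characters; keep hex only.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) {
    throw "signtool /sha1 expects a 40-hex-digit SHA-1 thumbprint, got $($thumb.Length) digits"
}

# Assumption: the token or HSM client publishes the certificate to CurrentUser\My.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) { throw "No certificate with thumbprint $thumb in CurrentUser\My" }
"{0}  HasPrivateKey={1}  NotAfter={2}" -f $cert.Subject, $cert.HasPrivateKey, $cert.NotAfter

# certutil prints the "Provider = ..." line naming the CSP/KSP that holds the key.
& certutil.exe -user -store My $thumb |
    Select-String 'Provider\s*=' | ForEach-Object { $_.Line.Trim() }

$results = foreach ($arch in 'x86', 'x64') {
    # Sign a throwaway copy so the original test file stays untouched.
    $copy = Join-Path $env:TEMP "signtest-$arch$([IO.Path]::GetExtension($TestFile))"
    Copy-Item $TestFile $copy -Force
    & "$KitBin\$arch\signtool.exe" sign /sha1 $thumb /fd SHA256 $copy | Out-Null
    # signtool exit codes: 0 = signed, 1 = failed, 2 = completed with warnings.
    [pscustomobject]@{ Arch = $arch; SignToolExitCode = $LASTEXITCODE }
}
$results | Format-Table -AutoSize
```

A failure for x86 only, with x64 succeeding, matches the situation in the later replies, where the provider's 32-bit CSP and KSP components had to be registered before InstallShield could use the certificate.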