EXM1110b
Level 3

How does InstallShield identify a certificate in a certificate store?

Hi,

I'm trying to build an ism on 2 different machines (one with InstallShield itself, another with IsCmdBld), each with an Extended Validation token that has the same certificate. The problem is that trying to run the ism on IsCmdBld fails with error code 1027. I'm assuming that is because it cannot find the certificate. I don't know how InstallShield identifies the certificate, or how I can supply it from the CLI.
(8) Replies
esiemiat
Level 9

I realize this thread is quite old, but just curious how you even got the EV Cert to work on your workstation. We just had to switch over to an EV Cert and I can't even get it to sign things in the IDE.
EXM1110b
Level 3

Have you tried signing things on the command line first? Getting a key and actually activating it is quite a procedure; you need to "log in" to your key using their software, otherwise it won't work.

Then grab any old exe you have around and use signtool (it comes with the Windows SDK).

Something like this:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a "your exe file"

If you can't sign an exe file this way, don't even bother using InstallShield till you sort that out. You should be eligible for support from your EV vendor.
esiemiat
Level 9

Sorry, I should have mentioned that. Yes, we can sign files using SignTool.exe; it's just InstallShield that gives us a problem. We get:

ISDEV : error -1027: Failed signing ISSetup.dll
ISDEV : error -1027: Failed signing Data1.cab
ISDEV : error -6258: An error occurred extracting digital signature information from file "\Data1.cab>". Make sure the digital signature information provided in the IDE is correct.
ISDEV : fatal error -6260: Internal build error

Also, were you ever able to fix the issue you had on the build machine?
EXM1110b
Level 3

Well, if I recall correctly, that means it cannot find the certificate. Don't forget you're no longer using a pfx file, so I'm assuming you selected the certificate from your certificate store.
The question is, did you select the right one?

Here's the thing: behind the scenes InstallShield stores the certificate's thumbprint, which is a unique identifier for it. Assuming you're using an XML format for the ism, you should be able to find it (you should also be able to see it as text in the IDE, in a format something like *My*User:|).

After the | you should see a long string followed by a ?sha256 (

That's the thumbprint. signtool also allows you to specify that, so make sure you can sign with signtool using that thumbprint.

esiemiat wrote:
Sorry, I should have mentioned that. Yes, we can sign files using SignTool.exe; it's just InstallShield that gives us a problem. We get:

ISDEV : error -1027: Failed signing ISSetup.dll
ISDEV : error -1027: Failed signing Data1.cab

Also, were you ever able to fix the issue you had on the build machine?
esiemiat
Level 9

I think I may have figured out what my issue is. I discovered that I cannot sign anything with the certificate if I use the 32-bit version of SignTool, but it works if I use the 64-bit version. Maybe InstallShield would work if I can get the cert to work with the 32-bit SignTool?

I wonder if this has anything to do with the Luna client we use for the EV cert.
MarkEarle
Level 6

Have either of you gotten this working?

We moved to AWS CloudHSM and I cannot get this working. As esiemiat has stated, the 32-bit signtool does not work as it cannot find a match between the private and public keys. I can sign using the 64-bit signtool so I am thinking that I will need to do a custom event that will sign the files as they are being streamed into the package then use the Precompression event for signing a MSI and the Postbuild event to sign any single .exe produced.

The last two events are easy but the streaming one has eluded me :confused:. Any ideas either of you may have would be welcomed.

Cheers,

ME
esiemiat
Level 9

I was able to get this working once I realized that there was a 64-bit and a 32-bit component to the SafeNet client. I had to run the CSP and KSP registration commands for the 32-bit components before InstallShield could use the certificate.
MarkEarle
Level 6

Thanks,

Unfortunately we are using the AWS CloudHSM KSP and CNG providers and they are only 64-bit. Some more digging for me... Looking at upgrading to IS2018 to see if Flexera sorted the 64-bit issue.

Thanks again.

Cheers,

ME
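
The two checks this thread converges on (does the stored thumbprint resolve to a certificate in the store, and does signing by that thumbprint work from a 32-bit as well as a 64-bit process) can be run on a build machine with the script below. It is an added example, not code from any poster, Flexera or an HSM vendor. It assumes the string taken from the ism is the certificate's SHA-1 thumbprint as Windows displays it, that both signtool builds sit under the Windows Kits 8.1 path quoted above, and that certutil prints English output; the parameter names are hypothetical.

```powershell
# Added diagnostic sketch; not InstallShield, Flexera or HSM-vendor code.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # string copied from the ism (assumed SHA-1 thumbprint)
    [Parameter(Mandatory)] [string] $TestFile,    # any spare exe; only a temp copy is signed
    # Assumed SDK location, based on the signtool path quoted in the thread.
    [string] $KitBin = 'C:\Program Files (x86)\Windows Kits\8.1\bin'
)

# Keep hex digits only: removes spaces and invisible characters picked up by copy/paste.
$thumb = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
if ($thumb.Length -ne 40) { throw "Expected 40 hex digits (SHA-1 thumbprint), got $($thumb.Length)." }

# 1. Is the certificate visible to this account, and does Windows see a private key for it?
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) { throw "Thumbprint $thumb not found in CurrentUser\My or LocalMachine\My." }
$machine = $cert.PSParentPath -like '*LocalMachine*'
"Subject       : $($cert.Subject)"
"Expires       : $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"

# 2. Which CSP/KSP holds the key? certutil prints a "Provider = ..." line (English output assumed).
$storeArgs = @('-store', 'My', $thumb)
if (-not $machine) { $storeArgs = @('-user') + $storeArgs }
& certutil.exe @storeArgs | Select-String '^\s*Provider\s*=' |
    ForEach-Object { "Provider      : " + $_.Line.Split('=', 2)[1].Trim() }

# 3. Sign a throwaway copy with the 32-bit and the 64-bit signtool, selecting the cert by thumbprint.
foreach ($arch in 'x86', 'x64') {
    $tool = Join-Path $KitBin "$arch\signtool.exe"
    if (-not (Test-Path $tool)) { "$arch signtool : not found at $tool"; continue }
    $copy = Join-Path $env:TEMP ("signcheck-$arch" + [IO.Path]::GetExtension($TestFile))
    Copy-Item $TestFile $copy -Force
    $signArgs = @('sign', '/sha1', $thumb, '/fd', 'sha256')
    if ($machine) { $signArgs += '/sm' }    # /sm = use the machine store instead of the user store
    & $tool @signArgs $copy | Out-Null
    "$arch signtool : exit code $LASTEXITCODE"   # 0 means the file was signed
    Remove-Item $copy -Force
}
```

If step 3 succeeds for x64 but fails for x86, the machine is in the state described in this thread, where the key provider's 32-bit components were missing or not registered.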