have you tried signing things in command line first? because getting a key, actually activating it is a quite predure, you need to "log in" in to your key using their software otherwise it won't work.

then grab any old exe you have around and use the signtool (comes with windows sdk)

something like this
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a "your exe file"

if you can't sign an exe file this way don't even bother using installshield till you sort that out. you should be eligible for support from your ev vendor

Sorry I should I mentioned that. Yes, we can sign files using SignTool.exe it's just InstallShield that gives us a problem. We get:

ISDEV : error -1027: Failed signing ISSetup.dll
ISDEV : error -1027: Failed signing Data1.cab
ISDEV : error -6258: An error occurred extracting digital signature information from file "\Data1.cab>". Make sure the digital signature information provided in the IDE is correct.
ISDEV : fatal error -6260: Internal build error

Also, were you ever able to fix the issue you had on the build machine.

well if i recall correctly that means it cannot find the the certificate, don't forget you're no longer using a pfx file ,so i'm assuming you selected the certificate from your certificate store .
the questions is did you select the right one..

here's the thing, behind the scenes installShield stores the certificate's thumbprint which is a unique identifier for it, assuming you're using an xml format for the ism, you should be to find it (you should also be able to see it as text in the IDE in the format of something like *My*User:|

after | you should see a long string follow by a ?sha256 (

that's the thumbprint, singtool also allows you to specify that as well, so make sure you can to sign with signtool using that thumbprint

esiemiat wrote:
Sorry I should I mentioned that. Yes, we can sign files using SignTool.exe it's just InstallShield that gives us a problem. We get:

ISDEV : error -1027: Failed signing ISSetup.dll
ISDEV : error -1027: Failed signing Data1.cab

Also, were you ever able to fix the issue you had on the build machine.

I think I may have figured out what my issue is. I discovered that I cannot sign anything with the certificate if I use the 32-bit version of SignTool, but it works if I use the 64-bit version. Maybe InstallShield would work if I can get the cert to work with the 32-bit SignTool?

I wonder if this has anything to do with the Luna client we use for the EV cert.

Have either of you gotten this working?

We moved to AWS CloudHSM and I cannot get this working. As esiemiat has stated, the 32-bit signtool does not work as it cannot find a match between the private and public keys. I can sign using the 64-bit signtool so I am thinking that I will need to do a custom event that will sign the files as they are being streamed into the package then use the Precompression event for signing a MSI and the Postbuild event to sign any single .exe produced.

The last two events are easy but the streaming one has eluded me :confused:. Any ideas either of you may have would be welcomed.

Cheers,

ME

I was able to get this working once I realized that there was a 64-bit and a 32-bit component to the SafeNet client. I had to run the CSP and KSP registration commands for the 32-bit components before InstallShield could use the certificate.

Thanks,

Unfortunately we are using the AWS CloudHSM KSP and CNG providers and they are only 64-bit. Some more digging for me... Looking at upgrading to IS2018 to see if Flexera sorted the 64-bit issue.

Thanks again.

Cheers,

ME