ishelpqs
Level 3

InstallShield Digital Signing Tab/Options do not support new industry standard requirements for code signing certs

The options to digitally sign within InstallShield discussed here https://docs.revenera.com/installshield22helplib/helplibrary/IHelpReleaseDigitalSignature.htm do not seem to support new industry requirements for code signing certificates discussed here https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html

Option #1 (.pfx approach with password) will absolutely not work, this is the approach that is being deprecated by the industry.

Option #2: I have tried to set up a proof-of-concept with a new HSM certificate from DigiCert ONE, but this does not seem to work.

The uninstall .msi that is generated during the InstallShield process is unable to be signed without these options or precompression events.

How are teams supposed to sign via InstallShield without having to use some workaround like precompression events?

(25) Replies
DevOpsqsri
Level 3

Can we please have an update on how we can adopt to the  new industry requirements for code signing certificates using InstallShield?

So having tested this further on Windows: there are two options in InstallShield, option 1 was to use the .pfx file and option 2 was to use the local certificate store. Provided you have imported your DigiCert certificate into your local "Manage user certificates", select option 2 and the code signing certificate should appear in the list. Save the .ism file and build as normal. The signing seems to work. Verified that all the binaries are signed as expected.

Are you using a certificate that meets the new private key requirements for code signing certs? Which means, are you using a cert where the private keys and certificates must be stored and installed on tokens or HSMs?

Option 2 works just fine with an old cert (that won't work anymore once it expires). I generated a new cert where the private keys are stored in an HSM provided by DigiCert. Option 2 does not seem to handle this case.

I signed it with a brand new cert from DigiCert (the one with private keys on HSM) using option 2. InstallShield reported the build as successful, and when I inspected the signed binaries I can see that it's signed with the right fingerprint of the new cert.

I used the DigiCert tool called smksp_cert_sync.exe to sync the new certs into the local store.

When you say "Option 2 does not handle this case" with the new certs, what sort of errors are you getting?

It seems my initial sync early on didn't work, I synced again and this now works, thank you so much!

To be honest, what you are saying about using DigiCert tools etc. to sync a certificate is really unclear to me. I have the certificate on a USB smart token and was told there is no way to sign code anymore without the SafeNet client and the token, because you cannot export it to .pfx.

So in the end I decided to sign the files without using InstallShield.
I run a batch file that signs all DLL and EXE files in the source folder using signtool.
Then I create the setup using InstallShield.
At last I sign the setup.exe again using signtool.

This works, but it's a lot more work than before with the .pfx in InstallShield.

But as I understand it, this leaves the MSI file that InstallShield creates when compiling the installer unsigned. I think some people have said this causes Windows to stop at the point Setup.exe decompresses it and tries to run it. Am I missing something?

We haven't noticed that, and neither did our customers.
In the beginning Defender did block the setup in some cases, probably due to the new cert, but when you clicked "More info" in order to proceed it showed our company name etc. and you could continue without any further warnings.

varul
Revenera Moderator

Hi @jeroenvels

If you don't want to save directly in the .ism file, you can pass the .bat file which will be used to sign the installer while building the project. Refer to the screenshot.

My version of InstallShield 2021 does not show Precompression Events in Events. Did they introduce this in 2022 only? (Or worse, does this require the Premier version?) I have the Professional version.

We are using 2021 R2 Premier and it has the events.

Events have been around for years, however they are only available in the Premier edition and not Professional.

We're using Azure HSM, which signs via AzureSignTool. That requires API credentials to talk to Azure's key vault. Is there a way to pass build-time-only properties to the BAT? Setting properties on the install itself isn't allowed because they would be stored in the MSI and exposed. Hard-coding the credentials in the BAT would also expose them. How can we pass build-time-only properties to the build?

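The signtool workaround described earlier in this thread (sign the DLL/EXE files before the build, sign setup.exe after it), written up as a build-agent script. This is an added example, not code from the thread, from Revenera or from DigiCert; it assumes the certificate has already been synced into the CurrentUser\My store and that the build agent exposes its SHA-1 thumbprint in a job-scoped environment variable (CODESIGN_THUMBPRINT is a hypothetical name), so neither the thumbprint nor any secret is stored in the .ism or in MSI properties.

```powershell
# Sign-Build.ps1 (added example, not from the original thread)
# Run once with -Path <source folder> before the InstallShield build, and once with
# -Path <output folder> afterwards so the generated setup.exe gets signed too.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $TimestampUrl = 'http://timestamp.digicert.com'   # RFC 3161 TSA (assumed)
)
$ErrorActionPreference = 'Stop'

# CODESIGN_THUMBPRINT is a hypothetical variable; the build agent sets it per job so the
# value never lands in the project file or the installer.
$thumb = $env:CODESIGN_THUMBPRINT
if (-not $thumb) { throw 'CODESIGN_THUMBPRINT is not set for this build job' }

# Fail early if the cert is missing from the user store (i.e. the sync step was skipped),
# which is the situation that made option 2 appear not to work earlier in the thread.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate with thumbprint $thumb in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no usable private key (token/KSP not attached?)' }

function Invoke-Sign {
    param([string] $File)
    # /sha1 picks the cert from the store by thumbprint, so the key stays on the token/HSM;
    # /fd and /td sha256 avoid SHA-1 digests; /tr timestamps so signatures outlive the cert.
    & signtool.exe sign /sha1 $thumb /fd sha256 /tr $TimestampUrl /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $File" }
    # Verify with the default Authenticode policy, which is what end users' machines apply.
    & signtool.exe verify /pa /q $File
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $File" }
    Write-Host "signed: $File"
}

# Sign every DLL and EXE below the given folder (setup.exe is an EXE, so the post-build
# run covers it as well).
Get-ChildItem -Path $Path -Recurse -Include *.dll, *.exe |
    ForEach-Object { Invoke-Sign $_.FullName }
```

As noted in the thread, this still leaves the MSI that InstallShield compresses into setup.exe unsigned unless a precompression event (Premier edition) runs the same step on it.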
@varul I see competitors have a native configuration UI for using cloud HSMs. It would be great to have assurance that InstallShield will get that feature soon.

I stayed back on 2021 because I'm a very small business and IS was just getting too expensive to maintain for me. Now to learn that I not only have to restart my subscription (I think they make you purchase all over again once you lapse) AND upgrade to Premier to access the Precompression Events just takes IS off the table for me. It would be rude to mention the competitor by name, but, yes, for a lot (I mean A LOT) less money I can get what I need. That's sad, as I've amassed a great deal of esoteric comfort with IS with a large body of work. But, with IS Premier at the cost of 1/3rd of a new car (Premier sub is $7,423 as of 9/22/23) it's kind of a no-brainer. My CFO would slay me for authorizing that kind of expense right now. It's been a tough year...

Thanks, this is helpful. I am still using InstallShield 2021; is this version going to be compatible with the new signing methods using a local USB key instead of a .pfx file?

Yes, because the SafeNet Authentication Client (SAC) installs the certificate in the Local User Certificate Store. See my comment below from Sep 22, 2023 03:18 AM.

jeroenvels
Level 3

+1 for wanting to know how to deal with the new requirements.
The way it used to work was very easy and straightforward.

Did you ever find a solution to this or get any answers?

No, in the end I figured out a workaround for myself (see my reply in this topic) and that works for now. Still haven't been able to find anything else that works.
