‎Apr 16, 2013
04:58 AM
Signing - password pasted into Firefox!
During a release build just now I opened Firefox and just as I started to type a search query the password for signing modules appeared in the search box! It seems it would be very easy for some malware to trap the password.
(4) Replies
‎Apr 16, 2013
08:22 AM
Are you using .spc and .pvk files to sign your installations? If so, you may want to switch to a .pfx file. For more information, see Digital Signing and Security.
‎Apr 16, 2013
08:37 AM
'Digital Signing and Security' help topic does not say that using .spc and .pvk is not permitted. As it is a valid option it needs to be secure.
‎Apr 16, 2013
09:03 AM
As described in the article, using a .pfx file is preferred over the other file types. Microsoft SignTool.exe (the tool that InstallShield uses when you specify a .pfx file for your release) accepts a command-line parameter for the password, so you would not run into the behavior that you encountered if you switched to this for signing.
Microsoft Signcode.exe, which is called if you specify .spc and .pvk files to sign, does not accept command-line parameters for the password. So, the build has to pass the password to Signcode.exe when prompted for it, as you encountered.
‎Apr 17, 2013
05:11 AM
DebbieL wrote:
So, the build has to pass the password to Signcode.exe when prompted for it, as you encountered.
No, what I encountered was InstallShield passing the password to Firefox.