harryclipper
Flexera beginner

Timestamp error 1027

Hello,

Today I noticed that I get the above error 1027 while building my install program.

I work with the old InstallShield Express 2012.

I think 6 months ago I got a similar error, which someone from the community solved by changing the timestamp server in Settings.xml.

I tried several servers, but still get this error.

The signing process works fine, then a line later the timestamp error is thrown.

Unfortunately I have a very old program which I must support, which is installed on a Windows XP computer. And I can't change this.

By the way, this error occurs on all my InstallShield projects.

So, the new InstallShield versions do not run on XP, and I can't change. (Deadlock)

I have the log file attached to this message.

Can someone help me?

thnx Harald

shunt
Revenera Moderator

The VeriSign and Symantec timestamp servers that were used previously are no longer valid, and therefore you may need to review the settings.xml to change to a current one.

The following article discusses what settings to use for the DigiCert timestamp server:
https://community.flexera.com/t5/InstallShield-Knowledge-Base/Digital-Signing-Patch-for-InstallShiel...

There is an additional issue: if you try to sign with SHA-256 using the new DigiCert server, then the counter signatures are actually signed with SHA-1 due to incorrect APIs which InstallShield calls.
This issue has been fixed in later versions, and versions dating back to 2015 SP2, but unfortunately this does not include 2012 Express, which you are using.


@shunt

Thank you for your data.

It does not work for my old 2012.

But I found an article in the community which stated that you can just
leave the timestamp server tag empty.

I did this and I got no errors thrown anymore.

What it means to have no timestamp in my install.exe is not visible (?)
to me, but the install process runs on a Win10 machine without any
messages or errors.

harald
shunt
Revenera Moderator

A timestamp marks a digital signature with a date and time and serves as reassurance for the users that the contents are honest. The installer uses the timestamp to identify if any changes have been made in the package, and if they have, it should not be trusted.

There is a good article on what Timestamping is available here:

https://www.globalsign.com/en/blog/what-is-timestamping-how-does-it-work


@shunt

Thank you for the article.

Is there any other timestamp server I can use, since DigiCert is not
working with my old IS 2012?

I tried some, but error....

IS hotline did not say a word to help me (I phoned them). They
refused to relay my call to the technical line even after I offered to pay
for it.

It's a no-go for me to act like this; even if my clients have an older
version of my programs, I help them and learn something new out of that
cycle.

But it's like it is!

So I still have no timestamp in my install package.

If someone knows a solution please tell me.

In the meantime I will look for a replacement for IS.

thnx

Harald
shunt
Revenera Moderator

Unfortunately InstallShield 2012 was end-of-lifed around 6 years ago and as such we are no longer developing fixes for it.

The latest version of InstallShield (2020) includes the fix for the SHA problem and will therefore allow you to use the DigiCert timestamp. If you have a valid support contact then you can upgrade to the latest version at no additional cost.

Timestamp servers are not provided by Revenera, they are provided by 3rd Parties and therefore you can research and use whichever one you are comfortable with.


You can use signtool.exe to sign your msi package manually. I use this procedure to sign my msi packages which I have built in an older InstallShield version:

Example:

signtool sign /a /t http://timestamp.digicert.com /fd sha256 "E:\Develop\InstallShieldProjects\IS2012SP\Projects\XYZ-Product\Product Configuration 1\Release 42.3000\DiskImages\Disk1\XYZ-Product.msi"

signtool.exe is part of the Windows SDK, which you can download from Microsoft.

Just looked at your log file. You build your msi package with a setup.exe bootstrapper and as a single image. So my suggestion does not work for you. You can only sign the setup.exe but not the msi file inside. Maybe think about not compressing everything into setup.exe.

regards

Markus

ssglogic
Active participant

As of March 12th 2021 (India Time) - DigiCert Timestamp is NOT working -

Then I tried pinging - I got the following -

Pinging timestamp.digicert.com [216.168.244.9] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.168.244.9:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Is it really down - if so, what is the alternative all of you are using?

shunt
Revenera Moderator

The DigiCert knowledge base says that the Timestamping Server will not respond to any network probes (such as ping or a tracert):

https://knowledge.digicert.com/solution/SO912.html

ssglogic
Active participant

I understand - but if the timestamp address of Digicert says - Timestamping failed - what to do ?

@MarkusLatz

Thank you for the data.

My IS produces an EXE-File.

What must I change to get just an msi which I can timestamp with signtool?

And after timestamping what must I do to get an EXE-File?

Or can I timestamp my EXE-File which I get from IS?

Sorry, I am not really familiar with this.

Thnx

Harald

@harryclipper 

Your problem is not clearly told here.

You need finally an exe and that should be signed - understood.

Then - why do you need to sign msi and exe separately ?

And what was the problem in timestamp - please clarify.

From which company do you have a Codesigning Certificate ? Did you create the pvk and pfc file from the pfx file ?

On the left-hand menu - while IS is open - you will get "Release" - then click on "Single exe .." - on the right-hand side click on the tab "Signing", where you will have to put the timestamp and code signing pvk and pfc file location and the password to sign.

Hope this helps


@ssglogic

To clarify my problem:

I use a Win XP computer and IS 2012 to service a very old VB6 software
on it, with old classes installed which I cannot buy again to install
on a new computer; I tried it. So this must stay on this computer.

I used the IS to produce the setup.exe for my software.

Some days ago the IS throws an error 1027 Timestamp failed.

The signing was OK but not the timestamp.

I changed in settings.xml the timestamp server several times to several
servers but still got this error.

Then I emptied the "timestamp"-line in settings.xml to get the setup.exe
produced and signed, but without timestamp.

I have a sectigo cert (pfx).

"Did you create the pvk and pfc file from the pfx file ?" NO, I just use
the pfx. which worked great until the error started.

"Then - why do you need to sign msi and exe separately ?" This is a
misunderstanding: I just need the exe signed and timestamped.

Someone from this forum suggested that I can sign the msi with
signtool.exe. I did not understand this because I'm not very familiar
with this signing and timestamping.

I just want a functioning IS which does sign and timestamp my setup.exe.

Hope this clarifies my problem.

By the way, IS hotline was not helpful, even when I offered to pay them
separately for the service. No chance to get a technician to the phone,
so I gave up trying to get help from IS.

When you have a solution for the 1027 Timestamp error, I would be happy.

thnx

Harald

@harryclipper ,

Are you from Germany? I just ask to know in which time zone you are located.

regards

Markus


@MarkusLatz

Yes, I'm from Germany.

Your name also sounds German.

Isn't it?

harald

Good Morning Harald,

I send you a private message ...

regards

Markus


@harryclipper 

I understood and realized your problem very well. I am suffering from the same problem after buying certificate from Sectigo.

Probably - many others are also suffering.

The reason that I discovered and realized after 2 months of efforts, is that - your system and software are old and you are contacting servers for timestamp - where the software are new and does not work with old.

You should be satisfied with "Signed but not Time stamped" because you have to maintain the old system and old software.

I Recommend to immediately plan with your customers to upgrade all old software (we can help you in migrating VB software to VB.Net) - this will bring new revenue to your company.

And, when you have money - you need to buy latest IS 2020 pro or later - but, before that some training on the latest IS is required.

You can download a trial and check with your old .ism file (which will be automatically upgraded, and you need to put some data by comparing with old ism)  - the timestamping and signing - both will work.

IS will not support for your old version, even if you pay - no one in IS is working on those old versions.

MarkusLatz
Frequent contributor

@harryclipper  and I have solved the problem by using signtool.exe after the build.

@harryclipper  you can mark this post as "solved".

regards

Markus


Hello,

I want to thank @MarkusLatz who helped me a lot.

He solved the problem with the use of signtool.exe.

I use IS to build the install package. Then I use (on my new computer)
signtool.exe to sign and timestamp.

So, it is not that digicert does not timestamp anymore, or whatever I
read in the last weeks.

It seems that IS "canceled" the timestamp function for the older versions
like mine (2012).

I can sign with SHA1 and also with SHA256 with my certificate I use for
signing. And this is the same as I use when IS runs.

So, again @MarkusLatz solved my problem.

many thanx.

Harald
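
The post-build approach the thread settles on (build with InstallShield, then sign and timestamp with signtool.exe) can be scripted as below. This is an added example, not code from any of the posts or from InstallShield; the file paths are placeholders, the timestamp URL is the one quoted in the thread, and signing with both SHA1 and SHA256 follows the last post's remark that both work.

```powershell
# Added example: post-build signing of the InstallShield output with signtool.exe.
# All paths are placeholders; only the timestamp URL comes from the thread.
$SignTool = 'C:\Path\To\signtool.exe'               # placeholder (Windows SDK)
$Target   = 'C:\Path\To\DiskImages\Disk1\setup.exe' # placeholder (build output)
$Pfx      = 'C:\Path\To\codesign.pfx'               # placeholder (code signing cert)
$TsUrl    = 'http://timestamp.digicert.com'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    # signtool exits 0 on success, 1 on failure, 2 when it finished with warnings.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) exited with code $LASTEXITCODE"
    }
}

# Ask for the PFX password at run time so it is never stored in the script.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    # 1) SHA-1 file digest with a legacy Authenticode timestamp (/t),
    #    only needed for systems that cannot validate SHA-256 signatures.
    Invoke-SignTool @('sign', '/f', $Pfx, '/p', $plain,
                      '/fd', 'sha1', '/t', $TsUrl, $Target)

    # 2) Append (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr).
    #    /td sha256 sets the timestamp digest explicitly, so the
    #    countersignature is not SHA-1.
    Invoke-SignTool @('sign', '/f', $Pfx, '/p', $plain, '/as',
                      '/fd', 'sha256', '/tr', $TsUrl, '/td', 'sha256', $Target)
}
finally {
    $plain = $null
}

# Verify every signature against the Authenticode policy (/pa /all).
# /tw raises a warning for a signature without a timestamp, which makes
# signtool exit non-zero and this build step fail.
Invoke-SignTool @('verify', '/pa', '/all', '/tw', '/v', $Target)
```

The verify step is what catches a build that was signed but not timestamped, the state the thread describes after the timestamp tag in settings.xml was left empty.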