Level 2

signtool fails with "ISDEV : fatal error -1027: Failed signing 4005.tmp"


I am trying to have InstallShield 2015 (stand-alone) sign my setup.exe and the Installer** in the build. The build is running on Windows 2008 R2 SP1.
I have researched most of the suggestions from
Is it because of ?

- This build worked a year ago on the same machine. However, it was using signcode (not signtool) and .pvk, .spc files. I replaced the expired certificate with a valid new .pfx file.
It fails with
"Started signing 4005.tmp ...
ISDEV : fatal error -1027: Failed signing 4005.tmp"

More details:
File size for "F:\win32\install\win32\template\setup.exe": 3824603
File size for "F:\win32\install\win32\template\Setup.ini": 5224

- No signtool.exe came in I/S Stand-Alone. Tried copying signtool.exe (V6.2.9200...) from MS .Net 2008 to \InstallShield\\Support and ... \System with no success.

We have also tried - running signtool.exe out of D:\SDK\8.0/bin/x86 in the build.

- From the command line on the build machine, running signtool.exe works only when signtool.exe is run from the MS SDK directory:

HOWEVER, signtool.exe on the command line does NOT WORK when run from other directories, even with it in the path. Not sure if this is the root cause.

When signing outside of InstallShield in the build, signtool works. There are over 90 calls to signtool visible in the build logs before the failure.
For example:
G:\win32\src\libraries\cppunit>D:\SDK\8.0/bin/x64/signtool.exe sign /f G:\win32\include\win32\mypfx.pfx /p xxxxxx /t /v cppunit_dll.dll
The following certificate was selected:
Issued to: ...
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: Thu Nov 01 18:59:59 2018
SHA1 hash: E5C81C59E8BA81C9F32C0FC3F05F78924724B4EC

And it works on Windows 7 local build using same signtool.exe.

I have tried numerous path variable combinations - moving .pfx to I/S proj folder, etc. Tried putting mypfx.pfx in the I/S Support directory too.
- and hash settings etc
And tried different timestamp servers (and none), different hash options too.

** If I remove signing the setup.exe and leave only the installer I get this different error information:
Started signing certificate.msi ...
ISDEV : fatal error -1027: Failed signing package. Verify that a valid digital certificate file exists in the specified location.
Creating path "F:\win32\install\win32\template Data\LogFiles"
Product Configuration 1\Release 1 - 1 error(s), 6 warning(s)
Log file has been created:

- Is there a way to get more information /trace on the signtool in the output file to see how I/S invokes signtool?

Thank you
(3) Replies
Level 2

Please specify the correct private key (.pvk) when signing the InstallShield project. If you have renewed your Certificate, please note that every time you renew a Thawte Microsoft Authenticode Certificate a new private key is generated, therefore make sure you specify the new .pvk file and not the previous one. Please do a search on the C drive of the machine you used to request the Certificate for all .pvk files. By default the private key is saved as mykey.pvk to the C drive.
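
A diagnostic for the two things this thread turns on: which signtool.exe a bare `signtool` resolves to through PATH on the build machine, and whether the new .pfx actually carries a private key, a code-signing EKU and a current validity window. This is an added example, not InstallShield's or either poster's code; the function names and the PFX path are placeholders chosen here.

```powershell
# Added diagnostic sketch; written to run on PowerShell 2.0 and later.
param([string]$PfxPath = 'C:\path\to\codesign.pfx')   # placeholder path

# List every signtool.exe reachable through PATH, in resolution order,
# so a stale or mismatched copy shows up next to the SDK one.
function Get-SignToolCandidates {
    $env:Path -split ';' | Where-Object { $_ } | ForEach-Object {
        $exe = [IO.Path]::Combine($_.Trim('"'), 'signtool.exe')
        if (Test-Path -LiteralPath $exe) {
            $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            New-Object PSObject -Property @{ Path = $exe; FileVersion = $ver }
        }
    }
}

# Open the PFX and report what a signing tool needs from it.
function Test-CodeSigningPfx {
    param([string]$Path, [System.Security.SecureString]$Password)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey                 # false: certificate only, cannot sign
        HasCodeSignEku = ($ekus -contains '1.3.6.1.5.5.7.3.3')  # id-kp-codeSigning
        InValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
    }
}

Get-SignToolCandidates | Format-Table -AutoSize Path, FileVersion

if (Test-Path -LiteralPath $PfxPath) {
    # Prompt instead of putting the PFX password in a script or build log.
    $pw = Read-Host -AsSecureString "Password for $PfxPath"
    Test-CodeSigningPfx -Path $PfxPath -Password $pw | Format-List
} else {
    Write-Warning "PFX not found: $PfxPath"
}
```

Run it under the same account the build uses, since PATH and file permissions on the .pfx can differ between an interactive session and the build service.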
