cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Digital Signing Patch for InstallShield 2015 SP2 and above

Digital Signing Patch for InstallShield 2015 SP2 and above

Summary

InstallShield digital signing feature uses a timestamp server from Symantec which is being decommissioned (more details here) and migrated to Digicert. Signing with new Digicert URL causes a breakage in Digital Signing

Symptoms

When signing an installer with SHA-256 digest, using the new Digicert server (http://timestamp.digicert.com), the resulting installer is signed by SHA-256 digest, but the counter signatures are signed with SHA1 due to an incorrect order in which InstallShield calls the signing APIs

Affected InstallShield Versions

InstallShield 2015 SP2

InstallShield 2016 SP2

InstallShield 2018 R2

InstallShield 2019 R2

All minor releases of the above releases included

Resolution

  1. The issue is resolved in a hotfix that can be downloaded from this link. Please note that the hotfix is applicable on the latest service packs of above affected versions.
  2. After applying the hotfix, please update Settings.xml file in <InstallShield_InstallPath>/Support/0409 with new URLs

Before:

<DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/><DigitalSignature TimestampRFC3161="http://sha256timestamp.ws.symantec.com/sha256/timestamp"/>

After:

<DigitalSignature Timestamp="http://timestamp.digicert.com"/><DigitalSignature TimestampRFC3161="http://timestamp.digicert.com"/>

Note: For Japanese, Settings.xml can be found at “<InstallShield_InstallPath>/Support/0411”

Additional Information

If there are any additional issues, please contact our  Technical Support team

Labels (1)
Was this article helpful? Yes No
100% helpful (2/2)
Comments

After applying the hotfix, IS 2018R2 stopped working, hanging on startup.

Have to reinstall it.

Tried twice.

Yes, I experienced the same problem yesterday. Splash screen and that's it when IS is launched. Logged a critical ticket in the AM ET since I have 2 products to get out the door today and Monday, but no resolution as of yet.

The only thing I've found is in iside.log, this is logged with every attempted launch after the patch:

iside.cpp 900: ActiveX component can't create object
    > ISApp.CApp.StartApp
    > ISApp.CApp.IApp_Start

Waiting on some ideas from Flexera... I do not want to have to reinstall and reconfigure IS if I can avoid it.

 

 

Yes, I have the same lines in iside.log.

That is the reason why I'm using IS on virtual machines with checkpoints before every reconfiguration.

@DeliRadivoje @richmccoyAHS 

We noticed a problem with the patch. The updated patch is now available. Please download and apply again.

Appreciate your patience on this.

@vdonga

Thank you!

I see no other link than the one in the article. Don't know if that's pointing to the updated patch or not, but I downloaded and installed it and there's no change in the behavior. IS still doesn't launch after the splash screen.

Is this the correct URL for the updated patch?

https://flexerasoftware.flexnetoperations.com/control/inst/AnonymousDownload?dkey=15179097

Hello @richmccoyAHS 

Yes. It's the same link. 

If you continue seeing the same issue, can you please run repair of InstallShield to restore the original file. I'm guessing you are using IS 2018 R2. We will investigate the issue and update here.

Thanks for your patience. 

@vdonga 

Yes, your guess is correct. I will proceed with the repair. Thank you.

Some other details (if you need them, such as hardware, OS, etc.) are in Case #01941086

@vdonga 

FYI - I did the repair to IS Pro 2018R2, and still nothing is happening after the splash screen. Same message logged into iside.log.

Hello @vdonga ,

I think that the linked file is the same as three days ago, I downloaded it half an hour ago and it has a date of the signature set on 31.10.19.

Had the same problem, patch referred to in the link above has sorted this out - downloaded 04/11/2019 9:30

(InstallShield SHA256-RFC3161 Patch.exe)

Thanks to the other members of the community for being on the ball and helping a neophyte out

Still no luck.

I've downloaded it again and it is still the same file with the date of signature on 31.10. Tried to install it but IS still hangs on startup. @i_hurst what is the date of signature of the file you've downloaded?

Hi DeleiRadivoje,

In the digital signature, the timestamp says 01 November 2019 14:02:59

Hope this helps

 

Hi,

I had the same problem with applying patch. InstallShield 2018 R2 cannot start.

I gone to InstallShield 2018 R2 Program Maintenance and click on Repair option.

Repair completed OK.

Now InstallShield ask me for Reactivation, however Reactivation failed with our product code.

 

I can confirm that in my case the problem is solved with a new version of the patch with the timestamp on 1. November 2019.

Hi   @vdonga 

4, November 2019 Installshield Software Manager ask me to setup Critical Patch

 for Digital Signing dated 31,October 2019. I believed to Flexera and I setup it.

I run Repair as you wrote but my Installshield 2018 R2 require Reactivation now.

With our original product code I cannot pass Reactivation.

There is Error 51406 - Fullfillment Recording is disabled.

Please help

 

Sorry, my typo in my previous message.  Correct message is

31, October 2019 Installshield Software Manager ask me to setup Critical Patch

for Digital Signing....

Hello All,

There was a caching issue in our update server causing the link to download older build despite refreshes. We changed to the URL to a different one which fixes the IS 2018 R2 problem.

Apologies for the confusion and appreciate your patience.

@sshtrafun We will reach out to you to resolve the reactivation issue.

Thank you

@vdonga- The latest version of this patch has solved my problem here. Thank you for your help/support.

I downloaded the latest version of this patch with digital signature from November 1, 2019.

After Repair I have Reactivation issue.

Is it correct to apply this patch regardless Reactivation issue (Internet Activation Failed)?

Our Installshield 2018 R2 is working  after applying the latest version of Digital Signing Patch.

Thanks

1)Glad to see that I'm not alone in the troubles of using this patch.
2)not glad that my support ticket on this subject from 11/1 still has no response.

In the future, can I suggest that when there is a rollout issue, have a support tech search new tickets for the patch name and direct them to a relevant thread?

 

I just tried to download from above and the file downloaded has a size of 7,070,640 bytes and a signed time of ‎Friday, ‎November ‎01, ‎2019 8:02:59 AM

Is that the updated patch?

‎I have the same file size but sign time is different. I think  sign time depend on time zone where you are.

-----------------------------------------------------------------------------------------

When I change code I also change file version. However the first and the latest (fixed) patches have the same version 1.0.0.0

 

Are there any plans to update the product installers in the "Product and License Center" to include the patch?  If so, when will they be available?

@flextex The installers in 'Product and License Center' will not be updated with the patch. Any new releases from now will include the fix

it appears that http://timestamp.digicert.com is down as of this morning.

I was building fine yesterday.  Today I am getting errors that installsheild cannot sign my files.  can anyone confirm? is there an alternate?

Nevermind, the problem was on my end.  carry on!

 

@vdonga Does this patch also work for the 2018 R2 standalone builder? After applying the patch and changing the setting URLs I now get signing errors. I applied the patch to the full product without any problems.

@chris13 I am also using the 2018 R2 SAB, it works fine for me (once I figured out the bug in my .ism file)

Good luck!

 

@aaronherrick Thanks for confirming! I just walked away to make a coffee and realised it was user error, so all is well, oops 🙂

Hi,

Does it patch applicable to IS2019 R2 standalone builds? I am not able to install this patch. Patch complains that "InstallShield 2019R2 must be installed to run this update"

regards

 

Hi,

So I am finally able to get to updating this Patch.  I saved it and tried running it. Then I just ran it. I copied the newer version of the Patch and I get the following error:

I am not ready to go fully to the 2019 version.

I appreciate your help in this matter!

 

I was able to run the patch (https://flexerasoftware.flexnetoperations.com/control/inst/AnonymousDownload?dkey=15184397) and then change the <DigitialSignature tags in the appropriate settings.xml file on the development machine where we run the full version of installshield BUT this is only what we use to create and edit existing installshield projects.  Our products on the other hand are created on dedicated build machines with installations of 2018 SAB invoked by build scripts etc.  The patch does not run on those machines as their is no installshield (full product) installed on them, just  2018 SAB. 

 

If I inspect the settings.xml on the 2018 SAB build machines they obviously still point to ->

<DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/><DigitalSignature TimestampRFC3161="http://sha256timestamp.ws.symantec.com/sha256/timestamp"/>

I assume this will cause our build to not be signed appropriately once these a truly decommissioned.  

How should I proceed?  Is there another patch just for SAB? If not, is it ok to just change the settings.xml without patching?

Hello @lduguid,

The patch installer installs on top of InstallShield 2015 SP2, InstallShield 2016 SP2, InstallShield 2018 R2 or InstallShield 2019 R2. and the corresponding SAB also. (InstallShield 2015 SP2 SAB, InstallShield 2016 SP2 SAB, InstallShield 2018 R2 SAB or InstallShield 2019 R2 SAB ).

SAB requires both patch and XML changes to sign with the new time stamp server.

In your case, can you check what version of 2018 SAB installed. Patch installer requires 2018 SAB R2 to  apply the digital signing patch. 

Yes, it is required to modify the SAB settings.xml with the new timestamp server as mentioned KB article.

Ist this patch also necessary for the newly released InstallShield 2019 R3? 

I do not find info regarding this fix in the release notes of R3. At least, I find the updated URL in the Settings.xml as described. Could you confirm, that this fix is already in R3?

Regards

Helge

@HelgeDennhardt If you are on InstallShield 2019 R3, you don't need this patch. This is included in the latest release - InstallShield 2019 R3

Version history
Last update:
‎Sep 15, 2020 02:42 PM
Updated by:
Contributors