cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Signing with a RFC 3161 Timestamp Server

Signing with a RFC 3161 Timestamp Server

Summary

Discussion on specifying a RFC 3161 URL and workaround when digitally signing with InstallShield.

Symptoms

When using Signtool, the /tr command line parameter allowed users to specify the URL of the RFC 3161 time stamp server. There is no direct method or workaround in InstallShield 2015 to specify the URL of a RFC 3161 time stamp server.

Cause

In older versions of InstallShield, the following entry ?<DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/> in the settings.xml could be modified to <DigitalSignature Timestamp="http://timestamp.geotrust.com/tsa"/> to utilize this feature. Due to the changes in signing in InstallShield 2015, this workaround prevents the installation from being signed correctly.

Steps To Reproduce

  1. Create a new Basic MSI project
  2. Go to Media -> Release
  3. Create a new Product Configuration
  4. Create a new Release
  5. Select signing tab, specify a valid certificate
  6. Build and run setup, setup is signed with timestamp correctly
  7. Close InstallShield
  8. Open an Administrative Notepad.exe
  9. File -> Open? to InstallShield\2015\Support\0409 and specify Settings.xml
  10. Change the line of <DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/> to <DigitalSignature Timestamp="http://timestamp.geotrust.com/tsa"/> to try and workaround the issue
  11. Save the file
  12. Open InstallShield and build the project
  13. A -7346 warning occurs that it was signed with a SHA-1 certificate and the resulting file does not have a valid timestamp

Resolution

This issue was originally submitted to our Engineering team and was tracked under issue #IOJ-1732554. The issue has been resolved in InstallShield 2016, please see the InstallShield 2016 release notes in the Related Documents section below for additional information.




Workaround

At this time, it is suggested to sign manually using signtool.exe post build to specify the /tr command line.

Related Documents

Signtool.exe (Sign Tool) - MSDN Article
InstallShield 2016 Release Notes - InstallShield 2016 Release Notes
Was this article helpful? Yes No
No ratings
Version history
Revision #:
1 of 1
Last update:
‎May 31, 2018 02:11 AM
Updated by: