Signing with a RFC 3161 Timestamp Server

Summary

Discussion of specifying an RFC 3161 timestamp server URL when digitally signing with InstallShield, and a workaround.

Symptoms

When using Signtool, the /tr command-line parameter allows users to specify the URL of the RFC 3161 timestamp server. InstallShield 2015 has no direct method or workaround for specifying the URL of an RFC 3161 timestamp server.

Cause

In older versions of InstallShield, the entry <DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/> in Settings.xml could be changed to <DigitalSignature Timestamp="http://timestamp.geotrust.com/tsa"/> to use this feature. Because of the signing changes in InstallShield 2015, this workaround now prevents the installation from being signed correctly.

Steps To Reproduce

  1. Create a new Basic MSI project
  2. Go to Media -> Release
  3. Create a new Product Configuration
  4. Create a new Release
  5. Select signing tab, specify a valid certificate
  6. Build and run setup, setup is signed with timestamp correctly
  7. Close InstallShield
  8. Open an Administrative Notepad.exe
  9. File -> Open, browse to InstallShield\2015\Support\0409 and select Settings.xml
  10. Change the line <DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/> to <DigitalSignature Timestamp="http://timestamp.geotrust.com/tsa"/> to try to work around the issue
  11. Save the file
  12. Open InstallShield and build the project
  13. A -7346 warning occurs that it was signed with a SHA-1 certificate and the resulting file does not have a valid timestamp

Resolution

This issue was originally submitted to our Engineering team and was tracked under issue #IOJ-1732554. The issue has been resolved in InstallShield 2016. Please see the InstallShield 2016 release notes in the Related Documents section below for additional information.




Workaround

At this time, the suggested workaround is to sign manually with signtool.exe as a post-build step, using the /tr command-line parameter to specify the RFC 3161 timestamp server.
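A post-build script for this workaround, as an added example that is not part of the original article or of InstallShield. It assumes signtool.exe is on the PATH, the signing certificate is in the current user's certificate store, and SHA-256 digests are wanted; the parameter names are hypothetical, and the default timestamp URL is the one quoted in this article.

```powershell
# Added example (not from the article): sign a built setup with an RFC 3161
# timestamp, then confirm the signature and the timestamp are actually present.
param(
    [Parameter(Mandatory)] [string] $SetupPath,       # built setup.exe or .msi (hypothetical name)
    [Parameter(Mandatory)] [string] $CertThumbprint,  # thumbprint of the signing cert (assumed to be in the store)
    [string] $TimestampUrl = 'http://timestamp.geotrust.com/tsa',  # RFC 3161 URL quoted in the article
    [string] $SignTool = 'signtool.exe'               # assumption: signtool.exe is on PATH
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SetupPath)) {
    throw "File not found: $SetupPath"
}

# /sha1 selects the certificate by thumbprint; /fd is the file digest;
# /tr is the RFC 3161 timestamp server; /td is the timestamp digest and follows /tr.
& $SignTool sign /sha1 $CertThumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $SetupPath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# /pa uses the default Authenticode verification policy; /tw makes signtool
# warn (exit code 2) when the signature carries no timestamp.
& $SignTool verify /pa /tw /v $SetupPath
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify reported a problem (exit code $LASTEXITCODE)"
}

# Independent check through PowerShell: a signed file with no timestamp
# has an empty TimeStamperCertificate.
$sig = Get-AuthenticodeSignature -FilePath $SetupPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "File is signed but has no timestamp; check the /tr URL."
}

"Signed and timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Failing the build when the timestamp is missing matters because a signature without a timestamp stops validating once the signing certificate expires.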

Related Documents

Signtool.exe (Sign Tool) - MSDN Article
InstallShield 2016 Release Notes - InstallShield 2016 Release Notes
Last update: May 31, 2018 02:11 AM