DaveSimmons
Occasional contributor

2019R3 - MSI - error -1027 signing SWIDTAG (signing OK with tag disabled)

We just replaced our old Thawte 2048-bit code signing certificate with a new DigiCert 3072-bit one.

InstallScript EXE builds are happy to use the new cert, but MSI builds fail unless I turn off including the Software ID tag:

Started signing regid.2000-08.com.respondus_536602BC-5D44-4599-83AB-0A9F25F3C55C.swidtag ...
Keyset does not exist
ISDEV : error -1027: Failed signing regid.2000-08.com.respondus_536602BC-5D44-4599-83AB-0A9F25F3C55C.swidtag

When I set Include Software ID Tag to NO it builds without warnings or errors.

Does IS 2020 fix this, or do SWIDTAG files not support SHA-256 signatures?

0 Kudos
2 Replies
varul
Revenera

Did you install the hotfix patch for IS2019R2 to fix the digital signature issue?

https://community.flexera.com/t5/InstallShield-Knowledge-Base/Digital-Signing-Patch-for-InstallShiel...

We don't have any issue with respect to digital signature, so please check that the certificate details entered are correct and make sure the PFX file used to sign is not expired.

DaveSimmons
Occasional contributor

Thanks for the response. I worked with a helpful person in support who sent me a working self-signed certificate to compare with ours. It turns out that the code in 2019 R3 that signs the SWIDTAG had a problem with our cert, which was a P7B to PFX conversion, but worked when I used OpenSSL and did a direct CER + KEY to PFX conversion.

It's weird that the first version of the PFX works with SignTool, OpenSSL, our Java signing code on AWS, and with IS 2019 R3's signing of EXE and MSI, just not SWIDTAG. But the new version of the PFX works with that too, so all is fine now.

0 Kudos
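The direct CER + KEY to PFX conversion mentioned in the last reply, as an added example (not the poster's commands and not InstallShield code), followed by a check that the resulting PFX actually carries a private key matching its certificate. The function names, file names, password and the throwaway self-signed certificate are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build a PFX directly from certificate + key, then verify it.

# make_pfx CERT KEY OUT PASS: direct CER + KEY -> PFX conversion.
make_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# pfx_has_matching_key PFX PASS: succeed only if the PFX holds a private key
# whose public half equals the public key in the signing certificate.
pfx_has_matching_key() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# demo: uses a constructed throwaway cert/key, not a real code signing cert.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:3072 -nodes -days 1 \
        -subj "/CN=Constructed Test Signer" \
        -keyout "$dir/test.key" -out "$dir/test.cer" 2>/dev/null || return 1
    make_pfx "$dir/test.cer" "$dir/test.key" "$dir/good.pfx" "constructed-pass" || return 1
    # Cert-only PFX for contrast: it has no private key inside.
    openssl pkcs12 -export -nokeys -in "$dir/test.cer" \
        -out "$dir/certonly.pfx" -passout "pass:constructed-pass" || return 1
    rc=0
    pfx_has_matching_key "$dir/good.pfx" "constructed-pass" || rc=1
    if pfx_has_matching_key "$dir/certonly.pfx" "constructed-pass"; then rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo && echo "direct CER + KEY PFX verified; cert-only PFX rejected"
```

This check only confirms that the container pairs the certificate with its own key; it does not reproduce the InstallShield SWIDTAG signing step itself.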