peterk
Posts: 9
Joined: Wed Aug 03, 2022 3:23 pm

Digital certificate expired but only for command line build

Fri Aug 12, 2022 12:25 am

We use TeamCity to build our product and we have just recently tried to enable the digital signature for our application. The certificate in the "store" is one that we created and appears to work just fine when we build our project through the UI.

When we build our product using TeamCity and the AdvancedInstaller plugin, we get an error that the digital certificate has expired. This seems to be in error because
1) It builds fine in the UI
2) We just used AI to create the certificate and its expiration is August 1st 2023.


Error message:
[19:12:40] : [Step 24/25] Starting: "C:\Program Files (x86)\Caphyon\Advanced Installer 19.6\bin\x86\AdvancedInstaller.com" /execute "C:\AdvancedInstallerProject\Full.aip" C:\TeamCity\buildAgent\temp\globalTmp\aic6499808243726108508.tmp
[19:12:40] : [Step 24/25] in directory: C:\TeamCity\buildAgent\work\96d08da23e9ead6f
[19:12:40] : [Step 24/25] SetOutputLocation -buildname "DefaultBuild" -path "C:\TeamCity\buildAgent\work\96d08da23e9ead6f\Installers"
[19:12:40] : [Step 24/25] SetPackageName Software_1.6.162.4369.exe
[19:12:40] : [Step 24/25] Build -buildslist "DefaultBuild"
[19:12:40] : [Step 24/25]
[19:12:41] : [Step 24/25] Checking builds status
[19:12:41] : [Step 24/25] Build required.
[19:12:41] : [Step 24/25]
[19:12:41] : [Step 24/25] [ DefaultBuild ]
[19:12:41] : [Step 24/25] Building package: C:\TeamCity\buildAgent\work\96d08da23e9ead6f\Installers\Software_1.6.162.4369.exe
[19:12:41] : [Step 24/25] Prepare build
[19:12:42] : [Step 24/25] Detecting MSI incompatible resources
[19:12:42] : [Step 24/25] ERROR: Digital signature. Digital certificate selected for signing has expired! Please replace it with a valid SHA256 certificate.
[19:12:42] : [Step 24/25] WARNING: Digital signature. Digital certificate selected for signing is of SHA1 type. This might work but is not officially supported by Windows, a SHA256 certificate is recommended.
[19:12:42] : [Step 24/25] Build finished because an error was encountered.

Version 19.6 (BF52C98E)

Daniel
Posts: 8213
Joined: Mon Apr 02, 2012 1:11 pm

Re: Digital certificate expired but only for command line build

Mon Aug 15, 2022 6:48 am

Hi Peter,

This may happen if the Jenkins build runs under a different Windows User account than the one you use when you run Advanced Installer with UI.

When you create a certificate from the Advanced Installer application, the certificate is imported only into the current user's certificate store. Thus it is available only to the currently logged-in Windows user account that the Advanced Installer UI app runs under.

As a workaround, you can try to export the related certificate to disk and enable the "Use file from disk" option on the "Digital Signatures" page of your setup project. The certificate will then be used from disk instead of from the certificate store.

Hope this helps.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
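To check the explanation in the reply above (a certificate that exists only in the interactive user's store), the following added example, which is not from the thread or from Advanced Installer, lists what each account can see. Run it once in your own session and once as a command-line step on the build agent, then compare the account name, thumbprints, expiry dates and signature algorithms; the function name `Get-SigningCertReport` is hypothetical.

```powershell
# Added example: report the certificates visible to the account this script
# runs under, in both the per-user and the machine-wide "Personal" stores.
function Get-SigningCertReport {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU
    $account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $now = Get-Date

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            # Collect the Enhanced Key Usage OIDs, if the extension is present.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $ekuOids = @()
            if ($eku) {
                $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }

            [pscustomobject]@{
                RunningAs      = $account
                Store          = $path
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                Expired        = ($cert.NotAfter -lt $now)
                SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
                CodeSigningEku = ($ekuOids -contains $codeSigningOid)
                HasPrivateKey  = $cert.HasPrivateKey
            }
        }
    }
}

Get-SigningCertReport | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

If the build step's output shows a different `RunningAs` account and the expected thumbprint is missing from its stores, the signing configuration is resolving against a store the agent account does not share with the interactive user.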

peterk
Posts: 9
Joined: Wed Aug 03, 2022 3:23 pm

Re: Digital certificate expired but only for command line build

Mon Aug 15, 2022 6:47 pm

Now we are facing a new issue:

[ DefaultBuild ]
14:13:38 Building package: C:\TeamCity\buildAgent\work\96d08da23e9ead6f\Software_1.6.168.4378.exe
14:13:38 Prepare build
14:13:38 Detecting MSI incompatible resources
14:13:38 Preparing files
14:14:22 Creating CAB file(s)
14:14:23 Signing CAB file(s)
14:14:23 The digital signing of the external cabinets failed. Error message: 'SignTool Error: No certificates were found that met all the given criteria.
14:14:23 File "C:\AdvancedInstallerProject\SiteServiceFull\Site Service Full-cache\part1\Site Service Full1.cab" can not be signed!
14:14:23

Daniel
Posts: 8213
Joined: Mon Apr 02, 2012 1:11 pm

Re: Digital certificate expired but only for command line build

Tue Aug 16, 2022 9:44 am

Hi,

This is really strange. Can you please make sure that the .AIP (setup project) file you are using in your TeamCity build has the "Use file from disk" option enabled on the "Digital Signatures" page?

Usually the above error occurs when the "Use from certificate store" option is set.

All the best,
Daniel
Daniel Radu - Advanced Installer Team

peterk
Posts: 9
Joined: Wed Aug 03, 2022 3:23 pm

Re: Digital certificate expired but only for command line build

Tue Aug 16, 2022 2:31 pm

After changing to use "Use file from Disk", our errors are now gone and we are finally able to sign our .exe.

Daniel
Posts: 8213
Joined: Mon Apr 02, 2012 1:11 pm

Re: Digital certificate expired but only for command line build

Wed Aug 17, 2022 6:09 am

This is great. I am glad you got this working.

Thank you for your follow-up on this!

Daniel
Daniel Radu - Advanced Installer Team