Hello,
I have built a "Single EXE Setup" package (Mixed 32/64) using Advanced Installer Professional 9.2 and enabled Digital Signature facility within AI to do the signing for me as it builds and packages the pieces up. Although Windows Server 2008 R2 x64 is selected as one of the supported Operating Systems, the signatures AI generates get recognized properly on all Windows OS editions except Server 2008 R2 x64. Has anybody run into this problem before? Is there a workaround?
Let me add that if I sign any executable using my signature manually, it gets recognized properly on Windows Server 2008 R2. So I'm confident that it's not an issue with neither the OS or the Digital Certificate I'm using.
Thanks.
KT
Suggested Articles
Re: AI Signature is not recognized on Win2008 R2 x64
Hi,
If the digital signature is correctly seen by other OSes it should work without any problems on Win2008 too.
Can you reproduce this in a new test project? If so, can you please send that over to us at support at advancedinstaller dot com so we can analyze the problem?
Regards,
Bogdan
If the digital signature is correctly seen by other OSes it should work without any problems on Win2008 too.
Can you reproduce this in a new test project? If so, can you please send that over to us at support at advancedinstaller dot com so we can analyze the problem?
Regards,
Bogdan
Re: AI Signature is not recognized on Win2008 R2 x64
Hello Bogdan,
Thanks so much for looking into this issue.
The problem turned out to be rooted in the Certificate Chains that was used in the signature vs. what was recognized on that Operating
System. After I updated the test PC (Windows Server 2008 R2 x64) with all the latest and greatest patches that was available through Windows Update and also pointed my Advanced Installer to use the Signtool executable that comes with WDK rather than the one that comes by default with the Visual Studio SDK, the problem disappeared and everything is working as expected now.
Thanks again.
KT
Thanks so much for looking into this issue.
The problem turned out to be rooted in the Certificate Chains that was used in the signature vs. what was recognized on that Operating
System. After I updated the test PC (Windows Server 2008 R2 x64) with all the latest and greatest patches that was available through Windows Update and also pointed my Advanced Installer to use the Signtool executable that comes with WDK rather than the one that comes by default with the Visual Studio SDK, the problem disappeared and everything is working as expected now.
Thanks again.
KT
Re: AI Signature is not recognized on Win2008 R2 x64
Hello Bogdan,
I wanted to share with you some new developments. It seems like that even though my problem got resolved, AI still doesn't sign the files properly.
I did some analysis on the files that AI signs and found out that AI doesn't sign them with the proper Cross-Certificate; resulting in rejection of the signature on some operating systems. If I sign those files again manually using the right cross-certificate, they get recognized on the target OS.
Is there anyway to tell AI which Cross-Certificate to use? What is the command structure that AI uses to sign stuff (signtool ....)?
Thanks.
Kambizt
I wanted to share with you some new developments. It seems like that even though my problem got resolved, AI still doesn't sign the files properly.
I did some analysis on the files that AI signs and found out that AI doesn't sign them with the proper Cross-Certificate; resulting in rejection of the signature on some operating systems. If I sign those files again manually using the right cross-certificate, they get recognized on the target OS.
Is there anyway to tell AI which Cross-Certificate to use? What is the command structure that AI uses to sign stuff (signtool ....)?
Thanks.
Kambizt
Re: AI Signature is not recognized on Win2008 R2 x64
Hi Kambizt,
The current version of Advanced Installer allows you to select the desired certificate, just go to Digital Signature page and select it from the combo.
If you want to, you can also select the certificate file directly from the machine, using the file from disk option.
Regards,
Bogdan
The current version of Advanced Installer allows you to select the desired certificate, just go to Digital Signature page and select it from the combo.
If you want to, you can also select the certificate file directly from the machine, using the file from disk option.
Regards,
Bogdan
Re: AI Signature is not recognized on Win2008 R2 x64
Hello Bogdan,
I'm using Advanced Installer 9.3 Professional and the only thing I can change on the "Digital Signature" page is the Signature files themselves; not the cross-certificate that AI uses to sign the files. I even used the "Use file from disk" option; but found no place to be able to identify the cross-certificate.
What happens is that AI uses the right signature (my signature) and then it grabs the wrong Cross-Certificate from the certificate store and creates a Hash. When you go on a different computer and look at the digital signature on the file, it confirm that my signature is OK; but the one that approved my signature (In this case Verisign) is using an unrecognized signature.
Your advice is really appreciated.
Thanks.
Kambizt
I'm using Advanced Installer 9.3 Professional and the only thing I can change on the "Digital Signature" page is the Signature files themselves; not the cross-certificate that AI uses to sign the files. I even used the "Use file from disk" option; but found no place to be able to identify the cross-certificate.
What happens is that AI uses the right signature (my signature) and then it grabs the wrong Cross-Certificate from the certificate store and creates a Hash. When you go on a different computer and look at the digital signature on the file, it confirm that my signature is OK; but the one that approved my signature (In this case Verisign) is using an unrecognized signature.
Your advice is really appreciated.
Thanks.
Kambizt
Re: AI Signature is not recognized on Win2008 R2 x64
Hi Kambizt,
For the couple last versions we have inserted in Advanced Installer our own digital signing tool, so we can allow users that don't have the sign tools from Microsoft on their machines to easily sign their package. However, Advanced Installer is configurable so you can choose which sign tool to use when it applies the signature. Just go in the application menu, upper left side corner, under Options -> External Tools.
In the new dialog select for SignTool.exe the executable provided with the SDK from Microsoft and rebuild the package. If this works, it means as you said there is a small bug in our signing tool, so we shall start an investigation based on the details received from you.
Regards,
Bogdan
This is not possible, but you can try something else which should work.Is there anyway I can sign the two MSI files and other "Files Configured For Signing" manually during a "Single EXE setup (resources inside)" while AI generates the final EXE?
For the couple last versions we have inserted in Advanced Installer our own digital signing tool, so we can allow users that don't have the sign tools from Microsoft on their machines to easily sign their package. However, Advanced Installer is configurable so you can choose which sign tool to use when it applies the signature. Just go in the application menu, upper left side corner, under Options -> External Tools.
In the new dialog select for SignTool.exe the executable provided with the SDK from Microsoft and rebuild the package. If this works, it means as you said there is a small bug in our signing tool, so we shall start an investigation based on the details received from you.
Regards,
Bogdan
Re: AI Signature is not recognized on Win2008 R2 x64
Hello Bogdan,
I got the exact same results with the External Tools too !!!
As I said earlier, AI doesn't seem to include the right certificate chain when signing the files. To explain it better, I have used the same SAMPLE project that was sent to me by AI team regarding a different issue, and signed it both manually and using AI (SignTool in both cases). Again the size of the package that AI signs is 2KB smaller than the one I manually signed using the following command:
signtool sign /a /v /ac C:\Verisign-Cross-Certificate\MSCV-VSClass3.cer /t http://timestamp.verisign.com/scripts/timestamp.dll C:\sample.msi
I'm going to send you all the files and screenshots of the problem I'm refering to via email.
Thanks.
Kambiz
I got the exact same results with the External Tools too !!!
As I said earlier, AI doesn't seem to include the right certificate chain when signing the files. To explain it better, I have used the same SAMPLE project that was sent to me by AI team regarding a different issue, and signed it both manually and using AI (SignTool in both cases). Again the size of the package that AI signs is 2KB smaller than the one I manually signed using the following command:
signtool sign /a /v /ac C:\Verisign-Cross-Certificate\MSCV-VSClass3.cer /t http://timestamp.verisign.com/scripts/timestamp.dll C:\sample.msi
I'm going to send you all the files and screenshots of the problem I'm refering to via email.
Thanks.
Kambiz
Re: AI Signature is not recognized on Win2008 R2 x64
Hi Kambiz,
Unfortunately Advanced Installer does not support the switch "/ac" for adding the cross-certificate. When you set Advanced Installer to get the most suited certificate from the store it only calls SignTool with "/a".
Have you considered converting our SPC certificate to an PFX and use that to sign the package? This type of certificate should contain all the required information.
Regards,
Bogdan
Unfortunately Advanced Installer does not support the switch "/ac" for adding the cross-certificate. When you set Advanced Installer to get the most suited certificate from the store it only calls SignTool with "/a".
Have you considered converting our SPC certificate to an PFX and use that to sign the package? This type of certificate should contain all the required information.
Regards,
Bogdan
Re: AI Signature is not recognized on Win2008 R2 x64
Hi Bogdan,
Thanks much for following this matter so urgently and putting so much efforts into it.
I will consider using PFX files to get around the issue.
Best regards,
Kambizt
Thanks much for following this matter so urgently and putting so much efforts into it.
I will consider using PFX files to get around the issue.
Best regards,
Kambizt
Re: AI Signature is not recognized on Win2008 R2 x64
Hi Kambizt,
As always, any user requests/problems are very important to us. Making sure our existent features work as expected is top priority.
Regards,
Bogdan
As always, any user requests/problems are very important to us. Making sure our existent features work as expected is top priority.
Regards,
Bogdan