vpodans
Posts: 28
Joined: Tue Dec 27, 2011 3:03 pm

MSI signing with smart card -- too many prompts

I'm using a signing certificate (from DigiCert) which is stored on a smart card. When I create and build an MSI I receive too many PIN prompts for the smart card during a single build. It can be more than 10 prompts (depending on the number of binary files in the project) at a time, which is very annoying.
Daniel
Posts: 8238
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Re: MSI signing with smart card -- too many prompts

Hello,

Can you please enable the "Store encrypted password in project file" option from the "Digital Signature" page and then try again and see if the behavior still persists?

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
vpodans
Posts: 28
Joined: Tue Dec 27, 2011 3:03 pm

Re: MSI signing with smart card -- too many prompts

Sorry for delayed response.

No, I can't enable this option as it is not shown on the Digital Signature page. I'm using AI 10.9. Maybe it was added in a newer version?
Daniel
Posts: 8238
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Re: MSI signing with smart card -- too many prompts

Hello,

The "Store encrypted password in project file" option can be used only for certificate files which have a password. If your certificate file doesn't have a password, then this option is hidden. However, I forwarded your scenario to our development team and it seems this happens because during the signing operation Advanced Installer tries to access the certificate file for every file within the "Digital Signature page -> Files configured for signing" section. Considering that your certificate is on a smart card, as already reported, you will be prompted for the PIN for every file AI signs during the build process. This is our default implementation. Starting with version 11.2 of Advanced Installer we have added an improvement so that multiple files can be signed at once during the build process, so if you upgrade to AI 11.2 or a newer version you should receive a reduced number of PIN prompts during the signing operation.

As a workaround, in order to avoid this behavior (if you are allowed to), you can import your certificate into the system store and use it from the system store, or you can copy it to a local path and use it from disk.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
vpodans
Posts: 28
Joined: Tue Dec 27, 2011 3:03 pm

Re: MSI signing with smart card -- too many prompts

> If your certificate file doesn't have a password, then this option will be hidden

There is no password, because the certificate is stored on a smart card rather than in a PKCS#12/PFX file.

> Starting with version 11.2 of Advanced Installer we have added an improvement so that multiple files can be signed at once during build process

I'll take a look at the new version.

I know I can't dictate or recommend how your product must work, but I have several thoughts which you can forward to your development team for further consideration.

I did a little research and found that you use (as of AI 10.9) a separate .exe file to sign files. Obviously this .exe file is executed each time a file is signed and loses the handle to the private key each time the process ends. If you are using the .NET Framework, then you can use direct .NET calls to create and attach Authenticode signatures. Otherwise it is a bit more complicated, but it is possible to use native CryptoAPI functions to do this. In this case, you acquire the handle only once and use it for subsequent calls without having to prompt for the PIN until the handle is released.

> As a workaround, in order to avoid this behavior (if you are allowed to) you can import your certificate in the Certificate Store and use it from system store or you can copy it on a local path and use it from disk.

It is not possible. It is the main function of a smart card -- the private key never leaves the card and is never exposed to an application; all cryptographic operations are performed within the card.

Anyway, thanks for your help.
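The flow vpodans describes above, one process holding one private-key handle while it signs every output file, is something a build script can do today from PowerShell. The script below is an added example for this thread; it is not code from the thread, from Advanced Installer, or from DigiCert. It assumes the smart card's certificate is visible in the current user's personal store (the card's CSP/KSP registers it there), that the placeholder thumbprint, build folder and timestamp URL are replaced with real values, and that the card's PIN-cache policy allows the cached PIN to be reused within a process.

```powershell
# Added example: sign a whole build output from ONE PowerShell process with ONE certificate
# object, so the smart-card provider's PIN cache is reused instead of re-prompting per file.
# Assumptions: the card's certificate appears in Cert:\CurrentUser\My, $Thumbprint is
# replaced with the real value, and the folder and timestamp URL below are placeholders.
param(
    [string]$BuildOutput  = 'C:\build\out',                           # placeholder: folder with the binaries
    [string]$Thumbprint   = 'REPLACE-WITH-SMARTCARD-CERT-THUMBPRINT',  # placeholder: see Get-ChildItem Cert:\CurrentUser\My
    [string]$TimestampUrl = 'http://timestamp.digicert.com'            # assumed RFC 3161 timestamp service
)

# 1. Resolve the certificate once. There is no PFX and no password: the private key lives on
#    the card, and HasPrivateKey is true because the store entry is linked to the card's provider.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint and a private key in Cert:\CurrentUser\My" }

# 2. Collect everything that needs an Authenticode signature.
$files = Get-ChildItem -Path $BuildOutput -Recurse -File -Include *.exe, *.dll, *.msi
if (-not $files) { throw "Nothing to sign under $BuildOutput" }

# 3. Sign all files from this single process. The first operation prompts for the PIN;
#    with the default Windows smart-card PIN cache the remaining files reuse it, because the
#    key handle belongs to this process and is not torn down between files.
foreach ($f in $files) {
    $null = Set-AuthenticodeSignature -FilePath $f.FullName -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
}

# 4. Verify, as a release gate: every file must carry a valid signature from this signer.
$bad = Get-AuthenticodeSignature -FilePath $files.FullName |
    Where-Object { $_.Status -ne 'Valid' -or $_.SignerCertificate.Thumbprint -ne $cert.Thumbprint }
if ($bad) {
    $bad | Format-Table Path, Status, StatusMessage -AutoSize
    throw "$($bad.Count) file(s) are not correctly signed"
}
"Signed and verified $($files.Count) file(s) as $($cert.Subject)"
```

The same single-process idea applies to signtool, which accepts several files in one invocation (`signtool sign /sha1 <thumbprint> /fd SHA256 /tr <timestamp URL> /td SHA256 a.exe b.dll c.msi`). Whether the second and later files really go through without a prompt is decided by the card's minidriver and policy, not by the script: cards configured to require the PIN for every private-key use will still prompt per file, which is the expected behaviour for that policy rather than a bug in the build tooling.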
Daniel
Posts: 8238
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Re: MSI signing with smart card -- too many prompts

Hello,
> I did a little research and found that you use (as of AI 10.9) a separate .exe file to sign files. Obviously this .exe file is executed each time a file is signed and loses the handle to the private key each time the process ends. If you are using the .NET Framework, then you can use direct .NET calls to create and attach Authenticode signatures. Otherwise it is a bit more complicated, but it is possible to use native CryptoAPI functions to do this. In this case, you acquire the handle only once and use it for subsequent calls without having to prompt for the PIN until the handle is released.

I've forwarded your thoughts to our development team. Thank you for your suggestions.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
