Jimmy_Cnir
Posts: 6
Joined: Wed Sep 27, 2017 8:10 am

EXE and MSI file signature mismatch

Mon Nov 06, 2017 1:12 pm

Hi Sir.

We used advanced installer version 14.4 to build package,
and installed package on others PC/NB, appear "exe and msi file signature mismatch".
step 1: add file into "post-install".
step 2: enable Digital Signature page "Enable signing"
step 3: used SignTool.exe signed with SHA1 or SHA256

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: EXE and MSI file signature mismatch

Fri Nov 10, 2017 10:30 am

Hello,

I've tested the scenario but cannot replicate the issue. Can you please send us to support at advancedinstaller dot com the AIP (project file) and a verbose log of such an installation so we can further test and investigate this?

Also, can you let us know if you sign the EXE setup package outside of Advanced Installer. This error may appear if you do sign the EXE setup package outside of the Advanced Installer. In this case the EXE will detect that the MSI embedded inside it doesn't have a signature, thus there will be a signature mismatch between EXE bootstrapper and its embedded MSI. In this case the installation will be aborted. If you want to digitally sign your setup package you should use only our "Digital Signature" page.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

sfaust
Posts: 48
Joined: Tue Oct 13, 2015 11:57 pm

Re: EXE and MSI file signature mismatch

Mon Nov 27, 2017 9:58 pm

I have a similar issue to this, however I think I understand where it's coming from but I don't know what can be done about it...

I am developing a program for another company through a consulting agreement. They have their own certificate that they would like to use to sign, however they (understandably) don't want to give me all the credentials for their cert in order to automatically sign through the AI interface. For program code (exe's and dll's) as well as msi installs I have been able to just build it and then hand it off to them to sign. However, they would like to use the advanced UI which requires exe build. When I do this there is only an exe, not a separate msi for them to sign. When they sign the exe it ends up with this mismatch since the embedded msi isn't signed...

Is there a way for them to sign both the exe and msi without having AI? What are the options for dealing with this situation?

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: EXE and MSI file signature mismatch

Tue Nov 28, 2017 10:22 am

Hello,

As a workaround you could use your own certificate (even a test one) to sign the setup package from Advanced Installer. Then you can forward the EXE setup to the customer and they can further on sign the setup with their own certificate. This way the EXE and MSI signature mismatch behavior will be avoided.

As another option you could choose to build the setup as an EXE with resources outside (check this option under "Build" page into your setup project)) and forward all the built setup resources to the customer to be signed on their side.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

sfaust
Posts: 48
Joined: Tue Oct 13, 2015 11:57 pm

Re: EXE and MSI file signature mismatch

Tue Nov 28, 2017 6:49 pm

Wouldn't that create the same issue since the msi would be signed by my certificate and the exe would be theirs? or is it just that it has to be signed by SOMETHING in both or neither? Running some tests on that now...

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: EXE and MSI file signature mismatch

Wed Nov 29, 2017 11:45 am

or is it just that it has to be signed by SOMETHING in both or neither?
That's right.

Just let us know if there is anything else we can help you with.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Ningxin
Posts: 1
Joined: Mon Jan 17, 2022 9:42 am

Re: EXE and MSI file signature mismatch

Mon Jan 17, 2022 10:12 am

Hello, sir
At present, my package publisher is deployed on the ECS, and jenkens is used to complete the continuous integration task.
The final result of packaging the publisher is an EXE installation package.
At present, I also encounter this problem. Let me describe the current situation in detail:
1. Start the Jenkins task. This process is completed on the ECS. The last step of the task is to use virboxprotector to encrypt and protect the DLL and exe published by ourselves.
2. Then manually enter the ECS, open the AIP file, download the DLL and exe involved in packaging to the local, and use the ukey provided by the digital certificate provider to sign the EV code
3. Overwrite the signed file to the original path on the ECS
4. Manually run the build step of AIP on the ECS to obtain the packaged installation package
5. Download the installation package locally and use the ukey provided by the digital certificate provider to sign the EV code
6. During installation, the problem of "EXE and MSI file signature mismatchs" was encountered
After reading the post, I found that it may be caused by the problem of "can you let us know if you sign the EXE setup package outside of advanced installer".
My question now is:
1. Do I only need to sign the unique installer (EXE format) after packaging, or do I only need to sign the DLL encrypted with virboxprotector, or sign all DLLs involved in packaging?
2. To solve this problem, should I configure "production information-digital signature-settings" in AIP
3. How to configure "production information-digital signature-settings"
My digital signature batch file commands are as follows:
signtool sign /v /as /fd sha256 /sha1 33xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /tr http://timestamp.sectigo.com /td sha256 all_ files/*.*
Add: my EV code signature is completed using a USB flash disk (called ukey by the digital certificate provider).
If you need more information, I can provide my email. After getting in touch, I can send AIP files or pictures describing the problem.
All the best,
Ningxin

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: EXE and MSI file signature mismatch

Thu Jan 20, 2022 4:06 pm

Hello Ningxin and welcome to our forums,

In the following FAQ, it is explained why this error occurs:

Why do I get the "Unmatching digital signature between EXE bootstraper and MSI database" message?

Basically, the error indeed occurs because resign the EXE outside of Advanced Installer.

In the FAQ, a solution to this is also presented.
1. Do I only need to sign the unique installer (EXE format) after packaging, or do I only need to sign the DLL encrypted with virboxprotector, or sign all DLLs involved in packaging?
You would need to have the EXE and the MSI (which is embedded in the EXE) signed with the same certificate.

I believe the best way would be to use our "Digital Signatures" page. There, you will be able to sign all the setup resources (EXE, MSI and its CAB) using the same certificate.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

marcusl0104
Posts: 3
Joined: Wed May 25, 2022 6:27 am

Re: EXE and MSI file signature mismatch

Mon Jun 06, 2022 2:52 am

Hi there,
Would it be possible to set the a digital certificate with hardware token (e.g. usb thumb drive)?

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: EXE and MSI file signature mismatch

Wed Jun 08, 2022 4:47 pm

Hello Marcus,

Please have a look over the following article:

How to use the USB eToken for Extended Validation Code Signing in Advanced Installer

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”