Error when signing install

[doclove]

When I am trying to build my install I am getting the error "Could not extract digital certificate" when signing the cab file. This is when I am trying to use the http://timestamp.globalsign.com/scripts/timstamp.dll timestamp service. The same happens with other services that I use, except for tsa.starfieldtech.com which gives the error "The application ran into a problem that it couldn't handle". The details are:

Code: Select all

[SEH_AV_WRITE_BADPTR] ACCESS_VIOLATION (0xc0000005) at address [0x7791de33]

Advanced Installer 15.2 build 30c2e84376
*** Stack Trace (x86) ***

[0x7791de33]  RtlInterlockedPushEntrySList()
[0x7791dcdb]  RtlInterlockedPushEntrySList()
[0x7791dd05]  RtlInterlockedPushEntrySList()
[0x7510d280]  CertCloseStore()
[0x01ad5677]  -----
[0x01bcfd0c]  -----
[0x01bce69e]  -----
[0x01ad44b5]  -----
[0x01ad3fb1]  -----
[0x0184d39b]  -----
[0x0184aa67]  -----
[0x0184a766]  -----
[0x01a4b774]  -----
[0x0197b7f0]  -----
[0x015ecc69]  -----
[0x0152cee5]  -----
[0x01535abc]  -----
[0x0221fb70]  -----
[0x01514001]  -----
[0x7795ad8f]  RtlInitializeExceptionChain()
[0x7795ad5a]  RtlInitializeExceptionChain()
[0x01170000]  MODULE_BASE_ADDRESS

I typically use the starfield timestamp service when I sign my code with this certificate.

I am able to sign code with this certificate outside of the installer without any issues. I can sign the install outside of the installer but I then get the mismatch error when running the install. I have seen the other references to issues with signing an install, but those haven't worked for me.

Please help.

[DanoGeorge]

Hello,

I had the same issue on Windows 7. Then I tried it with Windows 8.1 SDK and used SignTool. The same. Should I try the DigiSign?
I've just sent my .AIP (project file) to support (at) advancedinstaller (dot) com
Waiting for the reply.

[doclove]

I tried DigiSign and had the same error. Please post if you get a response and what the fix is.

[Daniel]

Hello,

We have tested your setup project configuration, but we cannot replicate the error.

Can you please disable the signing operation within "Digital Signatures" page of your setup project, rebuilt it without being signed and send us by email to support at advancedinstaller dot com a download link for the built setup package?

Also, can you please open Advanced Installer, go to "File" menu -> "Settings" -> "External Tools" and let us know which SignTool file path do you have set in the "SignTool.exe" field? Also, on what Windows OS version do you run your build operation?

As a side note, if you could isolate the same build error by using a test certificate and send it us a complete buildable sample this will be even great.

All the best,
Daniel

[Daniel]

Hello,

We have built your setup project and signed it within Advanced Installer with several certificates and it was successfully signed and built.

Can you please test the following scenario on your side:

1. run your EXE setup with the following command to extract its embedded MSI and CAB

Code: Select all

setup.exe /extract

2. use the same SignTool signing command line that Advanced Installer is using, to sign the MSI and then the CAB file too:

Code: Select all

signtool.exe sign /f <key>.pfx /p <pwd> /t <timestamp URL> /du <url> MyProduct.msi

3. check the results and make sure the CAB file can be successfully signed

Also, please note that you should make sure that your certificate is of Microsoft Authenticode type. Only Microsoft Authenticode certificate types can sign MSI and CAB installation files. So please double check this detail with your certificate vendor too.

All the best,
Daniel

[doclove]

I was able to figure out what my issue was and fix it. The problem was that the private key was not included as part of the .pfx file. This was a renewed certificate and it didn't include that. I found some instructions on how to include the private key with the .pfx file. After I did that then the install worked.

So note to others, even if your certificate works for code signing outside of Advanced Installer, if you are getting this error check to make sure that the private key is included with the certificate you are using.

[Daniel]

Thank you for your follow up on this.

Certainly your insights and solution will be available for other customers. Thank you for sharing this with us.

All the best,
Daniel