Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

SignTool.exe gets broken after February 27, 2020—KB4535996 Windows Update

Tue Mar 03, 2020 10:52 am

After you install the "February 27, 2020—KB4535996" Windows Update, the system signing tool (SignTool.exe) no longer works properly.

Therefore, when you try to build a setup project configured to be digitally signed, Advanced Installer throws the following error:

ERROR: Digital signature. KB 3118401 is not installed. Selected "signtool.exe" requires the Windows update known as "Update for Universal C Runtime in Windows, KB 3118401"

This is due to a check we perform to determine that SignTool.exe and its dependencies are installed and functioning correctly on the current machine. Unfortunately, this is no longer the case after applying the KB4535996 update.

After this Windows system update it seems SignTool.exe no longer works.

We reported this issue to Microsoft and will be waiting for a fix.

Until Microsoft fixes this bug, the only workaround we have found so far is to manually roll back/uninstall the KB4535996 system update.
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

h.hasenack
Posts: 15
Joined: Wed Aug 26, 2015 1:28 pm

Re: SignTool.exe gets broken after February 27, 2020—KB4535996 Windows Update

Tue Mar 03, 2020 11:23 am

There is a workaround available. I can confirm it worked for me. (from MSDN site, see previous post)

-->> One workaround would be to rename the wintrust.dll file in the signtool.exe directory and then copy the new wintrust.dll into the directory. (From the Windows\System32 folder into the signtool.exe folder)
----------------------------
Kind regards,

Hans Hasenack
S&G Asset Management
Netherlands

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: SignTool.exe gets broken after February 27, 2020—KB4535996 Windows Update

Wed Mar 04, 2020 10:03 am

Hi Hans,

Thank you for your heads up on this.

We have tested the workaround and we can confirm it. To reiterate the workaround steps:

1. open Advanced Installer app and go to "File -> Settings -> External Tools"
2. check the path of "SignTool.exe" field and open this path in Windows Explorer (e.g. "C:\Program Files (x86)\Caphyon\Advanced Installer 16.8\third-party\winsdk\x64\" or "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\")
3. copy the "wintrust.dll" file from "C:\Windows\System32" over the one from "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\" folder and replace it
4. try to rebuild your setup project in Advanced Installer

Note: If Advanced Installer is configured to use an x86 version of Signtool, then you should copy the "wintrust.dll" file from "C:\Windows\SysWOW64".

All the best,
Daniel
Daniel Radu - Advanced Installer Team
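
The workaround steps from the post above, scripted as an added example (not code from the thread or from Advanced Installer). It assumes 64-bit Windows, an elevated 64-bit PowerShell session and the Windows Kits path quoted in the post; it picks System32 or SysWOW64 from SignTool's PE header, checks the signature of the DLL it copies and keeps a backup of the original.

```powershell
# Added example (not from the thread): wintrust.dll workaround with backup and checks.
# Assumptions: 64-bit Windows, elevated 64-bit PowerShell, SDK path taken from the post.
param(
    [string]$SignToolDir = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64'
)
$ErrorActionPreference = 'Stop'

function Get-PeMachine([string]$Path) {
    # COFF Machine field sits 4 bytes past the PE header offset stored at 0x3C
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    return [System.BitConverter]::ToUInt16($bytes, $peOffset + 4)
}

$signTool = Join-Path $SignToolDir 'signtool.exe'
$machine  = Get-PeMachine $signTool

# x64 SignTool needs the System32 DLL, x86 SignTool the SysWOW64 one
if     ($machine -eq 0x8664) { $sysDir = Join-Path $env:windir 'System32' }
elseif ($machine -eq 0x014C) { $sysDir = Join-Path $env:windir 'SysWOW64' }
else   { throw ('Unexpected PE machine type 0x{0:X4}' -f $machine) }

$source = Join-Path $sysDir 'wintrust.dll'
$target = Join-Path $SignToolDir 'wintrust.dll'

# Refuse to copy a system DLL whose signature does not validate
$sig = Get-AuthenticodeSignature -FilePath $source
if ($sig.Status -ne 'Valid') { throw "Signature on $source is $($sig.Status)" }

# Keep the SDK's original DLL so the change can be reverted
if (Test-Path -LiteralPath $target) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Rename-Item -LiteralPath $target -NewName "wintrust.dll.$stamp.bak"
}
Copy-Item -LiteralPath $source -Destination $target

# Re-run the probe Advanced Installer uses: "sign /?" must print help text
$help = & $signTool sign /? | Out-String
[pscustomobject]@{
    SignTool       = $signTool
    Architecture   = if ($machine -eq 0x8664) { 'x64' } else { 'x86' }
    CopiedFrom     = $source
    CopyMatches    = (Get-FileHash $source).Hash -eq (Get-FileHash $target).Hash
    ProbeHasOutput = -not [string]::IsNullOrWhiteSpace($help)
}
```

A wintrust.dll copied next to SignTool.exe is no longer serviced by Windows Update, so restore the `.bak` file once a fixed SDK or update is installed.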

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: SignTool.exe gets broken after February 27, 2020—KB4535996 Windows Update

Thu Mar 26, 2020 1:57 pm

Hi,

Just a follow up on this thread in regards to this error message:

ERROR: Digital signature. KB 3118401 is not installed. Selected "signtool.exe" requires the Windows update known as "Update for Universal C Runtime in Windows, KB 3118401"

The same error is thrown when you are using a custom-implemented SignTool (your own custom SignTool app that calls the system SignTool) that does not return any string when called with the following command line:

Code:

    signtool.exe sign /?

The above error is thrown by the actual implementation of our Digital Signature support. When a higher version of SignTool is specified in our External Tools settings, at build time we make sure that a newer C runtime, which the latest version of SignTool makes use of, is installed. We do this check by simply calling SignTool with the following arguments:

Code:

    signtool.exe sign /?

to display its help file. If SignTool returns a help string, we interpret it as working correctly. If not, we interpret this as a SignTool dependency issue and the above error is thrown.

So, long story short, when using a custom SignTool.exe you should just make sure that your custom SignTool.exe returns any string when called with a command like this:

    signtool.exe sign /?

For instance, if you are using the C# programming language, you could just add the following code to your main() method:

Code:

    // Reply to the "sign /?" probe; guard against an empty argument list
    if (args.Length > 0 && args[0] == "sign")
    {
        Console.WriteLine("help string");
    }

All the best,
Daniel
Daniel Radu - Advanced Installer Team

fizzyade
Posts: 1
Joined: Wed Apr 15, 2020 4:16 am

Re: SignTool.exe gets broken after February 27, 2020—KB4535996 Windows Update

Tue Apr 21, 2020 5:22 am

Hi Dan,

I’d actually sent you a follow up about signing by email and then I found this post, so it’s possible to create a proxy stub to the signing tool....and AdvancedInstaller won’t complain?

So I can do:

SignTool.exe (my stub) -> scsigntool.exe -> SignTool.exe (real tool)

If so, this fixes my issue with automating code signing.

Is there anything I need to be aware of, apart from the above information? How is AdvancedInstaller detecting the version (i.e. the error it throws when I try to use scsigntool directly) so that I can produce a working stub?

Thanks

Adrian

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: SignTool.exe gets broken after February 27, 2020—KB4535996 Windows Update

Wed Apr 22, 2020 7:08 am

Hi Adrian,

This should be all. Just make sure your stub has the same name as SignTool.exe, has a file version higher than 10.0.0.0 and that it responds to a sign /? command.

Let us know if you face any further issues.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
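
A pre-flight check for a custom SignTool stub, covering the three conditions named in the replies above (file name, file version higher than 10.0.0.0, output for `sign /?`). This is an added example, not Advanced Installer's own check; it assumes the help text is read from standard output, and the function name and stub path are hypothetical.

```powershell
# Added example (not from the thread): pre-flight check for a custom SignTool stub.
# Assumption: the help text is read from standard output.
function Test-SignToolCandidate {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    # File version comes from the PE version resource (0.0.0.0 if there is none)
    $fileVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
    # The probe from the thread: the tool must print something for "sign /?"
    $out = & $item.FullName sign /? | Out-String
    # The stub sits in the signing path, so record what it is and who signed it
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName

    [pscustomobject]@{
        Path        = $item.FullName
        NameOk      = $item.Name -ieq 'SignTool.exe'
        FileVersion = $fileVersion
        VersionOk   = $fileVersion -gt [version]'10.0.0.0'
        ProbeOk     = -not [string]::IsNullOrWhiteSpace($out)
        Signature   = $sig.Status
        Sha256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

# Hypothetical stub location; replace with the path set under External Tools
$result = Test-SignToolCandidate -Path 'C:\BuildTools\SignTool.exe'
$result
if (-not ($result.NameOk -and $result.VersionOk -and $result.ProbeOk)) {
    Write-Warning 'Stub would likely be rejected at build time'
}
```

Recording the hash and signature status of the stub on each build agent makes it possible to notice when the binary in the signing path changes.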
