ALink
Posts: 9
Joined: Mon Aug 21, 2023 10:45 am

Issue with Code Signing with Custom Sign Tool after update of AI

Hi,

for more then a year we were using AI version 18.7 with a custom code signing tool to sign the installer. This worked perfectly without any issues.

Recently we updated our installer with new language settings and custom action, and in that instance also updated to AI version 20.1.1. Since then, the code signing with the custom code signing tool is not working anymore because in the last step of the sign process (uploading the .exe package after already sucessfully signing the .cab and .msi package) a wrong file is uploaded to the code signing service. I tried to figure out on my own why this might be happening but without success.

We use a jenkins pipeline to build the installer. The Line in the .aip script for the code signing has not changed between the script versions. We use:

Code: Select all

<COMPONENT cid="caphyon.advinst.msicomp.DigCertStoreComponent">
    <ROW TimeStampUrl="http://timestamp.digicert.com" SignerDescription="[|ProductName]" SignOptions="7" SignTool="0" UseSha256="1" CustomToolPath="E:\prereq\RSSignTool.exe" CustomToolCmdLine="sign -c rs_codesign_sha2 -u [|SIGNUSERNAME] -p [|SIGNUSERPW] -rt 300 -v"/>
  </COMPONENT>
  
This is how the pipeline output looks for the 18.7 script:

Code: Select all

[ DefaultBuild ] 
Creating MSI database (de) 
Writing Summary Information 
Creating MSI database (en) 
Writing Summary Information 
Building package: e:\jk\workspace\GSA.CSM.SLP\CSM_SLP_Installer_SC_Misc\build\ReleaseSC_7_9_2023\installer\Server\Rohde-Schwarz_INRADIOS_CSM_Server_4.11.0.0_Setup.exe 
Prepare build 
Detecting MSI incompatible resources 
Preparing files 
Creating CAB file(s) 
Signing CAB file(s) 
Creating transforms for additional languages 
Creating MSI database 
Writing Summary Information 
Signing MSI 
This file was signed with the certificate: Rohde & Schwarz GmbH & Co. KG 
Creating EXE file 
Signing EXE file 
This file was signed with the certificate: Rohde & Schwarz GmbH & Co. KG 
Validating MSI 
 
Total build time: 15 min 56 sec.
 
Build finished successfully.
This is how the pipeline output looks for the 20.1.1 script:

Code: Select all

[ DefaultBuild ] 
Creating MSI database (de) 
Writing Summary Information 
Creating MSI database (en) 
Writing Summary Information 
Building package: e:\jk\workspace\GSA.CSM.SLP\CSM_SLP_Installer_SC_Misc\build\ReleaseSC_4_9_2023\installer\Server\Rohde-Schwarz_INRADIOS_CSM_Server_4.11.0.0_Setup.exe 
Prepare build 
Detecting MSI incompatible resources 
Preparing files 
Creating CAB file(s) 
Signing CAB file(s) 
Creating transforms for additional languages 
Creating MSI database 
Writing Summary Information 
Signing MSI 
This file was signed with the certificate: Rohde & Schwarz GmbH & Co. KG 
Creating EXE file 
The digital signing of the EXE failed. Error message: 'Command Line Parameters: [ rssigntool [ sign [ -c <rs_codesign_sha2> ] [ -u <(removed)> ] [ -p <*> ] [ -rt <300> ] [ -v ] [ file <C:\Windows\SystemTemp\BUIA857.tmp\resBB3B.tmp> ] *[ --debugservicenodenumber <0> ] *[ --failovertimeout <3600> ] *[ --filetransferblocksize <1024> ] *[ --debugclientversion <1.12.0> ] ] ]

Connecting code signing service ...
Connecting service node: (removed) ...
Connecting service node:(removed) ...
Connecting service node: (removed) ...
Connecting service node: (removed) ...
Maximum available service nodes: 4
Releasing unused service node: (removed) ...
Releasing unused service node: (removed) ...
Releasing unused service node:(removed) ...
Using service node:(removed) ...

Service Node        : (removed)
Transaction ID      : (removed)
Available Disk Space: 493 GB
Active Transactions : 1
Username            : (removed)
Computer Name       :(removed)

Uploading file: resBB3B.tmp [46 KB]

0%
    

Preparing for signing ...

    

Only a detached signature is supported for the file type: TMP

Exit Code: 1 (Invalid Command Line)

For a possible solution please check our Digital Signature FAQ from:
https://www.advancedinstaller.com/user-guide/faq-digital-signature.html  ' 
 
Build finished because an error was encountered.
Does anyone have an idea why instead of the .exe file a random .tmp file in windows/systemTemp might be uploaded?
Catalin
Posts: 7028
Joined: Wed Jun 13, 2018 7:49 am

Re: Issue with Code Signing with Custom Sign Tool after update of AI

Hello,

This is indeed quite strange.

If possible, could you please try building and signing your Advanced Installer project on a new machine, manually?

When doing so, does this issue still reproduce?

I'm asking this because, as far as I know, nothing has changed in the signing support between these two versions and we also use signtool.exe, a third party tool and therefore we don't have much control over the outcome.

That being said, it makes me think that perhaps something has changed on the build machine that resulted in this behavior.

So, could you please try to build your project manually on a new machine and let me know if this still reproduces?

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
ALink
Posts: 9
Joined: Mon Aug 21, 2023 10:45 am

Re: Issue with Code Signing with Custom Sign Tool after update of AI

Hello,

I did some further testing:
  • building from a different machine: same behaviour, wrong file uploaded to codesigning
  • building the old 18.7 script without any changes I did to the isntaller: Right file is uploaded to code signing, code signing does work
  • implementing all changes I did to the installer in the 18.7 version: Wrong file is uploaded to codesigning, this time:
    The digital signing of the EXE failed. Error message: 'Command Line Parameters: [ rssigntool [ sign [ -c <rs_codesign_sha2> ] [ -u <sa_dd_bld> ] [ -p <*> ] [ -rt <300> ] [ -v ] [ file <C:\Windows\TEMP\BUIEE26.tmp\advA2CA.tmp\installerConfnig.aiui> ] *[ --debugservicenodenumber <0> ] *[ --failovertimeout <3600> ] *[ --filetransferblocksize <1024> ] *[ --debugclientversion <1.12.0> ] ] ]
So my current guess is that one of the change I did to the installer is cause of the issue and I am now trying to figure out what change. Possible candidates:
  • change to a multilingual package in the user interface + selection of language by the user
  • Adding translations to three custom properties and with that the addition of a dictionary.ail
  • Adding a new redistributable to the prerequisites
  • Changing the title of message from a display message box custom action to a property for multi language reasons
  • Adding the execution of a custom program in the wizards dialog stage after path resolution => this I already tested to be not the issue
I am now doing different tests with different candidates disabled to maybe find out what the issue is
ALink
Posts: 9
Joined: Mon Aug 21, 2023 10:45 am

Re: Issue with Code Signing with Custom Sign Tool after update of AI

to add to my previous post, and to clarify: the upgrade vom 18.7 to 20.1.1 was NOT the issue ;)
Catalin
Posts: 7028
Joined: Wed Jun 13, 2018 7:49 am

Re: Issue with Code Signing with Custom Sign Tool after update of AI

Hello,

This is indeed a strange scenario.

If possible, after testing this, if you manage to find the culprit, please forward me a test-case that would help me reproduce this on my end as well.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
ALink
Posts: 9
Joined: Mon Aug 21, 2023 10:45 am

Re: Issue with Code Signing with Custom Sign Tool after update of AI

Hi,

I was able to finally track down the setting that was responsible for the wrong file being uploaded, so if any one else has the same issue, maybe this helps:

In user interace => themes => settings under "use enhanced user interface":
  • when selecting "always (install, uninstall maintenance)" the wrong file was being uploaded
  • when selecting "only on install" the actual exe is uploaded and everything works
Since we don't really need the enhanced user interface on uninstallation and maintenance this works for us for now, but it is still strange that this is somehow connected :D
I am just glad it works now.

Sadly I can't really provide any sources that would be needed to build the installer due to confidentiality, I could only provide the .aip if that helps?

BR,
Adrian
Catalin
Posts: 7028
Joined: Wed Jun 13, 2018 7:49 am

Re: Issue with Code Signing with Custom Sign Tool after update of AI

Hello Adrian,

Thank you very much for your followup on this and for sharing your solution with us!

I am really glad you managed to find the culprit and, once again, thanks for your efforts!

Glad everything is working as expected now. :)

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Building Installers”