We want to sign our exe with an external service, i.e. we have no possibility to have a pfx or other types of certificates.
As I know from other topics regarding this issue, signing an exe file after building it with AI will result in a crash while installing
because the exe sign is not equal to the msi sign.
Is there anything we can do about it? Can we interrupt the build after the msi was created to sign this msi with our external service before
the build continues, or something else?
For this you can create a custom (sibling) application called "Signtool.exe" which will sign the installation files using your external service workflow. And just configure Advanced Installer to use your custom "Signtool.exe" app to sign the installation files at build time.
You can proceed like this:
1. create your own small application (also named "Signtool.exe", and which should have a 6.2 or greater file version) which, when called, parses the received parameters, extracts the filenames and further processes them using your signing service workflow to sign the files
2. open Advanced Installer, go to "File menu -> Options -> External Tools" and set your custom "Signtool.exe" in the "SignTool.exe" field
3. rebuild your project
At build time Advanced Installer just calls the "SignTool.exe" app, specified in the path field from step 2, and sends as an argument to "SignTool.exe" the current file which needs to be signed before inserting it in the setup package.
Thanks for the info. What we actually have to do is start an executable, where the call is as follows:
sign.exe autoasign <file>
I have a batch script where I start the sign.exe autosign <file>
Now the <file> must be set somehow by Advanced Installer, but when I set this batch in the external tools,
the build process failed because of the error:
The digital signing of the APPDIR\Installer.exe file failed. Error message: ''
It seems the file names are not put into my batch.
Instead of using a batch script you should try to use an executable program. You could build your own small executable (named exactly "SignTool.exe") which, when called, parses the argument string it receives, extracts the file path you require and then calls the batch and passes the file path parameter to it.
Thanks for the info. I created a new project where I execute our sign tool with your incoming arguments:
sign
/a
/d
Name der Anwendung
/t http://timestamp.digicert.com
C:\Users\freun_he\Documents\Advanced Installer\Projects\Name der Anwendung\Name der Anwendung-cache\part1\Name der Anwendung1.cab
We use the last argument from AI for the signing process, is that correct?
After the signing process, the error that I attached as a document occurs in AI.
I've talked with our development team and it seems this happens because the MSI and CAB installation archives must always be signed with Microsoft's original SignTool.exe tool. This is because SignTool.exe has a special signing protocol when it comes to signing MSI and CAB archives.
So, you should configure your bogus SignTool.exe app to act like this:
1. when the last argument has a .MSI or .CAB extension, you should launch Microsoft's SignTool.exe tool to sign the file
2. otherwise you can use your own signing service to sign the file taken from the last argument
This won't work in my case because the win sign tool needs the same certificate as our sign tool.
But our sign tool is executed without a local certificate, i.e. we send our packages to an external sign tool service
where the certificate is stored, hence there is no chance to sign the cab and msi files for further processing because
we do not have a certificate.
Is there any other option? We want to use the enhanced user interface, which is not available anymore if we change our
output format to msi, and we want to have the nice looking installers.
As a possible workaround you can go to "Builds" page -> "Configuration" tab and instead of using a CAB installation archive you can choose to use the LZMA archiving option. This way you should avoid the CAB signing problem and you should be able to sign all installation resources using your own signing service.
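The wrapper described across this thread, as an added example that is not code from any poster or from Advanced Installer: a Go program to be built as "SignTool.exe" (the 6.2+ file version must be set in the build) that takes the last argument as the file, forwards .msi/.cab calls unchanged to Microsoft's tool, and sends everything else to the service client. Both tool paths are placeholders, and rejecting a last argument that starts with "/" is an assumption about how a missing file name would show up; with the LZMA option the .cab branch is simply never reached.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Assumed locations, not from the thread: adjust to your build machine.
const (
	microsoftSignTool = `C:\Tools\ms\signtool.exe` // placeholder: Microsoft's original SignTool.exe
	serviceClient     = `C:\Tools\sign.exe`        // placeholder: external signing service client
)

// plan picks the signer for a call such as: sign /a /d "<name>" /t <url> <file>
// (args excludes the program name). It returns the program and its arguments.
func plan(args []string) (string, []string, error) {
	if len(args) == 0 || !strings.EqualFold(args[0], "sign") {
		return "", nil, errors.New("expected: sign [options] <file>")
	}
	file := args[len(args)-1] // the file to sign is the last argument
	if len(args) < 2 || strings.HasPrefix(file, "/") {
		return "", nil, errors.New("no file path in arguments")
	}
	switch strings.ToLower(filepath.Ext(file)) {
	case ".msi", ".cab":
		// Installer archives: forward the call unchanged to Microsoft's tool.
		return microsoftSignTool, args, nil
	}
	// Everything else goes to the service client ("autosign" as in the batch call above).
	return serviceClient, []string{"autosign", file}, nil
}

func main() {
	tool, argv, err := plan(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "SignTool wrapper:", err)
		os.Exit(2)
	}
	cmd := exec.Command(tool, argv...) // no shell, so spaces in paths survive
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "SignTool wrapper:", err)
		os.Exit(1) // non-zero exit lets the build report the signing failure
	}
}
```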