Hendrik
Posts: 30
Joined: Thu Dec 04, 2014 4:49 pm

Sign exe with external tool

Wed Feb 21, 2018 5:17 pm

Hi,

we want to sign our exe with an external service, i.e. we have no possibility to have a pfx or other types of certificates.
As I know from other topics regarding this issue, signing an exe file after building it with AI will result in a crash while installing
because exe sign is not equal to the msi sign.
Is there anything we can do about it? Can we interrupt the build after the msi was created to sign this msi with our external service before
build continues or something else?

BR,
Hendrik

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Sign exe with external tool

Thu Feb 22, 2018 3:58 pm

Hello Hendrik,

For this you can create a custom (sibling) application called "Signtool.exe" which will sign the installation files using your external service workflow. And just configure Advanced Installer to use your custom "Signtool.exe" app to sign the installation files at build time.

You can proceed like this:

1. create your own small application (also named "Signtool.exe", and which should have a 6.2 or greater file version) which, when called, parses the received parameters, extracts the filenames and further processes them using your signing service workflow to sign the files

2. open Advanced Installer, go to "File menu -> Options -> External Tools" and set your custom "Signtool.exe" in the "SignTool.exe" field

3. rebuild your project

At build time Advanced Installer just calls the "SignTool.exe" app, specified in the path field from step 2, and sends as argument to "SignTool.exe" the current file which needs to be signed before inserting it in the setup package.

Let us know if this helped.

All the best,
Daniel
Daniel Radu - Advanced Installer Team

Hendrik
Posts: 30
Joined: Thu Dec 04, 2014 4:49 pm

Re: Sign exe with external tool

Thu Feb 22, 2018 5:02 pm

Hi Daniel

thanks for the info. What we actually have to do is start an executable, where the call is as follows:
sign.exe autosign <file>

I have a batch script where I start the sign.exe autosign <file>

Now the <file> must be set somehow by advanced installer but when I set this batch to the external tools,
the build process failed because of the error:

The digital signing of the APPDIR\Installer.exe file failed. Error message: ''

It seems the file names are not put into my batch.

How can I resolve this?

BR,
Hendrik

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Sign exe with external tool

Tue Feb 27, 2018 6:12 pm

Hello Hendrik,

Instead of using a batch script you should try to use an executable program. You could build your own small executable (named exactly "SignTool.exe") which, when called, parses the arguments string it receives, extracts the file path you require and then calls the batch and passes the file path parameter to it.

Let us know if this helped.

All the best,
Daniel
Daniel Radu - Advanced Installer Team

Hendrik
Posts: 30
Joined: Thu Dec 04, 2014 4:49 pm

Re: Sign exe with external tool

Wed Feb 28, 2018 2:46 pm

Hi Daniel,

thanks for the info. I created a new Project where I execute our sign tool with your incoming arguments:

sign
/a
/d
Name der Anwendung
/t
http://timestamp.digicert.com
C:\Users\freun_he\Documents\Advanced Installer\Projects\Name der Anwendung\Name der Anwendung-cache\part1\Name der Anwendung1.cab


We use the last argument for the signing process from AI, is that correct?
After the signing process, the error that I added as an attachment occurs in AI.

What causes this issue?
BR,
Hendrik
Attachment: error.png (24.84 KiB)

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Sign exe with external tool

Fri Mar 02, 2018 12:46 pm

Hello Hendrik,

I've talked with our development team and it seems this happens because the MSI and CAB installation archives must always be signed with Microsoft's original SignTool.exe tool. This is because SignTool.exe has a special signing protocol when it comes to signing MSI and CAB archives.

So, you should configure your bogus SignTool.exe app to act like this:

1. when the last argument has .MSI or .CAB extension you should launch Microsoft's SignTool.exe tool to sign the file
2. otherwise you can use your own signing service to sign the file taken from the last argument

Let us know if this helped.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
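The dispatch described in the reply above (Microsoft's SignTool.exe for .MSI/.CAB, the external signing service for everything else, with the target file taken from the last argument), as an added Go example that is not part of the thread or of Advanced Installer's own code. Both tool paths and the name `planCommand` are assumptions; `sign.exe autosign <file>` is the call quoted earlier in the thread, and the 6.2-or-greater file version resource has to be added when the binary is built as "SignTool.exe".

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Assumed install locations; neither path comes from the thread.
const (
	msSignTool  = `C:\Tools\ms\signtool.exe` // Microsoft's original SignTool.exe
	serviceTool = `C:\Tools\sign.exe`        // client for the external signing service
)

// planCommand maps the arguments Advanced Installer passes (everything after
// the program name) to the argv that should actually run. The target file is
// taken to be the last argument, as described in the thread.
func planCommand(args []string) ([]string, error) {
	if len(args) == 0 || !strings.EqualFold(args[0], "sign") {
		return nil, errors.New("expected a 'sign' invocation")
	}
	target := args[len(args)-1]
	// A trailing switch such as "/a" means no file path was supplied.
	if len(args) < 2 || strings.HasPrefix(target, "/") {
		return nil, errors.New("no file path in last argument")
	}
	switch strings.ToLower(filepath.Ext(target)) {
	case ".msi", ".cab":
		// Forward the original arguments unchanged to Microsoft's tool.
		return append([]string{msSignTool}, args...), nil
	default:
		// Only the file path goes to the external service client.
		return []string{serviceTool, "autosign", target}, nil
	}
}

func main() {
	argv, err := planCommand(os.Args[1:])
	if err == nil {
		// exec.Command takes an argv slice, so paths with spaces need no quoting.
		cmd := exec.Command(argv[0], argv[1:]...)
		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
		err = cmd.Run()
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "signtool wrapper:", err)
		os.Exit(1) // non-zero exit so the build reports the signing failure
	}
}
```
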

Hendrik
Posts: 30
Joined: Thu Dec 04, 2014 4:49 pm

Re: Sign exe with external tool

Mon Mar 05, 2018 11:34 am

Hi Daniel,

this won't work in my case because the win sign tool needs the same certificate as our sign tool.
But our sign tool is executed without a local certificate i.e. we send our packages to an external sign tool service
where the certificate is stored, hence there is no chance to sign the cab and msi files for further processing because
we do not have a certificate.

Is there any other option? We want to use the enhanced user interface, which is not available anymore if we change our
output format to msi and we want to have the nice looking installers.

BR,
Hendrik

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Sign exe with external tool

Mon Mar 05, 2018 3:00 pm

Hello Hendrik,

As a possible workaround you can go to "Builds" page -> "Configuration" tab and instead of using a CAB installation archive you can choose to use the LZMA archiving option. This way you should avoid the CAB signing problem and you should be able to sign all installation resources using your own signing service.

Let us know if this helped.

All the best,
Daniel
Daniel Radu - Advanced Installer Team

Hendrik
Posts: 30
Joined: Thu Dec 04, 2014 4:49 pm

Re: Sign exe with external tool

Tue Mar 13, 2018 10:02 am

Hi Daniel,

this did the trick! Thanks very much.

BR,
Hendrik

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Sign exe with external tool

Wed Mar 14, 2018 12:38 pm

You are always welcome Hendrik.

All the best,
Daniel
Daniel Radu - Advanced Installer Team