prerak6962
Posts: 112
Joined: Mon Dec 08, 2014 5:26 pm

Sign installer after creation

Wed Feb 20, 2019 3:15 pm

Hello,
I have a Windows project for which an installer has been created using Advanced Installer.

I sign the installer EXE and some other files together after the installer has been generated.
Due to this, the MSI generated by the Advanced installer doesn't get signed and the EXE does.

So, when I execute the installer it throws an error saying "EXE and MSI file signature mismatch".

So, is there a way/workaround to resolve this?
My constraint, is I can not sign the installer using the inbuilt "Digital Signature" window of Advanced Installer.

Thank you.
Prerak

korr
Posts: 48
Joined: Tue Sep 09, 2014 3:13 pm

Re: Sign installer after creation

Wed Feb 20, 2019 6:35 pm

I'd like to know of a workaround for this issue as well.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Sign installer after creation

Thu Feb 21, 2019 11:59 am

Hello Pherak, Korr,

Indeed, that error message is thrown when you digitally sign your EXE file outside of Advanced Installer, because the MSI from within the EXE is not signed.
My constraint, is I can not sign the installer using the inbuilt "Digital Signature" window of Advanced Installer.
If the reason behind this is because you do not have access to the certificate, you can try to proceed as it follows:

- sign the setup using a test certificate on your machine ("Digital Signature" --> "Enable signing" --> "Use file from disk" --> select your test certificate)

- sign the resulted EXE with your main certificate

- rebuild and deploy

Hope this helps.

All the best,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

korr
Posts: 48
Joined: Tue Sep 09, 2014 3:13 pm

Re: Sign installer after creation

Thu Feb 21, 2019 3:38 pm

This only works if you append a new signature to the EXE, you cannot replace it. This means we would have a test certificate signature going out on our EXEs labeled by the machine that built it, which may (and likely is) not be acceptable for all of our customers.

For my issue of not being able to use the signing process within advanced installer, is the certificates we sign code with are on cards, and there is no way to pass through to the build process our cards for signing.

prerak6962
Posts: 112
Joined: Mon Dec 08, 2014 5:26 pm

Re: Sign installer after creation

Thu Feb 21, 2019 5:52 pm

Hi Catalin,

Thank you for your response.

If I do the things that you suggested, the signature of the MSI and the EXE will still not match as MSI would be signed by a test certificate and EXE by the main certificate. Please correct me if I am wrong.

Or do you mean that, after signing the EXE with main certificate, if I rebuild the .aip project, it will resign the MSI as well with the main certificate?

Thank you.
Prerak

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Sign installer after creation

Mon Feb 25, 2019 1:11 pm

Hello guys,

@Korr,
This only works if you append a new signature to the EXE, you cannot replace it. This means we would have a test certificate signature going out on our EXEs labeled by the machine that built it, which may (and likely is) not be acceptable for all of our customers.
Indeed, you are right. I am afraid I am not aware of any workaround for this issue other than using the card to sign the EXE on the build machine.

I will try to further investigate this and, if I come to a conclusion, I will let you know.

@Prerak,
If I do the things that you suggested, the signature of the MSI and the EXE will still not match as MSI would be signed by a test certificate and EXE by the main certificate. Please correct me if I am wrong.
By following what I have said, here is what will actually happen: the MSI will be signed once (by the test certificate), while the EXE will be signed twice (by the test certificate and by your main certificate). At install time, the check will be done and, by seeing that the MSI and the EXE have been signed with the same certificate (the test certificate), the error will no longer be spawned.

All the best,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

prerak6962
Posts: 112
Joined: Mon Dec 08, 2014 5:26 pm

Re: Sign installer after creation

Mon Feb 25, 2019 6:58 pm

Hi Catalin,

Thank you for the details.
I followed the suggested approach, and signed the EXE with two certificates (test and main).

However, my test certificate is a self signed one (as I only need for this workaround), so whenever I run the built EXE on my test machine, the error still appears.
If I add the test certificate as a trusted certificate in the certificate store of the test machine, it works fine after that.

So, is there another workaround to this, or I am still missing something?

Prerak

korr
Posts: 48
Joined: Tue Sep 09, 2014 3:13 pm

Re: Sign installer after creation

Wed Feb 27, 2019 5:01 pm

While trying to look into this issue more, I noticed we have installers that _DON'T_ exhibit this behavior, even when they are very similar in architecture... the only difference I have been able to come up with is the CreateVersion in the AIP file.

The failing product has a CreateVersion of 8.6
The products that don't have this error are all of CreateVersion 11.0 and higher


If I change the create version of the offending product it will no longer throw this error when I sign the EXE, however it also doesn't complete all of its actions anymore either.

@prerak6962 I'm curious what the CreateVersion of your AIP file is? (If you open the AIP in a text editor it should be an attribute in the second line)

prerak6962
Posts: 112
Joined: Mon Dec 08, 2014 5:26 pm

Re: Sign installer after creation

Wed Feb 27, 2019 6:46 pm

I'm curious what the CreateVersion of your AIP file is?
It's 12.5.1 for me.

If my understanding is correct, it's the version of the Advanced installer using which the project was created for the very first time.

korr
Posts: 48
Joined: Tue Sep 09, 2014 3:13 pm

Re: Sign installer after creation

Wed Feb 27, 2019 7:19 pm

prerak6962 wrote:
I'm curious what the CreateVersion of your AIP file is?
It's 12.5.1 for me.

If my understanding is correct, it's the version of the Advanced installer using which the project was created for the very first time.
Thats my understanding as well. I was hoping maybe that would be part of the reason behind the signing issue.

I have installers on CreateVersion of 12.4.2 and 13.4 that don't exhibit the same behavior...

The 'broken' installers even if upgraded to 12.4.2/13.4 still exhibit the behavior unless the CreateVersion is increased as well... but increasing the Create Version breaks other items.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Sign installer after creation

Wed Mar 06, 2019 3:21 pm

Hello guys,

First of all, I apologize for the delayed reply.

@Prerak,

I am not sure why the workaround did not do the job for you. In order for me to further investigate this, could you please send me a copy of your .AIP file and also a download link for the setup built using the earlier specified .AIP by e-mail at support at advancedinstaller dot com?

If possible, it would be even better if you could create a buildable sample which reproduces this behavior and send it over at the e-mail address specified above.

@korr,

From what I know, in the older versions, we would fail the installation, but without displaying any error messages (silently). For more information about this, you can have a look on our "Why the "Are you sure you want to cancel installation" message is thrown after clicking the [ Install ] button?" FAQ.

All the best,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

korr
Posts: 48
Joined: Tue Sep 09, 2014 3:13 pm

Re: Sign installer after creation

Wed Mar 06, 2019 6:56 pm

Catalin wrote:From what I know, in the older versions, we would fail the installation, but without displaying any error messages (silently).
I will double check with my team and my own logs (to see what actions happened), however I recall that the MSI when logged would still report "Installation Successful", and for sure didn't send me to the "Are you sure you want to cancel installation" message.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Sign installer after creation

Thu Mar 07, 2019 10:32 am

Hello Korr,

Sure. Please let me know the results of the investigation.

All the best,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

korr
Posts: 48
Joined: Tue Sep 09, 2014 3:13 pm

Re: Sign installer after creation

Thu Mar 07, 2019 3:43 pm

Catalin wrote:Hello Korr,

Sure. Please let me know the results of the investigation.

All the best,
Catalin
The AIPs that we manually modified the CreateVersion return an Installation Successful in the logs, however they do not actually perform any of their actions... this maybe the silent failure you're talking about? (However I'm not very interested in this case... it doesn't seem wise to change that variable without know all of what it does).

The AIPs that were not manually modified but have signed EXEs sometimes will throw the mis-matched signing error. I have 2 EXE's which were signed but can still run manually without error, and complete all of their execution. I have 2 other EXE's which were signed but will not run manually... they throw the signed error.

I haven't been able to tell what makes these 4 items behave differently... neither of the successful ones are particularly different than the two failing ones... and when attempting to control for the differences I haven't found anything that produced a (good) change.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Sign installer after creation

Wed Mar 13, 2019 1:27 pm

Hello Korr,

Thank you for your followup on this.

Indeed, this is a strange behavior you're facing there. The only thing I can think about is the fact that the two EXEs which are not throwing the error were somehow signed from within Advanced Installer before being signed outside of it as I have explained in the earlier post of this thread.

All the best,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”