Zsolt Kollarits
Posts: 346
Joined: Fri May 29, 2015 10:36 am

Enable signing (digital signature) conditionally

Dear Advanced Installer Support Team,

Could you please take a look at the screenshot I attached? That's how we sign our files right now, but now I need to modify our .aip in a way that signing should be enabled on a particular PC (on our team build server) only. So if I open up the .aip project on my local development PC, and I create a new build .exe, then nothing should be signed. The reason is that our signature only works on our team build server.

I see 2 options to go:
1. Every time when I open the .aip project on my dev PC, I just manually disable the "Enable signing" checkbox -> in this way I will be able to build the project.
2. Instead of the signtool.exe (see screenshot) probably I could start a certain script (powershell?) that recognizes whether it runs on our team build server or not. If it's the team build server (where our signature is available), then the AI project will put the signature on, otherwise signing is just skipped.

We do not really want to use option 1, as the chances would be high that somebody is opening up the .aip, disabling the signing option, doing some development job in the .aip, and then forgetting to enable the signing before the check-in. So we need a scripting solution, or if you have any other ideas, it would be appreciated if you would share them with us :)

Thanks in advance.

Best regards,
Zsolt
Attachments
signing.png
Catalin
Posts: 6732
Joined: Wed Jun 13, 2018 7:49 am

Re: Enable signing (digital signature) conditionally

Hello Zsolt,
> 2. Instead of the signtool.exe (see screenshot) probably I could start a certain script (powershell?) that recognizes whether it runs on our team build server or not. If it's the team build server (where our signature is available), then the AI project will put the signature on, otherwise signing is just skipped.

You are indeed right about this.

For instance, what I'm thinking about is a little PowerShell script used for build - this script would be shipped with the AIP file.

What this script does is exactly what you said - check whether we are on the build machine or on a different machine and then proceed in enabling the signing option.

For enabling the signing, we can use the IDigitalSignature interface.

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Zsolt Kollarits
Posts: 346
Joined: Fri May 29, 2015 10:36 am

Re: Enable signing (digital signature) conditionally

Dear Catalin,

Do you have a tutorial, or a sample for us, that helps to better understand how the IDigitalSignature interface works from a PowerShell script?
Where should we trigger that PowerShell script from, what do you think? As a custom action?

Our original plan was to point to a custom PowerShell script in the "Path" textbox of your Digital Signature panel. Might this idea work?

Please share a bit more detail with us on how this can be done. Thanks :)

Best regards,
Zsolt
Catalin
Posts: 6732
Joined: Wed Jun 13, 2018 7:49 am

Re: Enable signing (digital signature) conditionally

Hello Zsolt,

Unfortunately, I do not have a tutorial. However, I will do my best to better explain this.

First of all, what we are trying to control here is our own Advanced Installer project. This entire process is outside of Advanced Installer and therefore Custom Actions have no place here (as CAs are part of Advanced Installer itself). :)

What I was talking about was our PowerShell automation support that uses our own COM object to help you automate different parts of Advanced Installer. This is similar to the command line support we offer, but more powerful.

Here is an example PowerShell script to get you started:

Code:

# load the Advanced Installer COM object
$advinst = New-Object -ComObject AdvancedInstaller

# load the project
$proj = $advinst.LoadProject("C:\Users\Catalin\Desktop\Your Application.aip")

# turn on the "Enable signing" option of the loaded project
$proj.DigitalSignature.EnableSigning = "true"

In order to find more information about each section, we can use the Get-Member PowerShell cmdlet (its alias is "gm").

For instance, if we want to find out what methods and properties are available for "DigitalSignature", we can run the following:
Screenshot_158.png

This PowerShell script can be placed near your AIP file and could be run before each time someone opens the AIP file.

You can add to it additional logic to see whether you are on your Build Server or on another machine and then enable the option accordingly.

Hope things are clearer now! :)

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
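
The build wrapper discussed in this thread, as an added example that is not part of the original posts and is not Advanced Installer's own code: it enables signing only when the machine name matches the build server and, on that server, rejects a package that lacks a valid Authenticode signature. `LoadProject` and `DigitalSignature.EnableSigning` come from the post above; the host name, the paths, the "false" value and the `Save()`/`Build()` calls are assumptions.

```powershell
# Added example. Host name and paths are constructed placeholders.
param(
    [string]$AipPath       = "$PSScriptRoot\Your Application.aip",
    [string]$BuildServer   = 'BUILDSRV01',                               # placeholder
    [string]$OutputPackage = "$PSScriptRoot\Setup\Your Application.exe"  # placeholder
)

$ErrorActionPreference = 'Stop'

function Test-IsBuildServer {
    param([string]$Expected, [string]$Actual = $env:COMPUTERNAME)
    # PowerShell's -eq is case-insensitive for strings, matching Windows host names.
    return ($Actual -eq $Expected)
}

$onBuildServer = Test-IsBuildServer -Expected $BuildServer

# Load the project through the Advanced Installer COM object (calls from the post above).
$advinst = New-Object -ComObject AdvancedInstaller
$proj    = $advinst.LoadProject($AipPath)

# The string form mirrors the post; "false" as the opposite value is an assumption.
$signingValue = if ($onBuildServer) { 'true' } else { 'false' }
$proj.DigitalSignature.EnableSigning = $signingValue

# Save() and Build() are assumed to exist on the project object.
# Because every build goes through this script, the value stored in the
# checked-in .aip no longer decides whether a build is signed.
$proj.Save()
$proj.Build()

if ($onBuildServer) {
    # Fail closed: a build-server package without a valid signature stops the pipeline.
    $sig = Get-AuthenticodeSignature -FilePath $OutputPackage
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $OutputPackage (status: $($sig.Status))"
    }
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
} else {
    Write-Host "Not on $BuildServer; package built without signing."
}
```

The machine-name test only selects the code path; what actually prevents signing elsewhere is that the certificate is available on the build server alone, and the final `Get-AuthenticodeSignature` check is what catches a release that went out unsigned.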