Due to some users' requests we changed the "SignTool" command line so that it will use the SHA256 encryption method which is more secure. However, this option is not supported by the older versions of the SDK "SignTool".
Also, you can try to use the Advanced Installer "SignTool" by going to the path from the attached image and unchecking the "Use an external tool" option. This should also work.
Using Advanced Installer's SignTool and our company's PFX file I get:
Preparing files... error.
The digital signing of the APPDIR\Server\Application Server\Cicero.XM.Enterprise.exe file failed. Error Message:digisign.exe error. The certificate is missing or it cannot be used for signing.
Build finished because an error was encountered.
So I'm guessing using Advanced Installer's SignTool is a no go for us.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.
I tested the 8.0 as well and it still creates the same issue. Question: is this a signtool issue, or is it a SHA issue? If it is a signtool issue then Microsoft has dropped support for XP and Vista early.....
Still looking to see what I can find
Ok here is what I have found about signtool 8 and higher:
/fd Specifies the file digest algorithm to use to create file signatures. The default algorithm is Secure Hash Algorithm (SHA-1).
Windows Vista and earlier: This flag is not supported.
Due to some users' requests we changed the "SignTool" command line so that it will use the SHA256 encryption method which is more secure. However, this option is not supported by the older versions of the SDK "SignTool".
Also, you can try to use the Advanced Installer "SignTool" by going to the path from the attached image and unchecking the "Use an external tool" option. This should also work.
Please let us know if this worked.
Best regards,
Dan
Thanks, Dan.
I had a SignTool.exe from SDK v6.0. I changed it to v7.1A and now it works correctly.
@sjeslis and @applejax33
Thank you guys for the intensive feedback. After reading your posts we started analyzing the digital signature of the packages signed with SHA-256 on XP and Vista and indeed found some problems.
Here is what we found. Setup packages signed with SHA-256 behave in the following way:
- on XP, different from English (OS language), the "Digital Signature" tab is no longer visible if you check the "Properties" of the setup file
- on Vista (only English OS tested) the Digital Signature tab is visible, but when the UAC prompt appears during the installation it says the publisher is unknown, thus it behaves as if the package is not digitally signed
Can you please validate the above, i.e. that you have a version of XP SP3, with the system language different from English? We tested German and Korean XP machines.
Also, can you validate the same statement I made for Vista?
We are on to this issue, we'll be back with a solution in the next days; most probably there will be a 10.7.1 release.
In that case the installation won't even finish as Windows Installer thinks the signature in the cab file is bad and ends up rolling the installation back.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.
@sjeslis and @applejax33
Thank you guys for the intensive feedback. After reading your posts we started analyzing the digital signature of the packages signed with SHA-256 on XP and Vista and indeed found some problems.
Here is what we found. Setup packages signed with SHA-256 behave in the following way:
- on XP, different from English (OS language), the "Digital Signature" tab is no longer visible if you check the "Properties" of the setup file
- on Vista (only English OS tested) the Digital Signature tab is visible, but when the UAC prompt appears during the installation it says the publisher is unknown, thus it behaves as if the package is not digitally signed
Can you please validate the above, i.e. that you have a version of XP SP3, with the system language different from English? We tested German and Korean XP machines.
Also, can you validate the same statement I made for Vista?
We are on to this issue, we'll be back with a solution in the next days; most probably there will be a 10.7.1 release.
Regards,
Bogdan
On XP and Vista I have the same results: it cannot see the certificate and/or thinks that it is invalid. I am only testing these on the English version of Windows.