Marek
Posts: 24
Joined: Mon Dec 28, 2009 9:25 am

Message:SignTool Error: Invalid options: /fd

Tue Nov 12, 2013 3:46 pm

After upgrading from 10.6 to 10.7 I get an error.
[Attachment: error.png]
What is wrong?

Dan
Posts: 4513
Joined: Wed Apr 24, 2013 3:51 pm

Re: Message:SignTool Error: Invalid options: /fd

Tue Nov 12, 2013 3:54 pm

Hello,

Due to some users' requests we changed the "SignTool" command line so that it will use the SHA256 encryption method which is more secure. However, this option is not supported by the older versions of the SDK "SignTool".

Can you try to install the latest SDK available at the following link and see if it works?
http://msdn.microsoft.com/en-US/windows ... p/aa904949

Also, you can try to use the Advanced Installer "SignTool" by going to the path shown in the attached image and unchecking the "Use an external tool" option. This should also work.

Please let us know if this worked.

Best regards,
Dan
Dan Ghiorghita - Advanced Installer Team

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Tue Nov 12, 2013 4:57 pm

I'm seeing this on my upgrade from 10.3 -> 10.7. I will try the option of using Advanced Installer's SignTool.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Tue Nov 12, 2013 5:04 pm

Using Advanced Installer's SignTool and our company's PFX file I get:

Preparing files... error.
The digital signing of the APPDIR\Server\Application Server\Cicero.XM.Enterprise.exe file failed. Error Message:digisign.exe error. The certificate is missing or it cannot be used for signing.

Build finished because an error was encountered.


So I'm guessing using Advanced Installer's SignTool is a no go for us.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Tue Nov 12, 2013 5:33 pm

Using the referenced Windows 8.1 SDK and setting External Tools -> SignTool to point to the x64 version of the SignTool seemed to work.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

applejax33
Posts: 10
Joined: Wed Jul 24, 2013 7:24 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 12:19 am

OK, so the problem with using the 8.1 or the included signtool is that Windows XP and Vista do not see a valid certificate.

Any thoughts?

Is there a way we can choose the SHA level?

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 12:54 am

Thanks for posting about this Applejax. I tested my install on Windows XP and it does complain/rollback.

Wonder if there is a signtool between v6.0 SDK and 8.1 that can be used instead? Or is it a matter of SHA256 not being supported in Windows XP?
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

applejax33
Posts: 10
Joined: Wed Jul 24, 2013 7:24 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 1:00 am

I tested the 8.0 as well and it still creates the same issue. Question: is this a signtool issue, or is it a SHA issue? If it is a signtool issue then Microsoft has dropped support for XP and Vista early...

Still looking to see what I can find

Ok here is what I have found about signtool 8 and higher:


/fd Specifies the file digest algorithm to use to create file signatures. The default algorithm is Secure Hash Algorithm (SHA-1).

Windows Vista and earlier: This flag is not supported.


So we need a way to choose :)

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 1:11 am

SDK 7.0 failed as well. I'm guessing it's the SHA256 causing the issue.

I think the Advanced Installer UI then needs to allow us (the end user) to choose high encryption or lower encryption.

This will be my second attempt to get off 10.3 that I've had to roll back; the first time was 10.5.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

Marek
Posts: 24
Joined: Mon Dec 28, 2009 9:25 am

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 8:21 am

Dan wrote:
Hello,

Due to some users' requests we changed the "SignTool" command line so that it will use the SHA256 encryption method which is more secure. However, this option is not supported by the older versions of the SDK "SignTool".

Can you try to install the latest SDK available at the following link and see if it works?
http://msdn.microsoft.com/en-US/windows ... p/aa904949

Also, you can try to use the Advanced Installer "SignTool" by going to the path shown in the attached image and unchecking the "Use an external tool" option. This should also work.

Please let us know if this worked.

Best regards,
Dan

Thanks, Dan.
I had a SignTool.exe from SDK v6.0. I changed it to v7.1A and now it works correctly.

Bogdan
Posts: 2791
Joined: Tue Jul 07, 2009 7:34 am

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 10:43 am

Hi,

@sjeslis and @applejax33
Thank you guys for the intensive feedback. After reading your posts we started analyzing the digital signature of the packages signed with SHA-256 on XP and Vista and indeed found some problems.

Here is what we found. Setup packages signed with SHA-256 behave in the following way:

- on XP with an OS language other than English, the "Digital Signature" tab is no longer visible if you check the "Properties" of the setup file

- on Vista (only English OS tested) the Digital Signature tab is visible, but when the UAC prompt appears during the installation it says the publisher is unknown, thus it behaves as if the package is not digitally signed

Can you please validate the above, i.e. that you have a version of XP SP3, with the system language different from English? We tested German and Korean XP machines.

Also, can you validate the same statement I made for Vista?

We are onto this issue; we'll be back with a solution in the next days. Most probably there will be a 10.7.1 release.

Regards,
Bogdan
Bogdan Mitrache - Advanced Installer Team

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 3:31 pm

Sorry Bogdan. I only have English Windows XP SP3.

In that case the installation won't even finish as Windows Installer thinks the signature in the cab file is bad and ends up rolling the installation back.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

Bogdan
Posts: 2791
Joined: Tue Jul 07, 2009 7:34 am

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 3:45 pm

The signature in the CAB error might be related to this: http://www.advancedinstaller.com/forums ... 945#p19375

Did this problem appear for you only after you signed the package with the new method, i.e. SHA256?

Regards,
Bogdan
Bogdan Mitrache - Advanced Installer Team

sjeslis
Posts: 308
Joined: Mon Aug 22, 2011 11:40 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 3:48 pm

Yes I just started to see it when switching to A.I. 10.7 and SHA256.
Scott Jeslis
Senior Software Engineer
Cicero, Inc.

applejax33
Posts: 10
Joined: Wed Jul 24, 2013 7:24 pm

Re: Message:SignTool Error: Invalid options: /fd

Wed Nov 13, 2013 4:20 pm

Bogdan wrote:
Hi,

@sjeslis and @applejax33
Thank you guys for the intensive feedback. After reading your posts we started analyzing the digital signature of the packages signed with SHA-256 on XP and Vista and indeed found some problems.

Here is what we found. Setup packages signed with SHA-256 behave in the following way:

- on XP with an OS language other than English, the "Digital Signature" tab is no longer visible if you check the "Properties" of the setup file

- on Vista (only English OS tested) the Digital Signature tab is visible, but when the UAC prompt appears during the installation it says the publisher is unknown, thus it behaves as if the package is not digitally signed

Can you please validate the above, i.e. that you have a version of XP SP3, with the system language different from English? We tested German and Korean XP machines.

Also, can you validate the same statement I made for Vista?

We are onto this issue; we'll be back with a solution in the next days. Most probably there will be a 10.7.1 release.

Regards,
Bogdan

On XP and Vista I have the same results: it cannot see the certificate and/or thinks that it is invalid. I am only testing these on the English version of Windows.
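
Added example (not from the thread or from Advanced Installer): the posts above turn on whether a file was signed with a SHA-1 or a SHA-256 file digest, so this Python function reads that value from a signed .exe by following the PE certificate table to the digestAlgorithms field of the PKCS#7 SignedData. The function names are assumptions made for illustration, and the sample input is constructed, not a real signed binary.

```python
import struct

DIGEST_OIDS = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}  # DER OID bodies, hex

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def authenticode_digest(pe):
    """Digest algorithm of a PE file's primary signature, or None if unsigned."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                   # optional header follows COFF header
    dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: certificate table
    if not offset or not size:
        return None
    length, _rev, ctype = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE header
    if ctype != 0x0002:                             # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("not a PKCS#7 signature")
    p7 = pe[offset + 8:offset + length]
    _, pos, _ = _tlv(p7, 0)                         # enter ContentInfo SEQUENCE
    _, _, pos = _tlv(p7, pos)                       # skip contentType OID
    for _ in range(2):                              # enter [0] EXPLICIT, then SignedData
        _, pos, _ = _tlv(p7, pos)
    _, _, pos = _tlv(p7, pos)                       # skip version INTEGER
    for _ in range(2):                              # enter digestAlgorithms SET, then first entry
        _, pos, _ = _tlv(p7, pos)
    tag, start, end = _tlv(p7, pos)                 # algorithm OID
    if tag != 0x06:
        raise ValueError("unexpected SignedData layout")
    return DIGEST_OIDS.get(p7[start:end].hex(), "other")

def constructed_sample(oid_hex):
    """Synthetic PE32 with a skeletal SignedData (constructed, not a real signed file)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, alg))
    p7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed))
    head = bytearray(0x58 + 224)                    # DOS header, PE sig, COFF, PE32 optional header
    head[:2], head[0x3C], head[0x40:0x44], head[0x58:0x5A] = b"MZ", 0x40, b"PE\0\0", b"\x0b\x01"
    struct.pack_into("<II", head, 0x58 + 96 + 32, len(head), 8 + len(p7))
    return bytes(head) + struct.pack("<IHH", 8 + len(p7), 0x0200, 2) + p7
```

It reports only the primary signature of PE files (.exe, .dll); MSI and CAB files store their signatures differently and are not handled.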
