Invalid digital signature during installation

Having trouble running Advanced Installer? Got a bug to report? Post it all here.
Post Reply
kiranchauhan91
Posts: 24
Joined: Fri Jan 29, 2016 10:21 am

Invalid digital signature during installation

Post by kiranchauhan91 » Fri Jan 29, 2016 10:34 am

Hello,

We have used advanced installer to build installer for our product. We have used GlobalSign certificate to sign the installer and the DLL used withing installer. While it works for most of our customers, there are few of them getting certificate errors. Some of our customers run Windows Server installations where some of the standard certificates have been removed or Automatic Root Certificate Update has been disabled resulting in the following error during installation: "A file that is required cannot be installed because the cabinet file [long path to cab file] has an invalid digital signature. This may indicate that the cabinet file is corrupt.". The error is explained in detail in this blog: http://support.muhimbi.com/entries/9729 ... stallation.

So we would like to know what is your experience is with the certificate vendor (GlobalSign) and why quite a few of our customers choose to disable updating of certs.

Hope to get meaningful reply.

Regards,
Kiran Chauhan

Dan
Posts: 4458
Joined: Wed Apr 24, 2013 3:51 pm

Re: Invalid digital signature during installation

Post by Dan » Fri Jan 29, 2016 11:55 am

Hi Kiran and welcome to Advanced Installer.
So we would like to know what is your experience is with the certificate vendor (GlobalSign) and why quite a few of our customers choose to disable updating of certs.
I'm afraid we do not have to many details regarding this certificate vendor of why some users choose to disable the certs updating.

This may happen if the certificate you are using is issued by a certificate provider which is not in the Member List of the Windows Root Certificate Program. In this case, to avoid this behavior you can try to import your certificate in the Certificate Store of the related target machines. Please take a look on the "Import a Certificate" article.

The core of the problem is that your Windows installation is unable to contact the certificate provider that can verify the installer’s security certificate. I'm afraid your options are very limited. Here is what you can try:
  • 1-In order to prevent this in the future, you can use another certificate from another CA authority which is recognized by default by Windows (e.g. VerySign). You might find useful the following thread OT: Where to get Code Signing Certificate?
    2-Ask your user to turn off digital signature checking
In order to turn off digital signature checking, you need to change some settings in the internet options.
  • You can access these settings either via the Control Panel or Internet Explorer
    • Start> Control Panel > Internet Options
    • Internet Explorer> Click on Tools> Internet Options > Advanced
  • From there, tick the box next to 'Allow software to run or to install even if signature is invalid'
  • Click on the OK button to validate your choice.
If there is anything else I can help you with, please let me know.

Best regards,
Dan
Dan Ghiorghita - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

kiranchauhan91
Posts: 24
Joined: Fri Jan 29, 2016 10:21 am

Re: Invalid digital signature during installation

Post by kiranchauhan91 » Fri Mar 04, 2016 11:35 am

Hello,

Turning off digital signature checking using the steps suggested did not help us.
In order to turn off digital signature checking, you need to change some settings in the internet options.
You can access these settings either via the Control Panel or Internet Explorer
Start> Control Panel > Internet Options
Internet Explorer> Click on Tools> Internet Options > Advanced
I have found a nice blog that talks about why admins are using 'Turn off Automatic Root Certificates Update' Policy. http://serverfault.com/questions/752146 ... ate-policy

The weird thing is that the installer starts, our DLLs are unpacked to the temp folder correctly and can be executed. It is purely that later on in the process when the CAB files are extracted the error happens. When I check with a different installer (nintex' installer from http://nintexdownload.com/sl/supportfil ... ow2013.exe) then the signature cannot be verified either (When I disable updating of root certs).

Regards,
Kiran Chauhan

Dan
Posts: 4458
Joined: Wed Apr 24, 2013 3:51 pm

Re: Invalid digital signature during installation

Post by Dan » Mon Mar 14, 2016 8:55 am

Hi Kiran,

Thank you for your post. I'm sure this will help future users in the same situation.

Best regards,
Dan
Dan Ghiorghita - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Post Reply