Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

issues with advanced installer and DigiCert signing via azure. pipelines

Good afternoon. I have been working on setting up EV code signing via DigiCert and advanced installer for my company. The current issue I'm running into is getting code and EXE signed correctly via the azure pipelines. Every way I Try, I'm running into an error.

The first error I get when singing via azure pipelines alone and no attempt to sign via Api file, I get a signature mismatch when installing the exe.

The Second error I am seeing when I'm signing via the aip file and azure pipelines for the exe i get the expected output and our pipeline completed saying it was signed correctly. upon trying to install our new exe, the file immediately asks the user if they are "sure they want to close the application and stop the install." and the user cannot continue to begin the install.
the pipeline code im using is
.\smctl.exe healthcheck
.\smctl windows certsync --keypair-alias=$(KeyPairAlias)
.\smctl.exe sign verify --fingerprint="$(CertThumbPrint)" --input "$(Build.ArtifactStagingDirectory)\exe"


The third error I see when trying to sign.
<ROW TimeStampUrl="http://timestamp.digicert.com" SignerDescription="[|ProductName]" SignOptions="7" SignTool="0" UseSha256="1" Subject="CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=&quot;DigiCert, Inc.&quot;, C=US" Store="User\MY" CustomToolPath="C:\Program Files\DigiCert\DigiCert Keylocker Tools\signtool.exe" CustomToolCmdLine="sign /sha1 &quot;*******************************************&quot; /tr &quot;http://timestamp.digicert.com&quot; /td &quot;SHA256&quot; /fd &quot;SHA256&quot;"/>

when I sign via just the aip file with the snippit above I get this advanced installer error during our pipeline run saying
"[ DefaultBuild ]
Building package: C:\agent\_work\422\a\exe\application-2020.3.6-(x64).exe
Prepare build
Detecting MSI incompatible resources
Preparing files
Creating CAB file(s)
Signing CAB file(s)
Win32 Error [2148204800]: "No signature was present in the subject. "
"


any Help would be greatly appreciated.
Thank you!
Catalin
Posts: 6727
Joined: Wed Jun 13, 2018 7:49 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello and welcome to our forums,

First of all, please accept my apologies for such a delayed reply.
The first error I get when singing via azure pipelines alone and no attempt to sign via Api file, I get a signature mismatch when installing the exe.
This is a common issue when signing the installer outside of Advanced Installer. The reason for this is the fact that the MSI inside the EXE is not signed with the same certificate and therefore the mismatch error is thrown.

"Why the "Are you sure you want to cancel installation" message is thrown after clicking the [ Install ] button?"
when I sign via just the aip file with the snippit above I get this advanced installer error during our pipeline run saying
"[ DefaultBuild ]
Building package: C:\agent\_work\422\a\exe\application-2020.3.6-(x64).exe
Prepare build
Detecting MSI incompatible resources
Preparing files
Creating CAB file(s)
Signing CAB file(s)
Win32 Error [2148204800]: "No signature was present in the subject. "
"
Regarding this, could you please have a look over the following thread and let me know if it helps?

Signing with Digicert Keylocker

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

Re: issues with advanced installer and DigiCert signing via azure. pipelines

im still waiting for any type of real solution please. the previous linked thread is dead and the solution DOES NOT work
Catalin
Posts: 6727
Joined: Wed Jun 13, 2018 7:49 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello,

I am sorry to hear that this does not work.

if possible, could you please give me some more details about the error you are encountering now? Or is it the same error?

Also, are you using signtool.exe or smctl.exe as explained in our How to sign your package with Azure Code Signing or Digicert Keylocker? article?

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

Re: issues with advanced installer and DigiCert signing via azure. pipelines

I've managed to get our products msi and exe signed via advanced installer manually with smctl and this command for anybody who needs help. Took a lot of configurations of click to sign and smctl with DigiCert's secure code locker. the directions are on DigiCert site they are spreed between 5 pages. must fallow in order for best results and not accidently misconfiguring.

Command-
smctl.exe sign --keypair-alias "key pair" --config-file "path\ to\ pk11conf\" --input "path\ to\ file\ to\ sign"


The issue I'm having when signing via pipelines is. still trying to figure that out
Win32 Error [2148204800]: "No signature was present in the subject. "
Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

Re: issues with advanced installer and DigiCert signing via azure. pipelines

everything I try doesn't work does advanced installer have any documentation about THEIR UPDATE to work with digicert and EV CODE SIGNING
Catalin
Posts: 6727
Joined: Wed Jun 13, 2018 7:49 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello,

I am really sorry to hear that this is still not working.

So, if I understand correctly, are you saying that this command:

Code: Select all

smctl.exe sign --keypair-alias "key pair" --config-file "path\ to\ pk11conf\" --input "path\ to\ file\ to\ sign"
works outside of Advanced Installer but does not work if you input it as explained the following article?

https://www.advancedinstaller.com/user- ... -sign.html

I'm asking because this is really strange and I really cannot see a reason why it would work outside of Advanced Installer but not work if you use the same tool inside Advanced Installer.

If possible, please make sure you followed these steps:

1. Install DigiCert Keylocker client tool
2 Download certificate
3. Create 4 user Environment Variables

Code: Select all

SM_API_KEY (Digicert provided API key during certificate creation)

Code: Select all

SM_CLIENT_CERT_FILE (Path to certificate, including name of certificate)

Code: Select all

SM_CLIENT_CERT_PASSWORD (Certificate password)

Code: Select all

SM_HOST (digicert URL)
4. Add Digicert Keylocker & path to signing tool C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64 to System env Path

5. Restart server for environment variables to be recognized

6. Add friendly name to certificate after reboot

7. Run "smctl healthcheck" to validate certificaste

8. Run "smctl windows certsync --keypair-alias=<friendly name> --store=system" to get certificate added to local computer Personal store.
9. In AI, use custom option for Digital Signature and use:
Path:C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
Command Line:sign /csp "DigiCert Signing Manager KSP" /kc <friendly name> /f <path to crt> /tr "http://timestamp.digicert.com" /td sha256 /fd SHA256

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

Re: issues with advanced installer and DigiCert signing via azure. pipelines

good morning, smctl is configured and works. when manually singing via command line I can sign anything, when it comes to advanced installer, we can sign with the smctl command just fine for everything but EXE with resources inside it. which is the issue, as well as we cannot build anything via pipelines.

This is an issue for us because we usually build a exe for our product not an msi but only msi builds and signs correctly
the pipeline issue causes us to have to manually build and sign our code.

when I build a msi with (resourced inside it) I get a successful build

[ DefaultBuild ]
Building package:
C:\path\to\smi\output
Prepare build
Detecting MSI incompatible resources
Preparing files
Reusing archives from cache
Preparing binaries
Creating MSI database
Inserting CAB file(s) into MSI
Writing Summary Information
Signing MSI
This file was signed with the certificate: our cert name
Validating MSI

Total build time: 3 min 44 sec.

Build finished successfully.



when I try to sign and create a exe (with resources inside it) i get a error
"

[ DefaultBuild ]
Importing digital certificate
Building package: path to exe in pipelines
Prepare build
Detecting MSI incompatible resources
Preparing files
Creating CAB file(s)
Signing CAB file(s)
Win32 Error [2148204800]: "No signature was present in the subject. "
"

when i manually try to sign and build and exe (with resources inside it) i get an error "
Building package:
path to exe outputted
Prepare build
Detecting MSI incompatible resources
Preparing files
Creating CAB file(s)
Signing CAB file(s)
Win32 Error [2148204800]: "No signature was present in the subject. "
Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

Re: issues with advanced installer and DigiCert signing via azure. pipelines

also, we can't use sign Tool because It can't sign PowerShell scripts.
Catalin
Posts: 6727
Joined: Wed Jun 13, 2018 7:49 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello,

The fact that this doesn't work manually either indicates that there might be something else here at fault, not Advanced Installer.

I will discuss with our QA team to see if we can test this specific scenario to see whether we can reproduce it on our end or not.
also, we can't use sign Tool because It can't sign PowerShell scripts.
SignTool can sign PowerShell scripts. We have an option to sign scripts in Advanced Installer and we are using SignTool for those binaries (i.e. it signs the script with the same certificate you input in the "Digital Signature" page).

That being said, could you please make sure your scripts aren't actually signed?

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Cams1337
Posts: 10
Joined: Mon Dec 11, 2023 6:43 pm

Re: issues with advanced installer and DigiCert signing via azure. pipelines

yes, like I said before I can sign anything with DigiCert and smctl via command line tool or click to sign.This is what DigiCert suggested to use and everything works on that side. like I said previously in my last post I can build a MSI executable that is signed just fine and works but we REQUIRE an EXE which give us a "no signature found in subject" error. every type of build I try works and is signed BUT the EXE (with resources inside it) the MSI that goes inside the exe DOES NOT get signed and gives me a no signature found in subject. it only happens with this, and this also happens via pipelines. aswell
Catalin
Posts: 6727
Joined: Wed Jun 13, 2018 7:49 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello,

When signing in the pipeline, you are using our Azure DevOps task, correct?

If so, could you please forward me the following resources:

- a copy of the AIP file

- the debug log from the Azure DevOps - at a pipeline level, there should be an "Enable Debug Logging" option, please enable this and forward me the log file

by email at support at advancedinstaller dot com.

And, once again, for clarification:

1. SMCTL --> EXE

- manually signging the EXE --> does not work

- signing from Advanced Installer GUI --> does not work

- signing from a pipeline --> does not work

2. SMCTL --> MSI --> works in all 3 above

Please confirm these as well.

Looking forward to hearing from you!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
zak
Posts: 5
Joined: Mon Jan 15, 2024 8:26 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello,

the command you provided with signtool works:
sign /csp "DigiCert Signing Manager KSP" /kc <friendly name> /f <path to crt> /tr "http://timestamp.digicert.com" /td sha256 /fd SHA256

But is there any way to use the fingerprint in order not to have the certificate path in AIP file, please?

The command working in cmd is this (but not working in Adavanced installer)
smctl sign --fingerprint <certificate fingerprint> --input <path to unsigned file or folder>

Note: all the required values are stored in user's environment variables, or windows credential manager.

Thank you.

Zak
Catalin
Posts: 6727
Joined: Wed Jun 13, 2018 7:49 am

Re: issues with advanced installer and DigiCert signing via azure. pipelines

Hello Zak and welcome to our forums,

I am glad to hear you got this working.

Regarding your question, I've done some further digging into this and from what I found, it looks like signtool does not have that "fingerprint" parameter.

What I found, however, is the following StackOverflow thread which seems to be debating a similar scenario:

Automating code signing with signtool.exe, but without storing the certificate or password

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Building Installers”