SimonMatthews
Posts: 3
Joined: Wed Dec 13, 2023 12:15 am

Code signing failing -- SOLVED!

I got a new Code Signing certificate (from Sectigo), on a YubiKey dongle.

I have followed the instructions here:
https://www.advancedinstaller.com/user- ... gning.html

We don't have an EV certificate, but I don't think that should make a difference.

However, at the point of signing (we are running this in a script), I get:
Detecting MSI incompatible resources
ERROR: Digital signature. Digital certificate selected for signing has expired! Please replace it with a valid SHA256 certificate.
WARNING: Digital signature. Digital certificate selected for signing is of SHA1 type. This might work but is not officially supported by Windows, a SHA256 certificate is recommended.

There are no other certificates on the build system. I have checked that the exported certificate is the correct one and is valid (copied it to a Linux system and got the text using OpenSSL).

See attachment for my setup.

Any ideas?
Attachment: Screenshot at 2024-01-05 11-02-17.png (25.75 KiB)
Last edited by SimonMatthews on Wed Jan 10, 2024 1:41 am, edited 1 time in total.
SimonMatthews
Posts: 3
Joined: Wed Dec 13, 2023 12:15 am

Re: Code signing failing -- SOLVED!

I finally solved the problem.

To use the Sectigo certificate, I needed to install some intermediate certificates.

The error message about an expired certificate was entirely wrong and, in my opinion, a bug in the signing tools. I don't know if this bad error message comes directly from SignTool.exe or elsewhere.
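
An added diagnostic example (not code from the posts above or from Advanced Installer) for the situation Simon describes: it builds the certificate chain for each code signing certificate and reports whether the leaf is really out of date or whether the issuer chain is incomplete. It assumes the token's certificate is visible in the CurrentUser\My store; the function name Test-SigningCertChain is hypothetical.

```powershell
# Added example, not from the thread. Assumption: the token's certificate is
# visible in the CurrentUser\My store. Test-SigningCertChain is a hypothetical name.
function Test-SigningCertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the result reflects only validity dates and chain building.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    $now = Get-Date
    $outsideValidity = ($now -lt $Certificate.NotBefore) -or ($now -gt $Certificate.NotAfter)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Separate the two causes: a real expiry versus an incomplete issuer chain.
    $diagnosis = if ($outsideValidity) {
        'Leaf certificate is outside its validity period'
    } elseif ($flags -contains 'PartialChain') {
        'Leaf is in date; issuer chain is incomplete (intermediate certificate missing)'
    } elseif (-not $built) {
        'Leaf is in date; chain failed for another reason (see ChainStatus)'
    } else {
        'Leaf is in date and chain builds to a trusted root'
    }

    $result = [pscustomobject]@{
        Subject            = $Certificate.Subject
        Thumbprint         = $Certificate.Thumbprint
        NotAfter           = $Certificate.NotAfter
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
        ChainBuilt         = $built
        ChainLength        = $chain.ChainElements.Count
        ChainStatus        = $flags -join ', '
        Diagnosis          = $diagnosis
    }
    $chain.Reset()
    $result
}

# Check every code signing certificate the current user can see.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    ForEach-Object { Test-SigningCertChain -Certificate $_ } |
    Format-List
```

A ChainLength of 1 together with PartialChain means only the leaf was found; SignatureAlgorithm shows whether the certificate itself is SHA1 or SHA256.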
Catalin
Posts: 7492
Joined: Wed Jun 13, 2018 7:49 am

Re: Code signing failing -- SOLVED!

Hello Simon,

Thank you very much for your follow-up on this and for sharing your solution with us!

I am glad to hear everything is working as expected now.

Regarding the error message, I think it is coming from signtool as that's what we're using for signing purposes.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
aweber
Posts: 62
Joined: Mon Jun 18, 2018 7:45 pm

Re: Code signing failing -- SOLVED!

I am having a similar issue. However, even though I have installed the YubiKey "MiniDriver", I do not get any option to select the eToken Cryptographic Provider in AI 22.5 Professional.

I'm not sure how to proceed with signing my installer. Has anyone looked at this in the past year (since the last post here)?

Please help.
Catalin
Posts: 7492
Joined: Wed Jun 13, 2018 7:49 am

Re: Code signing failing -- SOLVED!

Hello Aj,

Apologies for the delayed reply on this; this post has somehow been overlooked by our team. :(

Are you still facing issues with this?

From what I remember, I have tested this with someone from our QA team (as they have the dongle) and it worked just fine (a few months ago, maybe).

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team