Frequently Asked Questions about Digital Signature

What is a digital signature?

A digital signature is used to help authenticate the identity of the creator of digital information. Digital signatures are based on digital certificates. Digital certificates are verifiers of identity issued by a trusted third party, which is known as a certification authority (CA). Digital signatures help establish the following authentication measures:

  • Authenticity
  • Integrity
  • Non-repudiation

How can I digitally sign my application?

In the Digital Signature page you can sign your application. By digitally signing your installers and products in Advanced Installer, you will increase your user's confidence in you and your company, giving them peace of mind about your software.

Why the SHA-2 digital signature is not recognized?

This may happen on a machine with OS lower than Windows 7 -> XP/Vista and if the application is signed using a SHA-2 digital signature. This is happening because the SHA-2 digital signature is recognized only from Windows 7.

Why the digital signature is not recognized by the SmartScreen or by the Internet Explorer?

Starting with January 1st, 2016 Microsoft is implementing a mandatory update of the Digital Signature system from SHA-1 to SHA-2 in order to deal with the decreasing security of the SHA-1 digital signatures.

All applications signed with SHA-1 certificates will still be accepted until January 1st, 2017. The UAC prompt will still show the correct vendor information but the browser, i.e. Internet Explorer, will warn the users about an invalid signature. Also, the Windows SmartScreen will not recognize the SHA-1 signature and try to prevent the users from running it.

What timestamp service URL should I choose when signing the application with a SHA-2 certificate?

Since not all CA vendors support SHA-2 timestamp for the SHA-2 digital signature you can still use a SHA-1 timestamp. However, all applications signed with a SHA-2 signature and a SHA-1 timestamp will be accepted until January 1st, 2017. After this date, you must use a SHA-2 timestamp for the SHA-2 signature.

Why do I get a random name for a digitally signed package?

The information displayed on the security dialog (UAC prompt) is collected from the digital signature of the package. In this particular case if you set the Description field from the Digital Signature Page it will display the correct package name.

Why does the SmartScreen prevent a signed setup from running and report it as an unrecognized application?

It seems that SmartScreen Protection shows the above message when you try to run a newly released program or an application that has not yet established a reputation. Reputation is established by SmartScreen® service intelligence algorithms based on how an application is used by Windows and Internet Explorer users.

For details, check the passing the smart screen on Win8 when install a signed application? thread that debates this subject.

This can also happen if the setup package is signed with a SHA1-based certificate and timestamped after January 1st, 2016.

Why does the "Unknown Publisher" message appear during the install of a digitally signed package?

This problem occurs only if the SignTool.exe from Windows SDK v.7.0 or later is used to sign the package and the "File From Disk" option is enabled in Advanced Installer's Digital Signature Page. The package will appear as signed, but upon a closer inspection the certificate used in the signing process will be reported as invalid. Because of this, the "Unknown Publisher" message will be displayed on Windows Vista or above, during installation.

As a solution, Microsoft recommends importing the certificate in the system store and automatically use it from here everytime a package is being digitally signed, instead of manually selecting the certificate file. In this case, the option "Automatically get certificate from system store" should be used in Advanced Installer's Digital Signature Page. Another solution, not recommended by Microsoft, is to use the SignTool.exe from an older version of Windows SDK along with the "File From Disk" option enabled in Advanced Installer Digital Signature Page.

Why does the "Unknown Publisher" message appear during the uninstall of a digitally signed package?

When a package is installed, Windows caches the MSI by placing it in the Windows\installer folder. During this process, all the unnecessary information (including the digital signature) is removed in order to decrease the size of the file. When an uninstall is launched from "Add or Remove programs" or through the Uninstall shortcut, Windows Installer uses the cached MSI. Since this file doesn't have a digital signature, the "Unknown Publisher" message will be shown. A solution for this is to make sure the user can uninstall the package only by launching the original file.

Why do I get the "Unmatching digital signature between EXE bootstraper and MSI database" message?

This error occurs when the signature from the .CAB or .MSI does not coincide with the one from the .EXE. This is an authentication security check done automatically by the .EXE boostrapper when the Enhanced User Interface is enabled.

ImportantIf you need to sign the installation package outside Advanced Installer then you can select the EXE setup with resources next to it as a package type and sign both .MSI and .EXE.

Why do I get the "Disk1.cab has an invalid digital signature" error during installation?

There are several reasons why you may get this error:

  • When the target machine has no internet connection and Windows Installer fails to verify online the digital signature. Since Windows installation is unable to contact the certificate provider that can verify the installer’s security certificate, it will prompt with that error during installation. This error sometimes disappears if you switch to using a different time stamp URL.
  • When is not be possible to compute the digital signature. This usually happens when you are using a SHA256 certificate or a SHA256 signature algorithm as a digest algorithm at signing time. Setup packages signed with a SHA256 certificate or digest algorithm will not have their digital signature recognized on XP and Vista operating systems. There is an official Windows issue regarding the computation failure of SHA256 certificates on Vista operating systems. So, if your setup package still targets Windows XP and Windows Vista operating systems it is recommended to disable the option "Sign only for modern operating system (Windows 7 or newer)" from Digital Signature Page.
  • When the CAB file has a large size. On Windows XP and Windows Server 2003 there is an operating system bug which consists in the operating system inability to compute the digital signature of the large installation files. So, if your setup package still targets Windows XP and Windows Server 2003 operating systems, as a workaround you can package your installation files into multiple CAB files of a smaller size (e.g. 64 MB) by using our Multiple volumes option.

Why the "Are you sure you want to cancel installation" message is thrown after clicking the [ Install ] button?

When you build an EXE setup package with resources inside our EXE bootstrapper checks at install time his signature and its embedded MSI signature. If there is a signature mismatch between the EXE and its embedded MSI file or the digital signature cannot be computed, then the above error will be spawned during installation after the [Install] button is pressed.

The signature mismatch may appear when the EXE setup package is signed outside of Advanced Installer. Since the MSI is embedded in the EXE, only the EXE will be signed and, therefore the MSI will remain unsigned. This will generate the conflict at install time.

Also, there are situations when may not be possible to compute the digital signature. This usually happens when you are using a SHA256 certificate or a SHA256 signature algorithm as a digest algorithm at signing time. Setup packages signed with a SHA256 certificate or digest algorithm will not have their digital signature recognized on XP and Vista operating systems and, thus the installation will fail. There is an official Windows issue regarding the computation failure of SHA256 certificates on Vista operating systems. So, if your setup package still targets Windows XP and Windows Vista operating systems it is recommended to disable the option "Sign only for modern operating system (Windows 7 or newer)" from Digital Signature Page.

Why does the installation exit without any notification after clicking the [ Install ] button?

Starting with Advanced Installer 13.0 if you have Enhanced UI enabled and you built an EXE setup type without signing it from the Digital Signature Page, the installation can end right after you click on [ Install ] button without any prompt or error dialog. This is the case of many developers that build the EXE installer without having access to the digital certificate. Then, when someone signs the EXE manually outside the Advanced Installer project, the MSI inside doesn't get signed. Basically, when launching a signed EXE with an unsigned MSI inside it, this behavior occurs.

The workaround is to use any (dummy/test) certificate to sign the EXE from the Advanced Installer project at build time. This will also sign the MSI inside it and once signing the EXE with the correct signature afterwards, the MSI dummy signature will be kept. With both EXE and MSI inside it signed, you won't get this behavior anymore.

Why do I get the "An attempt was made to load a program with an incorrect format." error message when building a signed package?

This may happen when creating a test installation package and adding an empty file (its size is 0 KB) in the test project. The build error should be fixed if the empty file is removed from the project and a valid one is added.

Why do I get the -2147467259/0x80004005 SignTool error at build time?

This error appears when you're trying to add an invalid PE file(i.e. EXE, DLL, etc.) to your package, and the binary has a broken certificate. Meaning the executable considers it exists but in reality is either missing or corrupted. The SignTool won't allow you to add an executable with a broken signature. You can try to fix it by following the procedure shown by Thomas Olsen in his replay to the SignTool Error: An unexpected internal error has occurred. (-2147467259/0x80004005) post.

Why do I get the 0x800700C1 SignTool error at build time?

This error happened because one or more of your binary files has already been signed and has an invalid digital signature. The SignTool cannot resign a file, so you must first remove its previous signature before using the tool. An excellent way to do this is presented by Martin Kunc in his blog post SignTool.exe returned error 0x800700C1.

Why signing fails with no error: "The digital signing of the file failed. Error message: "?

This can happen when using "SignTool.exe" to sign the package if you only selected the "Windows SDK Signing Tools for Desktop Apps" feature when installing the Windows 10 SDK. The resolution is to also install the "Windows SDK for UWP Managed Apps" feature.

You can also workaround this by using Advanced Installer's own "DigiSign.exe" internal signing tool to sign the package.

How cam I use my own signing tool to sign the files before being packed (DLLs, EXEs), and then installer?

In order to achive this you can use the build events support. To sign the files before being packed, a pre-build event is required.

To sign the result .MSI package a post-build event is required. If the result setup package is an .EXE setup package, two post-build events are required:

  • Use a post-build event to sign the MSI package and the CAB files. Also, make sure that you enable the "Execute this before EXE packing" option from the edit events dialog;
  • Use another post-build event to sing the .EXE setup package.