

This is a read-only archive of the InstallSite Forum. You cannot post any new content here.

Digital Signature Woes


4 replies to this topic

PeterBoucher
  • Members
  • 17 posts

Posted 26 January 2005 - 16:35

I did figure out how to sign setup.exe.

If I right-click on setup.exe and select properties, there is a "Digital Signatures" tab, and it says "This digital signature is OK." If I binary-edit setup.exe and change one bit, the above check says "This digital signature is not valid."

So far, so good.

However, there are two things I don't get:

1) When I run the setup, whether the signature is valid or invalid (i.e., whether or not I've twiddled a bit), I get no indication that the signature was checked. The setup just runs like it did before I added the signature.

2) When I add the private key password to the project, the build fails. Without the password in the project, the build stops and waits till I type the password before it signs. I would much rather not have to watch the build and type in a password every time.

Any help?

PeterBoucher
  • Members
  • 17 posts

Posted 26 January 2005 - 18:21

P.S., I'm using InstallShield X

PeterBoucher
  • Members
  • 17 posts

Posted 29 January 2005 - 00:05

My code is signed correctly if I don't enter the PVK password in the wizard. The certificate is displayed only when you launch the setup from an untrusted server.

I still can't get the signing to work if I enter the PVK password in the wizard, so I have to type it in during the build, once for each file signed.

I can't find any documentation that says that signcode.exe supports passing the password in on the command line. The docs all say that if your PVK file is password-protected, then signcode must prompt for the password each time a file is signed.

Did installshield or anyone else ever test that password-in-the-wizard feature and have it work?

oceanpearl
  • Members
  • 10 posts

Posted 15 March 2005 - 01:30

-> set up a machine for password-less signing

1) pvkimprt.exe -pfx mycredentials.spc myprivatekey.pvk
'- you get prompted for the private key password: xxxxx
'- click next
'- click on "Yes, export the private key"
'- select format "Personal Information Exchange - PKCS#12 (.PFX)"
'- tick on "Include all certificates in the certification path"
'- tick on "Enable strong protection"
'- click next
'- enter private key password: xxxxx, then confirm password
'- click next
'- select the exported filename (anyfilename.pfx), click next...
'- click on finish -> "The export was successful"

-> add the information from the pfx file to the PC's Personal Store

2) start internet explorer
'- Click on Tools|Internet Options|Content Tab|Certificates...
'- go to Personal Store, click on Import...
'- Certificate Import Wizard starts, click on Next...
'- Specify to import the newly created *.pfx file Browse... , Click Next...
'- type the password, disable "strong private key protection", disable "Mark this key as exportable".
'- Place the new certificate to the Personal Certificate store...Next...
'- Click on Finish... -> "The import was successful"

how to verify the new certificate:
'- highlight "XXXXXX" from the Personal Store, click on View...
'- it should display something like:
.) Ensures software came from software publisher
.) Protects software from alteration after publication
.) 2.16.840.1.113733.1.7.23.3
also it should display the validity information of the certificate

after #1 and #2 above, the PC is ready for password-less signing of binary files

3) syntax to call signcode.exe from a Perl script to sign files
system "signcode -cn \"XXXXXX\" -t http://timestamp.ver...ts/timstamp.dll -tr 5 filename.ext";

4) to verify the signed file use the chktrust.exe utility:
system "chktrust -v filename.ext";
make sure it is signed for XXXXX and timestamped as appropriate.
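The bit-flip observation in the first post and the chktrust check in step 4 above both come down to what the Authenticode hash actually covers. The following is an added example, not code from this thread or from InstallShield, signcode or chktrust: a standard-library Python script that computes the Authenticode-style hash of a PE file, skipping the CheckSum field, the Certificate Table data-directory entry and the certificate table itself, and then shows that a one-bit edit anywhere else changes the hash while an edit inside those skipped regions does not. The PE image is constructed inline (it is a header skeleton, not a real executable), and section data is hashed in file order, which is a simplification of the spec's PointerToRawData ordering that holds for typical linker output.

```python
"""Authenticode-style PE hashing: which bytes does the signature protect?
Added example for this thread, not InstallShield/signcode/chktrust code.
Standard library only; the PE image is constructed inline so it runs offline."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory index of the Certificate Table


def pe_layout(data: bytes) -> dict:
    """Locate the regions the Authenticode hash skips: the CheckSum field, the
    Certificate Table directory entry, and the certificate table it points to."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: data directories at optional offset 96
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+: data directories at optional offset 112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    certdir = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, certdir)  # file offset (not an RVA), size
    return {"checksum": opt + 64, "certdir": certdir,
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash the file except CheckSum (4 bytes), the Certificate Table entry (8 bytes)
    and the certificate table itself. Simplification: sections are assumed to be in
    file order, so the remainder of the file is hashed sequentially."""
    lay = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["certdir"]])
    if lay["cert_size"]:
        h.update(data[lay["certdir"] + 8:lay["cert_off"]])
        h.update(data[lay["cert_off"] + lay["cert_size"]:])   # anything after the cert table
    else:
        h.update(data[lay["certdir"] + 8:])                   # unsigned file: no table to skip
    return h.hexdigest()


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not runnable as a program): 0x200 bytes of
    headers, one 0x200-byte section, then a 0x40-byte dummy certificate table."""
    pe_off, hdr_size, sec_size, cert_size = 0x80, 0x200, 0x200, 0x40
    cert_off = hdr_size + sec_size
    img = bytearray(cert_off + cert_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)                          # e_lfanew
    img[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, SizeOfOptionalHeader=0xE0, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", img, opt + 60, hdr_size)                    # SizeOfHeaders
    struct.pack_into("<I", img, opt + 64, 0xDEADBEEF)                  # CheckSum (excluded from hash)
    struct.pack_into("<I", img, opt + 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    # Section header (.text): VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", sec_size, 0x1000, sec_size, hdr_size)
    img[hdr_size:cert_off] = bytes(range(256)) * 2                     # constructed section body
    # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    struct.pack_into("<IHH", img, cert_off, cert_size, 0x0200, 0x0002)
    return bytes(img)


def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """Return a copy with one bit toggled: the 'binary-edit one bit' experiment."""
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    """True where a single-bit edit changes the hash (signature would read 'not valid'),
    False where the edit lands in a region the hash deliberately skips."""
    pe = build_sample_pe()
    lay = pe_layout(pe)
    base = authenticode_hash(pe)
    return {
        "header_byte": authenticode_hash(flip_bit(pe, 0x40)) != base,                  # DOS stub: covered
        "code_byte": authenticode_hash(flip_bit(pe, 0x200 + 17)) != base,              # section: covered
        "checksum_field": authenticode_hash(flip_bit(pe, lay["checksum"])) != base,    # skipped
        "cert_table": authenticode_hash(flip_bit(pe, lay["cert_off"] + 20)) != base,   # skipped
    }


if __name__ == "__main__":
    for region, changed in demo().items():
        print(f"{region:15s} hash changed: {changed}")
```

The two False results are the whole reason a signature can be appended to an already-hashed file: the linker's CheckSum and the certificate table are written after hashing, so they must be excluded. A real verifier such as chktrust or WinVerifyTrust does more than recompute this hash: it checks that the hash embedded in the PKCS#7 SignedData inside the certificate table matches, validates the signer's certificate chain and, where present, the timestamp countersignature. That is why an edit inside the certificate table region, which leaves this hash unchanged, still fails verification in practice: the PKCS#7 structure or the signature over it is damaged.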


oceanpearl
  • Members
  • 10 posts

Posted 15 March 2005 - 01:33

I sort of wrote this procedure down after I got the same problems as you had; I can't monitor our nightly build machine and input the password every time the dialog box appears!