Digital signing fails
Posted 19 April 2017 - 20:40
I'm not sure where to put this as it applies to all InstallShield project types that include signing its output files.
InstallShield uses a timestamp server, http://timestamp.geotrust.com/tsa. This server is now offline (replaced).
Symantec provides a replacement, but there is no obvious way to tell InstallShield how to use this new server in the UI.
You must make the change to each specific InstallShield instance you have on your system. Both developer and SAB.
Change your settings.xml file located here: C:\Program Files (x86)\InstallShield\2016\Support\0409
Search for http://timestamp.geotrust.com/tsa
It will show up in a line that looks like this: <DigitalSignature Timestamp="http://timestamp.geo...rust.com/tsa"/>
Change the server location to one on the Symantec page. I was unable to get the new legacy server to work. I therefore needed to use http://sha256timesta...ha256/timestamp
Note that this server uses a new CA, so this may affect how your install runs. In disconnected environments, if this CA is missing, the installation will fail. In connected environments, if the CA is missing, Windows 7 and newer will ask Windows Update for the CA needed. The install process may take a bit longer the first time, but any subsequent installation will take the normal amount of time.
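The settings.xml change described in the post above, as an added example (not from the original poster or Flexera): a Python script that rewrites only the `Timestamp` attribute of `<DigitalSignature>` when it still points at the retired GeoTrust server, keeps a `.bak` copy, and leaves any other configured server untouched. `NEW_TSA` is a placeholder URL, the `<Settings>` wrapper in the sample is constructed, and the file is assumed to be in an ASCII-compatible encoding.

```python
import re
import shutil
from pathlib import Path

OLD_TSA = "http://timestamp.geotrust.com/tsa"    # retired server named in the post
NEW_TSA = "https://tsa.example.invalid/rfc3161"  # placeholder: use your CA's documented URL

# Constructed sample; only the <DigitalSignature> line comes from the post.
SAMPLE = (
    '<?xml version="1.0"?>\r\n'
    '<Settings>\r\n'
    '  <DigitalSignature Timestamp="http://timestamp.geotrust.com/tsa"/>\r\n'
    '</Settings>\r\n'
)

# Captures only the Timestamp attribute value of a <DigitalSignature> element.
_ATTR = re.compile(r'(<DigitalSignature\b[^>]*?\bTimestamp\s*=\s*")([^"]*)(")')

def retarget(xml_text, old=OLD_TSA, new=NEW_TSA):
    """Return (text, changed, skipped); only values equal to `old` are replaced."""
    changed, skipped = [], []

    def swap(m):
        if m.group(2).strip().lower() == old.lower():
            changed.append(m.group(2))
            return m.group(1) + new + m.group(3)
        skipped.append(m.group(2))  # some other server is configured: report it, keep it
        return m.group(0)

    return _ATTR.sub(swap, xml_text), changed, skipped

def update_file(path, old=OLD_TSA, new=NEW_TSA):
    """Patch one settings.xml in place; returns (number changed, values left alone)."""
    path = Path(path)
    # latin-1 maps every byte to one character, so the rest of the file
    # (line endings, any non-ASCII text) is written back byte for byte.
    text = path.read_bytes().decode("latin-1")
    patched, changed, skipped = retarget(text, old, new)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup before writing
        path.write_bytes(patched.encode("latin-1"))
    return len(changed), skipped

if __name__ == "__main__":
    text, changed, skipped = retarget(SAMPLE)
    print(text)
    print("changed:", changed, "skipped:", skipped)
```

Call `update_file()` once per InstallShield instance (developer and SAB), pointing it at the settings.xml in that instance's Support\0409 folder; writing under Program Files needs an elevated prompt.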
Posted 21 April 2017 - 19:49
I asked Flexera Support about this problem and here's their answer:
By default, InstallShield should be using http://timestamp.ver...ts/timstamp.dll for the timestamp server. However, the issue with http://timestamp.geotrust.com/tsa going offline and problems with using the new SHA-1 with RFC 3161 service is a known issue, and should be resolved in the next Service Pack release of InstallShield. We currently do not have an estimated time for when this will be released.
Posted 21 April 2017 - 19:53
Fortunately for me, my signing certificate and the new SHA256 timestamp server both use the same Symantec CA Root. There were no negative effects to make the switch for me. Thanks for following up with support.