Digital signing has unhelpful error messages
Posted 31 May 2017 - 20:04
When I attempt to sign my build, I receive the following errors for each of the files:
SigningHelper: error 0x80072ee2 while attempting to sign file
ISDEV: warning -1027: A warning occurred while signing <the file>. See the build log.
I'm signing the output files only, not the files in the package.
When I run the setup.exe, it does show the correct Verified Publisher, so it seems like the signing is working. Why all the errors then?
I can't find any info on the error code 0x80072ee2.
Posted 31 May 2017 - 20:37
On the output files, check the digital signature tab to make sure that the files are both signed and timestamped.
A sign operation consists of both operations. One is a signature but the other asserts when that signature was applied to the file. It prevents a file getting signed by an expired certificate or other such nefarious actions.
If the timestamp is not there, it would explain why the publisher was available and maybe the errors during the build. If absent, I believe the signature would become invalid once the validity period of the certificate expires.
Posted 31 May 2017 - 20:53
Ah yes, that is the case. The timestamp column says "not available." So is this an error on InstallShield's part?
I see in the following thread that there were some issues with timestamping that were supposed to be resolved in 2016 SP2. I just upgraded to SP2 and I'm still having the same issue.
Posted 31 May 2017 - 21:18
I know that post. I started it.
It is possible that the timestamp server was unreachable. Try to reproduce the error first. 2016 SP2 uses these server settings for timestamping:
Make sure it is reachable.
Then, I would attempt to sign a file on the command line to make sure it's InstallShield.
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /v /fd sha256 /f <Path to pfx file> /p <password for PFX file> /tr "http://sha256timesta...a256/timestamp" <Path of file to sign>
If you have a different Windows SDK installed you can use that version of signtool.
Also note the /fd sha256 option. My certificate has a signature hash algorithm that uses SHA 256. If yours is different, this option will need to change. Some older SDKs don't support SHA 256 or other more modern hashes so you may need to have at least 7.0A installed to try this.
If this works, review the InstallShield settings to make sure your certificate hash algorithm matches what you set in the InstallShield signing options (release view).
Posted 31 May 2017 - 21:52
I used signtool as you suggested, and it successfully created a timestamp.
Here are my settings in the release view:
Digital Certificate Information
<path to .pfx>, Digest Selection: SHA-256
Sign Output Files
Setup.exe and Windows Installer package
<our product name>
Sign Files in Package
Posted 31 May 2017 - 22:51
Though I do not have any other suggestions for you, this is also apparently my problem as well with a different warning message:
SigningHelper: error 0x80072f78 while attempting to sign file
ISDEV : warning -1027: A warning occurred while signing msi file. See the build log for details.
Posted 01 June 2017 - 21:43
The issue for me was that my settings.xml file contained a timestamp server that had recently been discontinued.
The file should have this setting in it: <DigitalSignature Timestamp="http://timestamp.ver...timstamp.dll"/>
The file is located in: InstallShield\2016 SAB\Support\0409
Modify this for your particular IS version of course. Hope this is helpful.
Posted 06 June 2017 - 16:48 Best Answer
For me, the issue was that my antivirus program was interfering. After disabling the AV, it worked.
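Added example, not part of the original thread: a PowerShell post-build check that flags output files which are signed but carry no timestamp, and tests whether the timestamp server named in settings.xml accepts a TCP connection. The file paths and parameter names are placeholders assumed for illustration.

```powershell
# Added example (not from the thread). Paths and parameter names are assumed placeholders.
param(
    [string[]]$OutputFiles = @('.\Release\setup.exe'),  # hypothetical build outputs
    [string]$SettingsXml   = '.\settings.xml'           # copy of InstallShield's settings.xml
)
$failed = $false

# The low 16 bits of a 0x8007xxxx HRESULT are the Win32/WinINet error code:
# 0x80072ee2 -> 12002 (ERROR_INTERNET_TIMEOUT), a network failure, not a certificate failure.
'Win32 code for 0x80072ee2: {0}' -f (0x80072ee2 -band 0xFFFF)

# 1. "Verified Publisher" only proves a signature exists; the timestamp is a separate
#    countersignature, exposed here as TimeStamperCertificate.
foreach ($file in $OutputFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $timestamped = $null -ne $sig.TimeStamperCertificate
    [pscustomobject]@{
        File              = $file
        Status            = $sig.Status
        Timestamped       = $timestamped
        SignerCertExpires = $sig.SignerCertificate.NotAfter
    }
    if ($sig.Status -ne 'Valid' -or -not $timestamped) { $failed = $true }
}

# 2. Read the timestamp URL InstallShield will use and test TCP reachability only;
#    an open port does not prove the service still issues timestamps.
if (Test-Path $SettingsXml) {
    $attr = Select-Xml -Path $SettingsXml -XPath '//DigitalSignature/@Timestamp' |
        Select-Object -First 1
    if ($attr) {
        $url = [uri]$attr.Node.Value
        $open = Test-NetConnection -ComputerName $url.Host -Port $url.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        'Timestamp server {0}: TCP reachable = {1}' -f $url, $open
        if (-not $open) { $failed = $true }
    }
}

# Fail the build step instead of relying on warning -1027 being noticed.
if ($failed) { exit 1 }
```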