7 replies to this topic

[installer96]

When I attempt to sign my build, I receive the following errors for each of the files:

 

SigningHelper: error 0x80072ee2 while attempting to sign file

ISDEV: warning -1027: A warning occurred while signing <the file>. See the build log.

 

I'm signing the output files only, not the files in the package.

When I run the setup.exe, it does show the correct Verified Publisher, so it seems like the signing is working. Why all the errors then?

 

I can't find any info on the error code 0x80072ee2.

 

[deramor]

On the output files, check the digital signature tab to make sure that the files are both signed and timestamped.

A sign operation consists of both operations.  One is a signature but the other asserts when that signature was applied to the file.  It prevents a file getting signed by an expired certificate or other such nefarious actions. 

 

If the timestamp is not there, it would explain why the publisher was available and maybe the errors during the build.  If absent, I believe the signature would become invalid once the validity period of the certificate expires.

[installer96]

Ah yes, that is the case. The timestamp column says "not available." So is this an error on InstallShield's part?

 

I see in the following thread that there were some issues with timestamping that were supposed to be resolved in 2016 SP2. I just upgraded to SP2 and I'm still having the same issue.

http://forum.install...showtopic=22021

[deramor]

I know that post.  I started it  

 

It is possible that the timestamp server was unreachable.  Try to reproduce the error first.  2016 SP2 uses these server settings for timestamping:

        <DigitalSignature Timestamp="http://sha256timesta...56/timestamp"/>
        <DigitalSignature TimestampRFC3161="http://sha256timesta...56/timestamp"/>

Make sure it is reachable.

 

Then, I would attempt to sign a file on the command line to make sure it's Installshield.

 

For example:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /v /fd sha256 /f <Path to pfx file> /p <password for PFX file> /tr "http://sha256timesta...a256/timestamp"<Path of file to sign>

 

If you have a different Windows SDK installed you can use that version of signtool.

Also note the /fd sha256 option.  My certificate has a signature hash algorithm that uses SHA 256.  if yours is different, this option will need to change.  Some older SDKs don't support SHA 256 or other more modern hashes so you may need to have at least 7.0A installed to try this.

 

If this works, review the Installshield settings to make sure your certificate hash algorithm matches what you set in Installshield signing options. (release view)

[installer96]

I used signtool as you suggested, and it successfully created a timestamp.

 

Here are my settings in the release view:

 

Certificate URL

http://<our website>

 

Digital Certificate Information

<path to .pfx>, Digest Selection: SHA-256

 

Certificate Password

<certificate password>

 

Sign Output Files

Setup.exe and Windows Installer package

 

Signature Description

<our product name>

 

Sign Files in Package

No

[deramor]

Though I do not have any other suggestions for you, this is also apparently my problem as well with a different warning message:

 

SigningHelper: error 0x80072f78 while attempting to sign file
ISDEV : warning -1027: A warning occurred while signing msi file. See the build log for details.
 

[deramor]

The issue for me was that my settings.xml file contained a timestamp server that had recently been discontinued.

 

The file should have this setting in it: <DigitalSignature Timestamp="http://timestamp.ver...timstamp.dll"/>

 

The file is located in: InstallShield\2016 SAB\Support\0409

Modify this for your particular IS version of course.  Hope this is helpful.

[installer96]

For me, the issue was that my antivirus program was interfering. After disabling the AV, it worked.