
  InstallAware Blog


How to Comply With Microsoft’s New Code Signing Policy Using InstallAware X3’s New Build Events

February 8th, 2016

In this tutorial we are going to show you how to make your installer packages conform with Microsoft’s new code signing policy. The “Windows Enforcement of Authenticode Code Signing and Timestamping” policy has been in effect since January 1, 2016. It deprecates SHA-1 code signing certificates, time stamps, and file hashes for code signing, and requires SHA-2 code signing certificates, time stamps, and file hashes in their place:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Fortunately this can be easily achieved following the few steps described with this tutorial. This is entirely based on the use of the new “Build Events” feature available with InstallAware X3.

The “Build Events” feature makes it possible to run any third party process as an integral part of a build process. A “Process” is any executable and may be invoked during the various stages of a build that InstallAware follows while packaging your apps.

In this tutorial, we will not be boring you with the details of the new Code Signing Policy. If you are interested in resolving the overt contradictions in the Microsoft documentation and fancy that sort of wild goose chase, please enjoy the official Microsoft documentation linked above. Having suffered through the nitty gritty details at InstallAware HQ on your behalf, we will be sparing you this pain, and focus on just the steps necessary to comply with the new Code Signing Policy so that you can build trusted setup packages.

Let us start with an overview of the setup binaries produced by a build which need code signing. These are, of course, the MSI and/or EXE binaries that comprise your setup files. Please note that if you are setting the NO_MSI compiler variable to TRUE – meaning that you are opting to build a pure Native Engine installation, without any Windows Installer (MSI) bloat – you may omit the steps for the MSI files below. Similarly, when you are building a pure Windows Installer target (no final EXE output), you may omit the steps for EXE files.

These are in summary the targets that need to comply with the new Code Signing Policy. We may now proceed to the implementation using InstallAware X3.


Requirements for This Tutorial

• InstallAware version X3,

• An SHA-2 code signing certificate,

• A recent version of the Microsoft SignTool.exe that supports double signing. This tool is included with the Windows 8 SDK, Windows 8.1 SDK and Windows 10 SDK.

Once the SDK is installed, the SignTool.exe binary is generally found inside one of the following directories:

  • C:\Program Files (x86)\Windows Kits\8.0\bin\x86
  • C:\Program Files (x86)\Windows Kits\8.1\bin\x86
  • C:\Program Files (x86)\Windows Kits\10\bin\x86


Getting Started

Make sure the “Sign the package with Authenticode” checkbox in the Build | Authenticode page of your Project Options window is UNCHECKED. This step is necessary since we are replacing the default code signing process in InstallAware X3.


Defining Build Events to Sign an Uncompressed Build Layout

With this kind of build it is necessary to apply the digital signature to the following files, which are part of an uncompressed build layout for a setup package (such as, for a DVD/Blu-Ray distribution target). These are stored at build time under your project’s “uncompressed” output folder.

• <PackageName>.exe

• <PackageName>.msi

• \data\<PackageName>.msi

1. In the Project Options dialog (“CTRL+SHIFT+F11”) select the “Post-Build” event node listed within the left tree pane control. Then in the Commands field enter the following command line sequence.

- "#IADIR#\authenticode\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Uncompressed\#TITLE#.msi"

- "#IADIR#\authenticode\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Uncompressed\Data\#TITLE#.msi"

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Uncompressed\#TITLE#.exe"

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /as /fd sha256 /tr <SHA256_timestamp_url> /td sha256 /p <cert_password> "#PROJDIR#\Release\Uncompressed\#TITLE#.exe"

Notes:

a) Press CTRL+ENTER to start a new command line. Each new line above represents a new command line and a new process invocation.

b) Be sure to update the paths to the folder where the SignTool.exe binary is actually located on your system. In the above example, a typical path for the Windows 10 SDK on a 64-bit operating system has been used.

c) You will need to replace these tokens with your actual values:

<SHA1_timestamp_url>: Replace with the Authenticode (SHA-1) time stamp server URL published by your certificate authority.

<SHA256_timestamp_url>: Replace with the RFC 3161 time stamp server URL to use, for example http://timestamp.comodoca.com/rfc3161.

<cert_password>: Replace with your code signing certificate password (we better not know what that is, right?)

<SHA2_cert>: Enter the full path to your code signing certificate file here. Be sure to enclose the entire path string inside double quotes ("") if the path to your code signing certificate contains spaces. Those adventurous among you may also opt to use the short path name for the certificate, if you are averse to using paths with spaces in them (even when they have been double-quoted).

Notice how, in the above command line sequence, we have refrained from hard-coding any folder paths and file names, insofar as your project folder and setup name are concerned. The examples above make use of the pre-defined compiler variables #PROJDIR#, #IADIR# and #TITLE# instead of hard-coding folder paths and file names. These compiler variables are automatically resolved to their final values during the build process. This lets you use the exact same commands across all of your setup projects, without having to engage in the laborious task of updating paths and file names across projects, and without having to update them when you move project folders around or change setup names.

2. In the Post-Build event settings, you may want to check the “Abort build on error (if any command returns non-zero result)” checkbox. Checking this box fails the setup build process when any invoked application returns a non-zero error code as its exit code, which is typically how an error condition is indicated on the command line. You may also want to keep this box unchecked, if you don’t care to break your build process when an intermittent failure occurs with a code signing time stamp server (or if it is not otherwise critical for your code signing to succeed).

3. Finally in the Project Options dialog, select the OK button to confirm the Post-Build event settings. Then rebuild the project. You’re done!


Defining Build Events to Sign a Compressed, Web, or Patch Build Layout

With all other build targets, including a Single Compressed File (monolithic) installer, a Web Build (main setup file plus optional web media block files), or a Patch Build, we need to define either a Post-Compress event (if your final build target is an EXE file) or a Post-Wrap event (if your final build target is an MSI file).

Note that you could also “nest” your signatures all the way in, if you wanted to. Since any compressed setup is ultimately composed of files found in an uncompressed layout (which are then packaged into a single [or a few, in the case of a web build’s web media block files] file), there’s no harm in signing all those source materials as well.

While Windows will obviously not display any additional elevation requests once you have already elevated the main entry point of your setup package, you may want to use this trick of nested package signing to improve your chances of preventing false positives with anti-virus software. Anti-viruses have indeed become a cure worse than the disease, often hindering legitimate setups from installation. It may help your installation success rates to sign your packages from top to bottom (although, to set your expectations right, some anti-virus vendors have gotten so aggressive that your mileage may vary even with everything signed inside out).

So if you want to do the nesting, copy over/retain the Post-Build event instructions for Uncompressed Builds to your compressed build types as well. Of course, remember to replace the string “uncompressed” with the string “single”, “web”, or “patch” based on your new distribution target.

Again while nesting, when building a single MSI file target, retain the Post-Compress event instructions (normally, you would only need to implement the Post-Wrap event instructions).


So here are the Post-Compress build events for a Single File Compressed Build:

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Single\#TITLE#.exe"

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /as /fd sha256 /tr <SHA256_timestamp_url> /td sha256 /p <cert_password> "#PROJDIR#\Release\Single\#TITLE#.exe"

Here are the Post-Compress build events for a Web Compressed Build:

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Web\#TITLE#.exe"

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /as /fd sha256 /tr <SHA256_timestamp_url> /td sha256 /p <cert_password> "#PROJDIR#\Release\Web\#TITLE#.exe"

And finally, the Post-Compress build events for a Patch:

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Patch\#TITLE#.exe"

- "C:\Program Files (x86)\Windows Kits\10\bin\x86\SignTool.exe" sign /f <SHA2_cert> /as /fd sha256 /tr <SHA256_timestamp_url> /td sha256 /p <cert_password> "#PROJDIR#\Release\Patch\#TITLE#.exe"


Now, if you are producing an MSI output instead of an EXE output, use the following build events instead. Of course, if you will be doing nested signing, then remember to retain the above Post-Compress build events as well.

For a Single File MSI Build, use these Post-Wrap build events:

- "#IADIR#\authenticode\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Single\#TITLE#.msi"

For a Web MSI Build, use these Post-Wrap build events:

- "#IADIR#\authenticode\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Web\#TITLE#.msi"

For a Patch MSI Build, use these Post-Wrap build events:

- "#IADIR#\authenticode\SignTool.exe" sign /f <SHA2_cert> /t <SHA1_timestamp_url> /p <cert_password> "#PROJDIR#\Release\Patch\#TITLE#.msi"
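The following script is added here as an example; it is not part of InstallAware’s own tooling. It collects the Post-Build command lines for the uncompressed layout and the Post-Compress/Post-Wrap command lines for the Single, Web and Patch layouts into one reusable PowerShell file: given the layout folder and the package title, it locates SignTool.exe in the SDK folders listed under Requirements, applies the SHA-1 signature and then the appended SHA-256 signature with an RFC 3161 time stamp exactly as the commands above do, exits non-zero on any failure (so the “Abort build on error” checkbox stops the build), and finally verifies every signature on each file. The parameter names, the CODESIGN_PFX_PASSWORD environment variable and the script path shown in the usage comment are assumptions of this example; the SHA-1 time stamp URL is whatever your certificate authority publishes, as in the tutorial.

```powershell
<#
  Sign-InstallAwareLayout.ps1 (hypothetical name; added example, not InstallAware's code).
  Call it from a Post-Build, Post-Compress or Post-Wrap event; InstallAware resolves
  #PROJDIR# and #TITLE# before the process starts, for example:

    powershell -NoProfile -ExecutionPolicy Bypass -File "C:\build\Sign-InstallAwareLayout.ps1" -LayoutDir "#PROJDIR#\Release\Uncompressed" -Title "#TITLE#" -CertPath "C:\certs\sha2 code signing.pfx" -Sha1TimestampUrl <SHA1_timestamp_url> -IncludeDataMsi
#>
param(
    [Parameter(Mandatory = $true)] [string] $LayoutDir,          # Uncompressed, Single, Web or Patch output folder
    [Parameter(Mandatory = $true)] [string] $Title,              # package name (#TITLE#)
    [Parameter(Mandatory = $true)] [string] $CertPath,           # SHA-2 code signing certificate (.pfx); spaces are fine
    [Parameter(Mandatory = $true)] [string] $Sha1TimestampUrl,   # Authenticode (SHA-1) time stamp server
    [string] $Sha256TimestampUrl = 'http://timestamp.comodoca.com/rfc3161',  # RFC 3161 server from the tutorial
    [switch] $IncludeDataMsi                                     # also sign \Data\<Title>.msi (uncompressed layouts)
)

$ErrorActionPreference = 'Stop'

# Take the certificate password from the environment (assumed variable name) rather than
# from a literal in the build event, so it does not end up in build logs or process listings.
$pfxPassword = $env:CODESIGN_PFX_PASSWORD
if (-not $pfxPassword) { throw 'CODESIGN_PFX_PASSWORD is not set' }

# Locate SignTool.exe in the SDK directories the tutorial lists, newest SDK first.
$signtool = @(
    "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x86\signtool.exe",
    "${env:ProgramFiles(x86)}\Windows Kits\8.1\bin\x86\signtool.exe",
    "${env:ProgramFiles(x86)}\Windows Kits\8.0\bin\x86\signtool.exe"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $signtool) { throw 'SignTool.exe not found; install the Windows 8, 8.1 or 10 SDK' }

function Invoke-SignTool {
    param([string[]] $Arguments)
    # PowerShell quotes arguments containing spaces itself, so paths with spaces are safe here.
    & $signtool @Arguments
    if ($LASTEXITCODE -ne 0) {
        # An uncaught exception makes powershell.exe -File exit non-zero, which is what
        # "Abort build on error" looks for.
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Same targets as the tutorial: EXE and MSI at the layout root, plus Data\<Title>.msi for
# uncompressed layouts. Pure-MSI (NO_MSI=FALSE, no EXE) or pure-EXE builds produce only some
# of these, so only files that actually exist are signed.
$targets = @("$LayoutDir\$Title.exe", "$LayoutDir\$Title.msi")
if ($IncludeDataMsi) { $targets += "$LayoutDir\Data\$Title.msi" }
$targets = @($targets | Where-Object { Test-Path $_ })
if ($targets.Count -eq 0) { throw "No $Title.exe or $Title.msi found under $LayoutDir" }

foreach ($file in $targets) {
    # 1) SHA-1 signature with an Authenticode (/t) time stamp, as in the tutorial's first command.
    Invoke-SignTool @('sign', '/f', $CertPath, '/t', $Sha1TimestampUrl, '/p', $pfxPassword, $file)

    # 2) Appended (/as) SHA-256 signature with an RFC 3161 (/tr) time stamp, PE files only:
    #    an MSI carries a single signature, which is why the tutorial lists one command per .msi.
    if ([IO.Path]::GetExtension($file) -ieq '.exe') {
        Invoke-SignTool @('sign', '/f', $CertPath, '/as', '/fd', 'sha256',
                          '/tr', $Sha256TimestampUrl, '/td', 'sha256', '/p', $pfxPassword, $file)
    }

    # 3) Verify under the default Authenticode policy (/pa). /all checks every signature of a
    #    dual-signed EXE, and /v prints each signature's hash algorithm and time stamp into the
    #    build log, so a missing SHA-256 signature is caught at build time rather than by users.
    Invoke-SignTool @('verify', '/pa', '/all', '/v', $file)
}

Write-Host "Signed and verified $($targets.Count) file(s) in $LayoutDir"
```

For a Single, Web or Patch layout, pass the matching folder (for example -LayoutDir "#PROJDIR#\Release\Single") without -IncludeDataMsi; with nested signing, run the script once per layout in the corresponding event. The verification output of step 3 is the part worth reading in the build log: it shows both the SHA-1 and the SHA-256 signature with their time stamps, which is exactly what the new policy is checking for.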


Conclusion


That’s it!

You’ve seen how easy and versatile it can be to use InstallAware X3’s new Build Events to extend the default build process in the IDE and across the entire InstallAware build toolchain.

Please feel free to use this mechanism to do anything special you like when building your own installers. Have fun!


Francesco Toscano
Your InstallAware™ Support Team.

InstallAware X3 Update Now Shipping

January 11th, 2016

We’ve just released InstallAware X3 Update, a free upgrade for all existing customers of InstallAware X3:

New Runtimes: Including .NET FX 4.6.1, VC++ 2015 Update 1, and SQL Express 2012 with Service Pack 3.

50% Better Compression: SQL Express 2012 with Service Pack 3 goes down to half of its already Microsoft-compressed size.

Updated Visual Studio Add-In: Automatically leverage our extreme 64 bit compression in all your Visual Studio solutions.

Updated IDE: Now compatible with very large font scaling (up to 300% or more), and Windows 10 debugging support.

Tens of Fixes: Per our policy of zero-known-issues, InstallAware X3 Update fixes all your reported issues.

Update: An Exciting Scene from the New Star Wars Film

December 18th, 2015

Scene wasn’t in this episode. Probably in one of the other ones, then :)

InstallAware Wins Visual Studio SimShip Award

December 14th, 2015

Marking our fourth award in a row, Microsoft have recognized InstallAware’s contributions to the Windows 10 eco-system with a Visual Studio Sim-Ship Award!

As we prepare to welcome 2016 in excitement of the coming holidays, we thought we’d put together a small holiday gift for you, our loyal developers – without whom we wouldn’t have lasted 11 years, save piling award atop award!

Free ZIPmagic File Compression:

1) ZIPmagic is our favorite tool to work with the 7ZIP Web Media Block files created by InstallAware.

2) It is also the best all around compression app for Windows, with patent pending Windows disk compression which they invented.

3) Take $100 worth of file compression functionality, including Outlook integration, WinZip compatible ZIPX/JPEG compression, and WinRAR compatible RAR5 support, for free with ZIPmagic InstallAware edition:

http://www.installaware.com/zipmagic.msi (leave the serial field empty when installing)

Choose the software installer used by timeless software products such as Microsoft Office, Crytek Crysis, and Borland Delphi – brought to you by the largest independent software installation toolkit vendor.

From all of us at InstallAware, thanks once again for all your support over the years, and Happy Holidays!

InstallAware Wins Two ComponentSource Awards

December 2nd, 2015

2015 has been a year of phenomenal success for InstallAware – so much that we’re having trouble keeping track of all awards that are coming in! We just won two more awards from our favorite reseller, ComponentSource:

1) Top 100 Product Award
2) Top 50 Publisher Award

We’re thrilled to be working with our friends at ComponentSource in bringing you the best installer technology on the Microsoft(R) Windows(TM) platform today:

o Platform Pillars: Support Windows XP 32-bit (Original Release) through Windows 10 Build 1511 64-bit (Threshold 2) from a single setup package.

o Sidestep MS-Store: Pin your applications programmatically to the Windows 10 Start Menu Live Tiles, or the Windows 8.x Start Screen, or the Windows 7.x-8.x-10.x Taskbar, or the Windows 7.x-Vista-XP Start Menu.

o Perfect Provision: Guarantee that your setups are bullet-proof by running unattended, simultaneous tests on as many virtual machines as your hardware can handle.

o Agile Advancement: Create re-usable technology prerequisites with the Application Runtime wizard; fire Build Events based on pre and post build/compression/wrapping triggers; enjoy smart Find highlights in the IDE.

o The Team Topology: Microsoft Team Foundation Server and Microsoft Visual Studio integration enable global collaboration on setup projects.

o Flexible Funding: A floating license add-on lets you install infinite copies of InstallAware, as long as the usage is non-simultaneous. Studio and higher editions allow infinite build machines, even for simultaneous use!

o Aggressive Advance: InstallAware is the most frequently updated installer, among all commercial and open source “alternatives”.

Discover InstallAware today. You’ll be glad you did!

Windows 10 Build 1511 with InstallAware Zero-Day Support

November 15th, 2015

The first big update to Windows 10 is here, and InstallAware provides zero-day support for it – requiring absolutely no changes to any installations you have built and distributed out in the field.

InstallAware Studio X3 is not only more affordable. It is also far more capable than any other commercial or open source installer:

Windows 10 Build 1511 Zero-Day Support: Bypass the Windows Store and pin applications directly to the Start Menu Live Tiles or the Taskbar programmatically. You may have noticed popular apps like Firefox, which used to be able to pin themselves to the taskbar, recently lost this ability in Windows 10 Build 1511. That’s because only InstallAware can pin.

Runtime Wizard and Zero-Day Runtimes: Yes, we’ve built a decade long track-record of having zero-day support for new Microsoft technologies, including the latest .NET 4.6 and Visual C++ 14. As if that wasn’t good enough, we’ve also distilled our experience into a wizard that lets you create your very own zero-day technology prerequisites!

Microsoft Stack Integration: Visual Studio 2015 integration makes it one click to create an InstallAware setup or an App-V virtualized app. Team Foundation Server integration makes it one click to check-in and check-out projects from source control, empowering you to distribute your software integration efforts across a global workforce.

Break the Law of Entropy: Have you heard of the law of entropy in data compression? Data that has been compressed before cannot be recompressed. InstallAware seemingly breaks this law by recompressing data up to 50% better than Microsoft’s already-compressed sizes (ex: SQL Server Express 2014 SP1). Enjoy similar savings with your own application runtimes!

One-Click Upgrade: Whether you use InstallShield or NSIS, Wise or InnoSetup, you’ll find authoring a setup in InstallAware a breeze. Import EXE binaries or MSI databases (or if you have it, setup source code) into ready-to-build InstallAware projects, eliminating the barrier to upgrade and helping combat entrenchment in a particular vendor’s toolkit.

InstallAware Wins Readers Choice Award

November 1st, 2015

The results are in! Microsoft Developer Community selected InstallAware as the Readers Choice Award Winner in the INSTALLATION, SETUP AND DEPLOYMENT TOOLS category. Thank you very much for helping make us the number one installer – we couldn’t have done this without you.

For the fourth time, Visual Studio Magazine readers have honored InstallAware as the best Visual Studio related setup programming tool. The Readers Choice survey is closely monitored. There is no ballot stuffing or vendor voting. Duplicate votes and ISP’s are removed. In sum, this result provides you with the best representation of the marketplace; best of breed tools.

The one and only InstallAware Studio X3 is unique in the following ways:

Pin to the Windows 10 Start Menu and Taskbar: Microsoft recently disabled programmatic access to the Windows 10 Taskbar. Microsoft had never allowed pinning to the new Windows 10 Start Menu either. InstallAware does both, bridging you into the most prime real estate on the Windows 10 Desktop. Just check a check-box in the “Create Shortcut” command!

Glass on Windows 10: InstallAware is the first to bring G L A S S to Windows 10. Use InstallAware’s pre-built Glass theme, or create your own. Just rebuild existing setups without any source code changes to glassify them for Windows 10. Show off your own glass based setup splash screen, with the target OS’s Windows accent colors applied!

Pre-Flight Checks: Push your hardware to its limits with InstallAware. Run multiple simultaneous virtual machine tests on as many virtual machines as you want. Specify custom command line parameters and customize InstallAware’s included unit testing scripts as the ultimate in pre-flight checks, with your own customizable roster.

50% Better Compression: Reduce Microsoft’s official SQL Server 2014 Express with Service Pack 1 installation to half of its already compressed size. Seemingly violating the law of entropy in data compression, InstallAware is unmatched in the size and speed of the installers it creates, even outperforming the platform/OS vendor.

Seamless Upgrade: Whatever installation platform you use, you’ll find authoring a setup in InstallAware a breeze. Nonetheless, you can even import EXE binaries or source code into ready-to-build InstallAware projects, eliminating the barrier to upgrade and helping combat entrenchment in a particular vendor’s toolkit.

An Exciting Scene from the New Star Wars Film

September 4th, 2015

The newly minted Jedi hero is running away from the bad guys and it’s raining laser fire on him.

He barely makes it to his spacecraft, only to find his weapon falling away from him.

As the craft ascends, he is desperate and stretching to pick up his weapon.

InstallAware X3 Benefits

August 9th, 2015

InstallAware X3 launched simultaneously with Windows 10 on July 29th. Our launch was a huge success. InstallAware X3’s merits speak for themselves:

Automated Virtual Machine Testing: Run as many simultaneous tests as your hardware can handle on VMware and Hyper-V platforms. The default unit test checks for successful installation and removal of any existing InstallAware solution, without any modifications needed to your setup project! The unit test ships with its InstallAware source code so you can customize it per your requirements, for example to check for specific files, registry keys/values, system services, or any other target system variable. Test on troublesome VM snapshots and prove your setups are rock solid.

Programmatic Application Pinning: You don’t have to go through the cumbersome bureaucracy of the Windows Store approval process to get your app pinned to the new Windows 10 Live Tiles Start Menu. Pin as many apps as you want to this most prime piece of real estate on a Windows system – made possible only by InstallAware. We trust you to pin responsibly and respect end-user privacy, while giving you the tools to maximize exposure to your hard work.

EV Code Signing: Use the new Build Events for Extended Verification Code Signing Certificates. Build Events let you run any custom command line, including macro resolution for standard paths such as your project and IDE folders. Sign your setup and/or your application binaries. Detect signing failures and gracefully fail a setup build.

Visual Studio 2015: InstallAware’s Visual Studio Add-In gives you one-click setup creation capabilities from any Visual Studio project, with automatic inclusion of the pre-requisite .NET and C++ frameworks needed by your solution.

Application Runtime Wizard: Got an odd runtime that’s not included? Build your own in just a few clicks, visually!

50% Better RE-Compression: Runtimes such as Microsoft SQL Server Express 2014 with Service Pack 1 compress 50% better with InstallAware – and that’s 50% better than the ALREADY compressed sizes of the runtimes, as built by Microsoft!

Thank you all very much for being a part of the success that is InstallAware. We could not have done it without you!

InstallAware X3 First with Automated Virtual Machine Testing

July 26th, 2015

New InstallAware X3, launching on Wednesday this week, is first to market with automated virtual machine unit testing, Windows 10 support, and a host of other improvements:

Automated Virtual Machine Testing:

Supports VMware Workstation, VMware vSphere, and Microsoft Hyper-V.
Connect to local VMs or VMs hosted in the cloud on any supported server.
Use the Project Manager to browse your entire VM library and start testing on any VM snapshot.
Run as many simultaneous tests as your underlying hardware can handle.
Use default unit tests, or build your own unit testing scripts to check for particular services, files, registry keys, etc.
See the status of ongoing tests, as well as succeeded/failed VM tests at a single glance.
Use project settings for installation and uninstallation command lines; as well as guest operating system target folders.

Windows 10, Visual Studio 2015 Eco-System Support:

First to support Windows 10.
Maximize application exposure by programmatically pinning your applications to the new Start Menu Live Tiles section, without going through the Windows Store.
Use the production runtimes for .NET 4.6, Visual C++ 14, and SQL Server 2014 with SP1.
Enjoy 50% size reductions on runtimes such as SQL Server 2014 – on top of Microsoft’s already compressed runtime sizes.
Instantly create setup projects from the Visual Studio 2015 IDE and build installer or App-V virtualized targets.

Application Runtime Wizard:

Distills InstallAware’s decades of experience building and optimizing application runtimes.
Point-and-click to create new technology framework installers. The wizard guides you in making the right choices.
Consume new application runtimes from additional InstallAware IDE instances and an unlimited number of setups.

Build Events:

Use pre and post triggers.
Triggers fire upon compilation, compression, and MSI wrapping stages.
Run an unlimited number of applications and optionally abort the build should any of them fail.

InstallAware X3 grows your software margins, maximizes your revenue, and delights your developers with its convenience and simplicity.

Enjoy simplified agile builds, reduced bandwidth costs, and eliminated R&D expenditures.

Grow your exposure and monetize your software with InstallAware X3.