Double code signing => Code signing failed

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Double code signing => Code signing failed

Postby mihai » Tue May 10, 2016 8:10 am

Hello,

I am trying to code sign the setup files and the resulting MSI using a certificate I have generated myself for testing purposes. However, the building fails with the following, on the very first file it tries to sign:
[...]
Built plug-in action Call DLL Function
Code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Double code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Double code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Double code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Error during build: Code signing failed!


That file - a .NET assembly I am compiling myself - is not signed in the source directory, and if I am fast enough to back up the temporary folder above I can see that it gets signed properly ("Digital Signatures" tab in the file properties), using sha1.

Why is it trying to double sign it? Also, why three attempts?

Note: I am using X4.

Thanks,
-Mihai

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: Double code signing => Code signing failed

Postby FrancescoT » Tue May 10, 2016 1:37 pm

Dear Mihai,

InstallAware fully complies with the "new Microsoft Windows enforcement of authenticode code signing and timestamping". Because of this you must use a SHA-2 code signing certificate.
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Why is it trying to double sign it? Also, why three attempts?

I suggest you have a look at the above link, which describes the details of the new code signing enforcement. Anyway, what you are reporting happens because IA tries to double sign your file (SHA-1 + SHA-2 signatures - as required by the new signing policy) but it fails due to the code signing certificate used.

Hope this helps you.

Regards
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Re: Double code signing => Code signing failed

Postby mihai » Tue May 10, 2016 2:54 pm

Thanks Francesco, I'll give it a try and report back.
-Mihai

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Re: Double code signing => Code signing failed

Postby mihai » Wed May 11, 2016 4:26 am

Hi Francesco,

Anyway, what you are reporting happens because IA tries to double sign your file (SHA-1 + SHA-2 signatures - as required by the new signing policy) but it fails due to the code signing certificate used.


Actually my certificate is already SHA-2:
  • Signature algorithm: sha256RSA
  • Signature hash algorithm: sha256
  • Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)
  • Thumbprint algorithm: sha1

And I can manually dual-sign the assembly just fine with:

signtool.exe sign /f certificate.pfx /p password /t http://timestamp.comodoca.com/authenticode /v SomeAssemblyName.dll
signtool.exe sign /fd SHA256 /as /f certificate.pfx /p password /tr http://timestamp.comodoca.com/authenticode /v /td SHA256 SomeAssemblyName.dll

and then the "Digital Signatures" tab in the file properties shows both sha1 & sha256.

What is different when IA tries to sign it?

Thanks,
-Mihai

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: Double code signing => Code signing failed

Postby FrancescoT » Wed May 11, 2016 12:15 pm

Dear Mihai,

maybe it's just due to the Timestamp URL.
I always use "http://timestamp.comodoca.com/rfc3161" when signing manually (SHA-1 + SHA-2):

> signtool.exe sign /f "certificate.pfx" /t http://timestamp.comodoca.com/rfc3161 /p xxx "SomeAssemblyName.dll"
then:
> signtool.exe sign /f "certificate.pfx" /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p xxx "SomeAssemblyName.dll"

The same Timestamp URL ("http://timestamp.comodoca.com/rfc3161") is automatically filled in the Authenticode settings in IA (you may change it anyway).

It looks strange to me that it worked using "http://timestamp.comodoca.com/authenticode" when applying the SHA-2 hash. According to the Comodo Knowledgebase, "Authenticode" timestamping is used by older versions of SignTool (using the "/t" parameter).
https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server

Which OS did you use to install IA?

Regards
Francesco Toscano
InstallAware Software

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Re: Double code signing => Code signing failed

Postby mihai » Thu May 12, 2016 7:34 am

Hi Francesco,

maybe it's just due to the Timestamp URL

That was it, thanks! It was "http://timestamp.verisign.com/scripts/timstamp.dll" in my case (propagated from IA7?), and modifying it to "http://timestamp.comodoca.com/rfc3161" did the trick.

However, I now have two problems left:
  1. The MSI is only sha1 signed, while the EXE is fine:

    Prepared SFX data
    Created SFX file
    Cleaned up
    Code signing: SetupFileName.exe
    Double code signing: SetupFileName.exe
    Producing MSI output...
    Code signing: SetupFileName.msi
    Any idea why?
  2. I used to produce the MSI in two steps, creating an EXE with miabuild.exe and then the MSI with pgplwiz.exe. But that way the MSI does not get signed (unless maybe I sign it myself manually), so I have modified the MPR project file to produce the MSI directly. However, where in miabuild.exe do I put the command line parameters to be passed to the MSI install (i.e. similar to the second parameter for pgplwiz.exe)? I have some custom ones that I must set in
Thanks,
-Mihai
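
A check for the build logs quoted in this thread, added here as an example (not InstallAware's or either poster's code): it reads "Code signing" / "Double code signing" lines and reports which files were retried, which received only the first signing pass (the MSI above), and whether the build failed. The function names and the two sample logs are assumptions, constructed from the excerpts in the posts.

```python
import re

# Line formats as they appear in the build logs quoted in this thread.
SIGN_LINE = re.compile(r"^\s*(Double code signing|Code signing): (.+?)\s*$")
FAILURE = "Error during build: Code signing failed!"

# Constructed samples, assembled from the two log excerpts in the thread.
DLL = (r"C:\Users\<username>\AppData\Local\Temp"
       r"\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll")
FAILED_BUILD = "\n".join(
    [f"Code signing: {DLL}", f"Double code signing: {DLL}"] * 3 + [FAILURE])
MSI_BUILD = """\
    Created SFX file
    Code signing: SetupFileName.exe
    Double code signing: SetupFileName.exe
    Producing MSI output...
    Code signing: SetupFileName.msi
"""

def audit_signing_log(text):
    """Return ({path: status}, build_failed) for a log in the format above."""
    passes = {}      # path -> [first-pass count, second-pass count]
    failed = False
    for line in text.splitlines():
        if FAILURE in line:
            failed = True
            continue
        m = SIGN_LINE.match(line)
        if not m:
            continue  # unrelated build output
        kind, path = m.groups()  # paths may contain spaces and colons
        passes.setdefault(path, [0, 0])[1 if kind.startswith("Double") else 0] += 1
    findings = {}
    for path, (first, second) in passes.items():
        if first > 1 or second > 1:
            findings[path] = "retried"   # repeated attempts, as in the first post
        elif second == 0:
            findings[path] = "single"    # no second signing pass was logged
        else:
            findings[path] = "dual"
    return findings, failed

def needs_attention(findings):
    """Paths that did not get exactly one pass of each kind."""
    return sorted(p for p, status in findings.items() if status != "dual")

if __name__ == "__main__":
    for name, log in (("failed build", FAILED_BUILD), ("MSI build", MSI_BUILD)):
        print(name, audit_signing_log(log))
```

A file reported as "single" here is one to sign or inspect separately after the build, which is what the rest of the thread goes on to discuss for the MSI.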

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: Double code signing => Code signing failed

Postby FrancescoT » Thu May 12, 2016 10:29 am

Dear Mihai,

the MSI file cannot be double signed, and unfortunately this is a limitation of the MSI format itself.
This is also reported in the "Windows enforcement of authenticode code signing and timestamping" documentation (please refer to the link in my first reply).

Regards
Francesco Toscano
InstallAware Software

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Re: Double code signing => Code signing failed

Postby mihai » Thu May 12, 2016 11:24 am

Hi Francesco,

Understood, thanks for clarifying. I was hoping it was possible, as someone has reported that osslsigncode can do it (I haven't tried it though): https://social.msdn.microsoft.com/Forum ... wssecurity

What about my 2nd issue from the previous message?

Thanks,
-Mihai

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: Double code signing => Code signing failed

Postby FrancescoT » Thu May 12, 2016 1:57 pm

Dear Mihai,

unfortunately you cannot pass command line parameters from Miabuild.

Let me check whether a possible alternative approach exists.

Regards
Francesco Toscano
InstallAware Software

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Re: Double code signing => Code signing failed

Postby mihai » Fri May 13, 2016 4:35 am

Hi Francesco,

Thanks, please let me know.

Another issue that I'm having is that I'm not getting a password prompt for the PFX when using miabuild.exe, and the build just fails. Thoughts? By the way, I have left the password box empty in the Authenticode Signature project page.

Thanks,
-Mihai

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: Double code signing => Code signing failed

Postby FrancescoT » Fri May 13, 2016 11:02 am

Dear Mihai,

you must specify the password in the Authenticode Signature project page ... otherwise it fails.

//////////////////////

Regarding your question at point #2:
You may use a similar approach as described here: http://www.installaware.com/blog/?p=416

This example was originally released to demonstrate how to use Events in IA X3, so in your case you should not take the same identical approach. Instead you should use IA X4 Events to call pgplwiz.exe and then to sign (via signtool) the generated MSI file.

Of course, once you have defined your project's events, you can even use Miabuild to automate the whole process.

Hope this helps you.
Francesco Toscano
InstallAware Software

mihai
Posts: 37
Joined: Fri Nov 29, 2013 3:53 am

Re: Double code signing => Code signing failed

Postby mihai » Tue May 17, 2016 2:29 am

Thanks Francesco, that will work.

Best Regards,
-Mihai

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: Double code signing => Code signing failed

Postby FrancescoT » Tue May 17, 2016 12:10 pm

:D
Francesco Toscano
InstallAware Software

RKossow
Posts: 11
Joined: Thu Nov 25, 2010 4:39 am

Re: Double code signing => Code signing failed

Postby RKossow » Fri Dec 20, 2019 4:00 am

Dear all, I also experienced problems when Authenticoding Single Exe Files. This must have something to do with spaces in paths or with long paths. When I create the project in c:\temp and also put the pfx file for signing in c:\temp and remove all spaces from all filenames used in the project which are signed, it is working flawlessly.

