Page 1 of 1
Double code signing => Code signing failed
Posted: Tue May 10, 2016 8:10 am
by mihai
Hello,
I am trying to code sign the setup files and the resulting MSI using a certificate I have generated myself for testing purposes. However, the building fails with the following, on the very first file it tries to sign:
[...]
Built plug-in action Call DLL Function
Code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Double code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Double code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Double code signing: C:\Users\<username>\AppData\Local\Temp\f___long_name.Installer_setup files_Folder\SomeAssemblyName.dll
Error during build: Code signing failed!
That file - a .NET assembly I am compiling myself - is not signed in the source directory, and if I am fast enough to backup the temporary folder above I can see that it gets signed properly ("Digital Signatures" tab in the file properties), using sha1.
Why is it trying to double sign it? Also, why three attempts?
Note: I am using X4.
Thanks,
-Mihai
Re: Double code signing => Code signing failed
Posted: Tue May 10, 2016 1:37 pm
by FrancescoT
Dear Mihai,
InstallAware full complies with the "new Microsoft Windows enforcement of authenticode code signing and timestamping". Due of this you must use a SHA-2 code signing certificate.
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspxWhy is it trying to double sign it? Also, why three attempts?
I suggest you to have a look at the above link which describes the details of the new code signing enforcement. Anyway what you are reporting happens because IA tries to double sign your file (SHA-1 + SHA-2 signatures - as required by the new signing policy) but it fails due the code signing certificate used.
Hope this helps you.
Regards
Re: Double code signing => Code signing failed
Posted: Tue May 10, 2016 2:54 pm
by mihai
Thanks Francesco, I'll give it a try and report back.
-Mihai
Re: Double code signing => Code signing failed
Posted: Wed May 11, 2016 4:26 am
by mihai
Hi Francesco,
Anyway what you are reporting happens because IA tries to double sign your file (SHA-1 + SHA-2 signatures - as required by the new signing policy) but it fails due the code signing certificate used.
Actually my certificate is already SHA-2:
- Signature algorithm: sha256RSA
- Signature hash algorithm: sha256
- Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)
- Thumbprint algorithm: sha1
And I can manually dual-sign the assembly just fine with:
Code: Select all
signtool.exe sign /f certificate.pfx /p password /t http://timestamp.comodoca.com/authenticode /v SomeAssemblyName.dll
signtool.exe sign /fd SHA256 /as /f certificate.pfx /p password /tr http://timestamp.comodoca.com/authenticode /v /td SHA256 SomeAssemblyName.dlland then the "Digital Signatures" tab in the file properties shows both sha1 & sha256.
What is different when IA tries to sign it?
Thanks,
-Mihai
Re: Double code signing => Code signing failed
Posted: Wed May 11, 2016 12:15 pm
by FrancescoT
Dear Mihai,
maybe it's just due the Timestamp URL.
I Always use "http://timestamp.comodoca.com/rfc3161" when signing manually (SHA-1 + SHA-2);
> signtool.exe" sign /f "certificate.pfx" /t
http://timestamp.comodoca.com/rfc316 /p xxx "SomeAssemblyName.dll"
then;
> signtool.exe sign /f "certificate.pfx" /as /fd sha256 /tr
http://timestamp.comodoca.com/rfc3161 /td sha256 /p xxx "SomeAssemblyName.dll"
The same Timestamp URL ("http://timestamp.comodoca.com/rfc3161") is automatically filled in the Authenticode settings in IA (you may change it anyway).
It's looks strange to me that worked using "http://timestamp.comodoca.com/authenticode" when applying the SHA-2 hash. According to Comodo Knowledgebase, "Authenticode" timestamping is used by older versions of SignTool (using the "/t" parameter).
https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-serverWhich is the OS you used to install IA?
Regards
Re: Double code signing => Code signing failed
Posted: Thu May 12, 2016 7:34 am
by mihai
Hi Francesco,
maybe it's just due the Timestamp URL
That was it, thanks! It was "http://timestamp.verisign.com/scripts/timstamp.dll" in my case (propagated from IA7?), and modifying it to "http://timestamp.comodoca.com/rfc3161" did the trick.
However, I now have two problems left:
- The MSI is only sha1 signed, while the EXE is fine:
Code: Select all
Prepared SFX data
Created SFX file
Cleaned up
Code signing: SetupFileName.exe
Double code signing: SetupFileName.exe
Producing MSI output...
Code signing: SetupFileName.msi - I used to produce the MSI in two steps, creating an EXE with miabuild.exe and then the MSI with pgplwiz.exe. But that way the MSI does not get signed (unless maybe I sign it myself manually), so I have modified the MPR project file to produce the MSI directly. However, where in miabuild.exe do I put the command line parameters to be passed to the MSI install (i.e. similar to the second parameter for pgplwiz.exe)? I have some custom ones that I must set in
Thanks,
-Mihai
Re: Double code signing => Code signing failed
Posted: Thu May 12, 2016 10:29 am
by FrancescoT
Dear Mihai,
the MSI file cannot be double signed and unfortunately this is a limitation of the MSI format itself.
This is also reported with the "Windows enforcement of authenticode code signing and timestamping" documentation (please refer to the link in my first reply).
Regards
Re: Double code signing => Code signing failed
Posted: Thu May 12, 2016 11:24 am
by mihai
Hi Francesco,
Understood, thanks for clarifying. I was hoping it was possible, as someone has reported that osslsigncode can do it (I haven't tried it though):
https://social.msdn.microsoft.com/Forum ... wssecurityWhat about my 2nd issue from the previous message?
Thanks,
-Mihai
Re: Double code signing => Code signing failed
Posted: Thu May 12, 2016 1:57 pm
by FrancescoT
Dear Mihai,
unfortunately you cannot pass command line parameters from the Miabuild.
Let me check if it exists a possible alternative approach.
Regards
Re: Double code signing => Code signing failed
Posted: Fri May 13, 2016 4:35 am
by mihai
Hi Francesco,
Thanks, please let me know.
Another issue that I'm having is that I'm not getting a password prompt for the PFX when using miabuild.exe, and the build just fails. Thoughts? By the way, I have left the password box empty in the Authenticode Signature project page.
Thanks,
-Mihai
Re: Double code signing => Code signing failed
Posted: Fri May 13, 2016 11:02 am
by FrancescoT
Dear Mihai,
you must specify the password in the Authenticode Signature project page ... otherwise it fails.
//////////////////////
For what concerns your question at point #2.
You may use a similar approach as described here;
http://www.installaware.com/blog/?p=416This example was originally released to demonstrate how to you use Events in IA X3, so In your case you should not take the same identical approach. Instead you should use IA X4 Events to call pgplwiz.exe and then to sign (via signtool) the generated MSI file.
Of course once defined your project's events, you can even use Miabuild to automatize the Whole process.
Hope this helps you.
Re: Double code signing => Code signing failed
Posted: Tue May 17, 2016 2:29 am
by mihai
Thanks Francesco, that will work.
Best Regards,
-Mihai
Re: Double code signing => Code signing failed
Posted: Tue May 17, 2016 12:10 pm
by FrancescoT
Re: Double code signing => Code signing failed
Posted: Fri Dec 20, 2019 4:00 am
by RKossow
Dear all, I also experienced problems when Authenticoding Single Exe Files. This must have something to do with spaces in paths or with long paths. When I create the project in c:\temp and also put the pfx file for signing to c:\temp and remove all spaces from all filenames used in the project which are signed, it is working flawlessly.
