InstallAware

Home of The Next Generation MSI Installer
https://www.installaware.com/forums/

Authenticode Signing not properly implemented

https://www.installaware.com/forums/viewtopic.php?f=2&t=2095

Page 1 of 1

Authenticode Signing not properly implemented

Posted: Tue Mar 20, 2007 6:35 pm
by RobertKozak
Are there plans to properly implement Authenticode Signing? Right now I cannot do a build of my install from our build machine because it prompts for the password. There is no place within the script I can place a password nor can I pass it in on the commandline.

I also thought about dividing the install into 2 parts. The main install as an MSI and the second one as a wrapper to call the first so I can sign them separately but that doesn't seem to work either because InstallAware will automatically wrap it up into an exe.

1. It is not pratical for me to babysit our automated build process just to type in a password twice for each build. I have more imprtant things to do.

2. I can't just give out the password to our QA dept because it is *supposed* to be secure. How secure is our private key if a low level empoyee that is managing the build has access to the password?

Is there a very good reason for the way this is implemented and can you give me a timeframe when this will be fixed?

So far I am impressed by most of InstallAware but there are times it can be so frustrating because something just doesn't seem well thought out.

Robert Kozak

Posted: Thu Mar 22, 2007 4:58 am
by neillans
I'm afraid this is a MS issue; we are simply calling the SignCode application as provided by Microsoft and it displays the prompt. There is no provision to provide the password via the command line, however, you can simply not password protect your certificate (however, I acknowledge this is far from a suitable solution!). It seems Microsoft expect the people that are doing the signing to be in a privileged position.

We are currently investigating ways round this, but so far have not been able to turn up anything promising.

Posted: Thu Mar 22, 2007 2:04 pm
by RobertKozak
Thanks for your candor. But why not use Signtool from Microsoft which allows you to pass a password via the command line.

You could ask for the password once and then store it encrypted in the registry to use when you call SignTool.

-- Robert Kozak

Posted: Thu Mar 22, 2007 2:18 pm
by neillans
As I say, we are investigating potential solutions.

SignTool has its own disadvantages; such as the certificate needs to be converted into a PFX.

We would never to store the password in the Registry; it would be stored in the IA script file.

Posted: Thu Mar 22, 2007 2:30 pm
by RobertKozak
That would work for me as I already have a .pfx :D

-- Robert

Posted: Thu Mar 29, 2007 4:56 am
by Anthony Wieser
Perhaps, allow the user to specify a -cn argument to signcode. That would allow you to use an installed certificate, which doesn't require a password.

All you need to do is add the certificate to your store on the build machine with a friendly name that you use as the -cn argument.

Anthony Wieser
Wieser Software Ltd
All times are UTC-05:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/