InstallAware

Hi

Can anyone tell me how to use Authenticode? How to generate the needed certificates?

I tried by using .pfx certificate but it gives an error while building "code can not be signed"

it's urgent

You want to convert your PFX into an SPC and PVK file pair for them to work with InstallAware.

Hi

Please find the attachment.
Refering to the above post, when i mentioned PFX file, i refered to the location where it says "Private Key File". so i loaded a .pfx file.

If i'm wrong please let me know how to go about the certificates and the Authenticode cause i need to get this working.


Thanks

File Attached:

key.bmp

I believe some certificate vendors provide instructions on conversions. Just contact their technical support for help. They might even be able to mail you the files in the correct format.

Using Authenticode is pretty straight forward, but a .pfk file is not a "Private Key File". Private key files typically have the extension ".pvk". A .pfk file is usually the public key file. Did your certificate issuer supply you with a file with a ".pvk" extension?

You will also need a "Software Publishing Certificate" (*.spc or *.cer file) . It's been a while since I've had to work with Authenticode files, but I believe that you create the .pfk file from the .pvk and .spc files.

The following links have a lot of helpful information.
https://search.thawte.com/support/ssl-d ... &id=SO2706
http://msdn2.microsoft.com/en-us/library/aa906332.aspx
http://forums.microsoft.com/MSDN/ShowPo ... 9&SiteID=1
http://www.pantaray.com/signcode.html

Also make sure you request the cert from the provider using Windows XP, not Vista - if using Vista you wont be prompted to save the private key file, instead its stored somewhere in the registry and you cant export it.
If its too late then reissues are usually free.
Once you have the .pvk and .spc files sorted signing with IA is a piece of cake.
You can sign dll's etc with .PFX using other tools available from Microsoft - signcode.exe.
You can create a .pfx from a .pvk and .spc using pvkimprt.exe

Dave

Not sure if you ever figured this out or not, but since I searched, and had the same hassle of "how do I end up with those two required files when I only have a PFX"...here's some input from me.

Useful site - http://www.matthew-jones.com/articles/codesigning.html

First, I had to get the certificate out of Firefox and install onto my computer, so I could export it to a PFX file. Then, you have to use OpenSSL (only way it seems) to split a PFX files into the two pieces you need to start down the road. However, it takes about 5 steps to arrive at the end result of the two correct files...and dozens of times entering your private key password.

Anyways, it only took me a few minutes once I found the right resources (some listed in this thread + my link + a little bit of googling mostly to find link I posted) to implement and get my setup signed correctly...but it took me an hour or so to compile all the info and sift through it.

Hope this helps someone!

P.S. - If you have availability to use "SignTool" from Windows SDK, it will take a PFX and save you some hassle (however doesn't integrate into InstallAware itself); you need to manually run it, or automate it using FinalBuilder or something similar.

That's a great post! Promoting to a sticky

I'm told you can't use SPC/PFX files on Vista, you need to use the PFX file format. But the installer doesn't seem to have that facility (InstallAware 9). I have installed the verisign cross certificate in my machine that will build the installs and I'll have the PFX file.

I believe this was largely aimed at Kernel Mode Apps/Drivers. If this isn't kernel mode can I still use SPC/PFX Files on Vista x64/Windows 7 x64 or do I still need to use the PFX file via SignTool:

signtool sign /v /ac "fullpath\\MSCV-VSClass3.cer" /s my /n "Company Cert Name" fullpath\\myfile.exe

I haven't heard of any reason why you can not use the two seperate certificate files and the InstallAware Authenticode support version using a PFX. The only difference is that the PFX contains both certificates, as well as an additional level of security applied to control exporting.

And it is letting me sign the main .exe; my main issue now is still a UAC issue, even with the user being admin and 'request elevation' 'always admin' for maximum, we still see an error trying to click the install icon, but when the user runs it from an admin prompt it works. Some digging on the MS forums seem to indicate maybe something is trying to create a temp file in a directory somewhere and being denied permission but no simple resolution.

Have you seen this? Could this be related to the authenticode settings?

I'm using SPC/PVK just fine on Windows 7 x64 to create/sign installations...both manually through IA, and from our build automation program.

See here as well: http://www.installaware.com/forum/viewtopic.php?f=2&t=5910#p21439

I'm currently signing my compressed single-file installer externally with signcode because I only have a .pfx file. This works just fine. However I've noticed that after using the signed installer, the CACHED copy - used by the Start menu uninstall shortcut created by IA - is NOT SIGNED.

I imagine this is because I'm not signing from within IA, and therefore the uncompressed stub inside my installer isn't getting signed (the uninstall shortcut points to an uncompressed folder containing all the guts of the installer).

I haven't had a chance to jump through all the hoops to get to a .cer/.pvk solution to test this myself, and won't if that isn't the issue. Can someone confirm that this is my problem? Any suggested workarounds other than the 2-file solution?

Hello,
I have written some information on how to sign an application exe with InstallAware but also standalone signing with free standard tools. Also there is information of how to convert the certificates from pfx to the spc/pvk pairs which are necessary in InstallAware. Also you find information which certificate you need for signing applications and links to all needed sources.
The page is in written in German, but the scripts are with English names and all with screenshots are included so it is very easy to understand. So it is easy for everyone to understand how to do it with 7 simple steps.
I must say i have goggled a lot of hours and used much support calls until my first signing has functioned…
http://www.eulanda.de/inside/entwickler ... efault.htm
Best regards
Chris
www.eulanda.de
ERP international solutions