X17 code signing hooks, miabuild.exe and the compiler variable CODE-SIGN-HOOKS

Wolfgang Guertl
Posts: 19
Joined: Wed Oct 15, 2014 7:14 am


Postby Wolfgang Guertl » Wed Feb 12, 2025 4:23 am

Hi to all!

Code signing hooks are configured via compiler variables. I do want to configure the code signing hook during the build script.

simple cmd without timestamping:
set CODE-SIGN-HOOKS=signtool.exe sign /n "NameOfCertInStore" /s My /td sha256 /fd sha256 "%1"
miabuild.exe "%1" /b=1 /sign /r CODE-SIGN-HOOKS="%CODE-SIGN-HOOKS%" ...

but this does not work

Any hint?

Wolfgang
BTW: the new environment variable CODE-SIGN-HOOKS has got the correct value and all the "

JohnGaver
Posts: 240
Joined: Mon Feb 05, 2024 6:15 pm

Re: X17 code signing hooks, miabuild.exe and the compiler variable CODE-SIGN-HOOKS

Postby JohnGaver » Wed Feb 12, 2025 7:37 am

Your post got cut in half, but there's still enough actionable information.

Several problems:

1) You'd need to escape double-quotes properly when specifying them on the command line. This could get tricky very quickly. Maybe try to use single quotes instead of double quotes, and see if that helps? You will need to use double quotes around your entire compiler variable override, basically.

2) miabuild.exe is not documented to use environment variables, and in fact, it does not use them. You just specify compiler variables on the command line as parameters to miabuild.exe while invoking it.

BTW what was the reason you wanted to do this sort of thing? I don't imagine your code signing vendor would change every other day to have this be a common scenario, but I'd love to hear more.
John Gaver
InstallAware Skunkworks
InstallAware Multi Platform - Liberating DEB/RPM/PKG/MSI(X) into universal native setups!
Get your free copy today - https://www.installaware.com/installaware-multi-platform.htm

Wolfgang Guertl
Posts: 19
Joined: Wed Oct 15, 2014 7:14 am

Re: X17 code signing hooks, miabuild.exe and the compiler variable CODE-SIGN-HOOKS

Postby Wolfgang Guertl » Wed Feb 12, 2025 9:32 am

Hi John,

The answer is quite simple. The build system and scripts should be able to configure the signing process with variables. Before X17 I had to use special placeholders in the InstallAware project files; the build scripts replace them with the correct values (pfx file name and password from a secure store). After creating the setup package, the InstallAware project files get deleted ASAP. The second reason is to use an internal code-signing certificate for non-release builds.
This is configured by the build system as well.

No git repository or source code file should contain any sensitive information such as the name of a code signing certificate, pfx filename, password, cloud API key etc.

For me the code signing hook solution of X17 is only the first step. It must be possible to configure or modify such things easily and safely.
With X17 it is possible for the first time to adapt the signing procedure and use the Windows built-in certificate store for code signing.



@miabuild.exe compiler and environment variable(s): I have been using this for years without any problems.

miabuild.exe COMPVAR1=%MYENVVAR%

The environment variable MYENVVAR holds the actual value which should be passed to the compiler variable via miabuild. Any quotes might be a problem.


@playing with quoting (" ' %1, "" %%1 etc):

My partial solution is NOT working at the moment:
cmd file:
set CODE-SIGN-HOOKS="signtool.exe sign /n 'MyCodeSignCert' /s My /td sha256 /fd sha256 '%%1'"
rem Display Environment variable
set
miabuild.exe "%1" /b=1 /sign /r CODE-SIGN-HOOKS=%CODE-SIGN-HOOKS%

cmd Output:
.
.
.
12> CODE-SIGN-HOOKS="signtool.exe sign /n 'MyCodeSignCert' /s My /td sha256 /fd sha256 '%1'"
.
.
.
miabuild.exe ""D:\test\test.mpr"" /b=1 /sign /r CODE-SIGN-HOOKS="signtool.exe sign /n 'MyCodeSignCert' /s My /td sha256 /fd sha256 '%1'" LATOOL_VERSION=3.5.0.109
12>
12> M M SSSSSS IIIIII
12> MM MM SS II
12> M M M M SSSSSS II InstallAware MSIcode Compiler (Cemalnur Sargut)
12> M M M SS II
12> M M SSSSSS IIIIII
12>
12> Copyright(C) 1996-2025 InstallAware Software. All rights reserved.
12>
12> Building Project: LATool3
12> Output Folder: ...\Single
12> Deployment Type: Compressed Single Self Installing EXE
12> Code Signing: Enabled
12> Compression: Default
12> Compiler Variables: "CODE-SIGN-HOOKS=signtool.exe sign /n 'MyCodeSignCert' /s My /td sha256 /fd sha256 '%1'",MIN_EXTRACT=AUTO,SIGN_ALL=DEFAULT,SHA256ONLY=TRUE,IGNOREMISSINGFILES=FALSE,LOADOLDDATA=FALSE,LOCMODE=NEWONLY,NOHARDLINKS=FALSE,SINGLEINSTANCE=FALSE,UAC=highestAvailable,PCH=FALSE,CODEPAGE=65001,LONGCOMPONENTS=FALSE,NO_MSI=FALSE,MSI_ALL=FALSE,CACHESOURCES=TRUE,DEBUG_MSGBOX=FALSE,"CODE-SIGN-HOOKS=signtool.exe sign /n ""MyCodeSignCert"" /s My /td sha256 /fd sha256 ""%1""",BUILDMODE=SFX,DATE=12/02/2025,TIME=14:58:05,LANGUAGE=English,TITLE=TEST,TARGETDIR=$TARGETDIR$,IADIR=C:\PROGRA~2\INAC1A~1,PROJDIR=...,IAVER=34.03
12> ###
12> Code signing with custom hook: C:\Users\xxxxx\AppData\Local\Temp\{66B7A2B9-7CCD-4C57-8D7A-C6A0E00C6B30}


Maybe your developers can implement a special escape sequence replacement function, 0x22 -> " (generic 0xNN -> chr(NN)), which could solve such problems
with parsers, character splitting etc. Do the 0xNN -> chr(NN) replacement as the last step when miabuild is creating the compiler variable set.
If it is done that way, CODE-SIGN-HOOKS should contain the correct command for code signing.


best regards

Wolfgang
PS: Is there a PowerShell Module available for doing miabuilds?

JohnGaver
Posts: 240
Joined: Mon Feb 05, 2024 6:15 pm

Re: X17 code signing hooks, miabuild.exe and the compiler variable CODE-SIGN-HOOKS

Postby JohnGaver » Wed Feb 12, 2025 4:28 pm

Very interesting discussion, many thanks!

A quick question - is there a reason you don't parametrize (using compiler variables, of course) just the confidential segments of your code signing command line - while "hard-coding" the remainder?

I am not aware of us having any PS cmdlets, this sounds like the perfect thing to ask AI to write though?
John Gaver

Wolfgang Guertl
Posts: 19
Joined: Wed Oct 15, 2014 7:14 am

Re: X17 code signing hooks, miabuild.exe and the compiler variable CODE-SIGN-HOOKS

Postby Wolfgang Guertl » Wed Feb 19, 2025 3:13 am

It's a good point. I will try this.

I was not aware that a setting in an InstallAware project like

CODE-SIGN-HOOKS=signtool.exe sign /n "#MYCODESIGNCERT#" /s My /td sha256 /fd sha256 "%1"

is working.

The cmd/environment sample was just a POC that the code signing hooks could work as expected.

@PowerShell module: Some PowerShell modules load a .NET assembly (DLL) and bridge methods and structures to PowerShell. Bridging exe tools is possible as well, but for instance an

$proj=Open-IAProject -Filename "D:\Project\IA\sample.mpr" could deliver the project properties. It would be possible that changes could be done in a different way.

$proj.Version = "1.0.0 ($CommitID)"
$proj.Save
$proj.Build -Build SingleExe -Sign ....

Wolfgang
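
Added example (not part of any post above, and not InstallAware's code): a PowerShell build wrapper for the approach the thread ends on, where the project keeps the hook with a #MYCODESIGNCERT# placeholder and the build passes only the certificate name as a compiler variable. The environment variable IA_SIGN_CERT_NAME, the script parameters, miabuild.exe being on PATH and it reporting failure through its exit code are assumptions.

```powershell
# Added example. Assumes the project's CODE-SIGN-HOOKS setting is the one quoted in the thread:
#   signtool.exe sign /n "#MYCODESIGNCERT#" /s My /td sha256 /fd sha256 "%1"
# IA_SIGN_CERT_NAME and the two parameters below are hypothetical names.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ProjectFile,  # the .mpr project to build
    [Parameter(Mandatory)] [string] $SetupExe      # path of the built setup, checked afterwards
)
$ErrorActionPreference = 'Stop'

# The build system injects the certificate name, so nothing sensitive is stored in the repository.
$certName = $env:IA_SIGN_CERT_NAME
if ([string]::IsNullOrWhiteSpace($certName)) {
    throw 'IA_SIGN_CERT_NAME is not set'
}

# The value ends up inside a double-quoted signtool argument. Refuse quotes, %, &, |, ^,
# commas (compiler variables are listed comma-separated) and # (the placeholder delimiter),
# so the value cannot break the quoting or alter the signing command.
if ($certName -notmatch '^[A-Za-z0-9 ._()-]{1,128}$') {
    throw 'Certificate name contains characters that are unsafe in the signing hook'
}

# "/s My" without "/sm" means the current user's personal store. Fail early if no
# unexpired code-signing certificate with a private key matches the name.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Subject -like "*$certName*" } |
    Select-Object -First 1
if (-not $cert) {
    throw "No usable code-signing certificate matching '$certName' in CurrentUser\My"
}

# Switches as used in the thread; the only override is the quote-free certificate name.
# Passing an array lets PowerShell quote each argument, so no manual escaping is needed.
$buildArgs = @($ProjectFile, '/b=1', '/sign', '/r', "MYCODESIGNCERT=$certName")
& miabuild.exe @buildArgs
if ($LASTEXITCODE -ne 0) {
    throw "miabuild.exe failed with exit code $LASTEXITCODE"   # exit-code behaviour is assumed
}

# Do not trust the build log alone: check the setup really carries the expected signature.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
if ($sig.Status -ne 'Valid') {
    throw "Setup is not validly signed: $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notlike "*$certName*") {
    throw "Setup was signed by an unexpected certificate: $($sig.SignerCertificate.Subject)"
}
Write-Host "Signed by $($sig.SignerCertificate.Subject)"
```

For non-release builds signed with an internal certificate, the Valid status check only passes if the build machine trusts the issuing CA.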

