SetupBuilder and Code-Signing
03-02-2010, 08:38 AM
Please read the following excellent SetupBuilder Code-Signing Guide:
Table of Contents
Part I Introduction
Part II FAQ
Part III Buying A Certificate - The Lindersoft "Deal"
Part IV Getting the Tools
Part V Setting Up SetupBuilder
Part VI Code-Signing Your Installer
Part VII Code-Signing Your Application Files
SetupBuilder is Windows 7 installation -- "point. click. ship"
-- Official Comodo Code Signing and SSL Certificate Partner
05-05-2010, 06:23 AM
I've just gotten my pfx file built, using Jane's "SetupBuilder Code-Signing". It was invaluable! I explored the latest Windows SDK (Windows 7 and .NET 3.5 SP1) and found pvk2pfx.exe and signtool.exe in \Setup\WinSDKTools\cab2.cab. Did not find capicomm.dll anywhere so I hope I don't need it.
By the way, all I had to do for the new code signing certificate was to supply the DUNS number and put my domain registration in my company's name instead of mine.
06-30-2010, 06:17 PM
Quote (linder): Please read the following excellent SetupBuilder Code-Signing Guide:
Is the procedure for renewing a Lindersoft/Comodo certificate different? Is there a discount for renewals? Hopefully I do not have to start the entire procedure over with documentation, etc.
07-01-2010, 12:11 AM
There is no special Comodo "renewal" process if you have purchased a certificate in the past. You always have to request a new certificate; it can't be "renewed". Log in to the Comodo ordering system and place a new order using the same company information and Comodo should speed up the validation process. Be sure to quote your previous order number in any correspondence with them.
The discount for Lindersoft customers with a current SetupBuilder subscription is 60% when you buy a 3-year code-sign certificate ($200 instead of $500).
Hope this helps.
07-12-2010, 11:45 AM
Got the new certificate and it works great. However, I was baffled that the install was signed with the new certificate (as entered in the "General Information" tab) but our program EXE was signed with the old certificate.
Some detective work revealed that if there is a line in the script to code sign a file (#code-sign application "C:\VDBPlProj\RMI\Reindex.exe" (RMI Update) [Permanent] [Skip]) then the new certificate needs to be entered into the wizard for that line also.
Now all works as expected. Hope this helps someone else save time when they upgrade their certificates.
-O. D. Williams-
There's also a new SB tool to ease some of the pain of code-signing items you're installing - the Certificate Profiles tab on the Tools | Options window.
It's not a "live" update. If you change your certificate password, for example, it will not automatically update every item you've configured using that profile.
But it does make it easy to double-click any #code-sign compiler directive, then click the blue folder icon and choose the profile to update anything to the new code-sign settings.
And, of course, it takes out a lot of the hassle of configuring code-signing for items in the first place.
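Added example (not part of the thread and not Lindersoft code): one way to confirm, after switching certificates, that the installer and every file signed by a #code-sign directive carry the new certificate rather than the old one. The function name, the installer path and the thumbprint value are placeholders.

```powershell
# Added example: report which certificate signed each file after a certificate change.
# Test-SignerCertificate is a hypothetical helper name, not a SetupBuilder or SDK command.
function Test-SignerCertificate {
    param(
        [Parameter(Mandatory)] [string[]] $Path,               # files to inspect
        [Parameter(Mandatory)] [string]   $ExpectedThumbprint  # thumbprint of the NEW certificate
    )
    # Thumbprints copied from the certificate dialog often contain spaces.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $cert = $sig.SignerCertificate   # $null when the file is unsigned

        if (-not $cert) {
            $result = 'Unsigned'
        } elseif ($sig.Status -ne 'Valid') {
            $result = "Invalid ($($sig.Status))"
        } elseif ($cert.Thumbprint -ne $expected) {
            # Signed and valid, but by a different (for example the previous) certificate.
            $result = 'OldOrOtherCertificate'
        } else {
            $result = 'OK'
        }

        [pscustomobject]@{
            File        = $file.Name
            Result      = $result
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            CertExpires = $cert.NotAfter
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }
}

# Usage (placeholder installer path and thumbprint; Reindex.exe path is the one quoted above):
# Test-SignerCertificate -ExpectedThumbprint '<NEW-CERT-THUMBPRINT>' -Path @(
#     'C:\<installs-folder>\<setup>.exe',
#     'C:\VDBPlProj\RMI\Reindex.exe'
# ) | Format-Table -AutoSize
```

Any row whose Result is not OK points at a #code-sign directive or profile that still holds the previous certificate settings.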
05-04-2011, 07:53 PM
Just a heads up...
If you use Windows 7, be aware that the CAPICOM.DLL referred to elsewhere here is no longer needed in order to use SIGNTOOL.EXE for code signing. CAPICOM has been deprecated by MS for Win 7.
All you need is a Windows 7 version SIGNTOOL.EXE now, and the simplest way to get it is to download the Windows SDK for .NET 3.5SP1 or .NET 4.
This link leads you to a small stub for the latest SDK version, so you don't need to download the entire SDK. In the installer, just uncheck everything except the 'Tools' option, and then you'll only get a small subset of the SDK that includes the Win 7 version of SIGNTOOL.EXE.
Point SetupBuilder at SIGNTOOL.EXE, which you'll find under Program File\Microsoft SDK a few levels down in the \BIN folder.
01-27-2012, 05:56 PM
I was getting what appeared to be random failures during the code signing process with SB 7.5 under Windows 7, 32-bit. At times, it would even cause SB to fail/terminate.
After some research, I have found that if I have Windows Explorer open on the default \Installs folder where my installs are built, it will fail every time. Select any other folder, and the signing step works every time.
It seems Windows 7 puts some kind of hold or watch on the folder it is displaying, and SignTool does not like that at all. I've also run into similar issues with folders being viewed simultaneously between XP, Vista and Win 7 where you can't rename/move/delete files due to these invisible locks.
Hope this helps someone,