SetupBuilder and Code-Signing



linder
03-02-2010, 08:38 AM
Please read the following SetupBuilder Code-Signing Guide:

http://www.lindersoft.com/CodeSign.pdf

Table of Contents
Part I Introduction
Part II FAQ
Part III Buying A Certificate - The Lindersoft "Deal"
Part IV Getting the Tools
Part V Setting Up SetupBuilder
Part VI Code-Signing Your Installer
Part VII Code-Signing Your Application Files

Note: CAPICOM.dll has been removed from the Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1.


Q3 2014 Updates:

http://www.lindersoft.com/Comodo2014.pdf

As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing (Windows Vista and greater).

Microsoft has published a security advisory on "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program". The new policy takes effect after January 1, 2016 and requires CAs to migrate to the stronger SHA-2 hashing algorithm.

In summary, Windows will cease accepting SHA-1 certificates on January 1, 2017. To continue to work with Microsoft platforms, all SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-256 (SHA-2) equivalent by January 1, 2017. Organizations need to develop a migration plan for any SHA-1 end-entity SSL certificates that expire after January 1, 2017 and SHA-1 code signing certificates that expire after January 1, 2016. SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack. Microsoft will give new consideration to the SHA deprecation deadlines in July 2015.

1. Customers should "renew" with SHA-2 end-entity and intermediate certificates.

2. Microsoft will cease trusting Code Signing Certificates using SHA-1 on January 1, 2016.

Most applications, servers and browsers now support SHA-2, however some older operating systems such as Windows XP prior to Service Pack 3, and some mobile devices do not.

For example: http://support.microsoft.com/kb/2763674

Before the SHA-1 algorithm is formally deprecated by Microsoft, it is important to ensure your organization and those relying on your infrastructure are benefiting from SHA-2 support by installing the latest version of the application or browser and applying all known security updates to your operating system.

Comodo will support only SHA-2 on all 3 year code signing certificates. They will also confirm policies at this time regarding 2 year SHA-1 code signing certificates.

http://www.comodo.com/e-commerce/SHA-2-transition.php

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

MauryL
05-05-2010, 06:23 AM
I've just gotten my pfx file built, using Jane's "SetupBuilder Code-Signing". It was invaluable! I explored the latest Windows SDK (Windows 7 and .NET 3.5 SP1) and found pvk2pfx.exe and signtool.exe in \Setup\WinSDKTools\cab2.cab. Did not find capicom.dll anywhere, so I hope I don't need it.

By the way, all I had to do for the new code signing certificate was to supply the DUNS number and put my domain registration in my company's name instead of mine.

CMS Software
06-30-2010, 06:17 PM
> Please read the following excellent SetupBuilder Code-Signing Guide:

Is the procedure for renewing a Lindersoft/Comodo certificate different? Is there a discount for renewals? Hopefully I do not have to start the entire procedure over with documentation, etc.

-O. D.-

linder
07-01-2010, 12:11 AM
Hello,

There is no special Comodo "renewal" process if you have purchased a certificate in the past. You always have to request a new certificate, it can't be "renewed". Login to the Comodo ordering system and place a new order using the same company information and Comodo should speed up the validation process. Be sure to quote your previous order number in any correspondence with them.

The discount for Lindersoft customers with a current SetupBuilder subscription is 60% when you buy a 3-year code-sign certificate ($200 instead of $500).

Hope this helps.

Friedrich

CMS Software
07-12-2010, 11:45 AM
Got the new certificate and it works great. However, I was baffled that the install was signed with the new certificate (as entered in the "General Information" tab) but our program EXE was signed with the old certificate.

Some detective work revealed that if there is a line in the script to code sign a file (#code-sign application "C:\VDBPlProj\RMI\Reindex.exe" (RMI Update) [Permanent] [Skip]) then the new certificate needs to be entered into the wizard for that line also.

Now all works as expected. Hope this helps someone else save time when they upgrade their certificates.

-O. D. Williams-

Jane
07-16-2010, 07:48 AM
O.D.,

There's also a new SB tool to ease some of the pain of code-signing items you're installing - the Certificate Profiles tab on the Tools | Options window.

It's not a "live" update. If you change your certificate password, for example, it will not automatically update every item you've configured using that profile.

But it does make it easy to double-click any #code-sign compiler directive, then click the blue folder icon and choose the profile to update anything to the new code-sign settings.

And, of course, it takes out a lot of the hassle of configuring code-signing for items in the first place.

Jane

Tom H.
05-04-2011, 07:53 PM
Just a heads up...

If you use Windows 7, be aware that the CAPICOM.DLL referred to elsewhere here is no longer needed in order to use SIGNTOOL.EXE for code signing. CAPICOM has been deprecated by MS for Win 7.

All you need is a Windows 7 version SIGNTOOL.EXE now, and the simplest way to get it is to download the Windows SDK for .NET 3.5SP1 or .NET 4.

http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx

This link leads you to a small stub for the latest SDK version, so you don't need to download the entire SDK. In the installer, just uncheck everything except the 'Tools' option, and then you'll only get a small subset of the SDK that includes the Win 7 version of SIGNTOOL.EXE.

Point SetupBuilder at SIGNTOOL.EXE, which you'll find under Program Files\Microsoft SDK a few levels down in the \BIN folder.

Tom

Tom H.
01-27-2012, 05:56 PM
I was getting what appeared to be random failures during the code signing process with SB 7.5 under Windows 7, 32-bit. At times, it would even cause SB to fail/terminate.

After some research, I have found that if I have Windows Explorer open on the default \Installs folder where my installs are built, it will fail every time. Select any other folder, and the signing step works every time.

It seems Windows 7 puts some kind of hold or watch on the folder it is displaying, and SignTool does not like that at all. I've also run into similar issues with folders being viewed simultaneously between XP, Vista and Win 7 where you can't rename/move/delete files due to these invisible locks.

Hope this helps someone,
Tom H.

Maarten
05-23-2014, 11:09 AM
This document is 5 years old. Did nothing change here? Why is it that SetupBuilder does not ship with the latest signtool.exe?

Regards,

Maarten

linder
05-24-2014, 03:47 AM
Maarten,

Well, perhaps you are not aware that it is NOT allowed to redistribute signtool.exe? It's only available in the SDK. Microsoft has a very good law firm if you do the wrong thing ;) Never ever make signtool.exe available as a download. If you do, you'll hear from their lawyers.

BTW, the documentation is up-to-date! There is a new SHA1 or SHA2 order option for certificates now. The SB compiler will support it in a later build.

Friedrich

Maarten
05-24-2014, 12:45 PM
Thank you, Friedrich!
I found more information when reading on, notably the update download link for the sign tool, but nothing about the legal stuff.

Regards,

Maarten

DDreslough
04-01-2015, 08:24 PM
Hi Everybody!

Well, I just got through the process of getting my certificate reissued with SHA2 encryption. My cert was 2 years old, and I had an interesting problem that I'd lost my original private key text file (pvk). I still had my .pfx file, which has the private key info rolled into it...so here's what I did:

Comodo only gives you the cert part. And OpenSSL on the PC was too hard for me to figure out.

So...
I used a tool from DigiCert ( https://www.digicert.com/util/ ) to import my old .pfx file on my new computer.

Then I imported the new certificate from Comodo, and the DigiCert utility said "Missing PVK information". It then offered to search this computer to repair/complete. It found the key file information in my original .pfx file from two years ago, and Wah-Lah! I could export the new certificate as a working complete PFX. I was also able to use the tool to export a split PVK and Cert file from my original .pfx. Very handy! All I needed to remember was my password, which I'd spraypainted on the side of my house so I wouldn't lose it. (Just kidding. I spraypainted it on an interior wall, like all my passwords. I'm very security minded! ;) )

To give credit where credit is due, and also if people need to go ask about making a new pfx...I saw mention of that DigiCert tool on stack overflow: http://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-cer-certificate-and-private-key

Our setup is all compiled and I'm testing it now. DAYS before the due date! It's a Christmas miracle!! (We really get behind in this place. ;) )
- Dee Dreslough, Sports Mogul Inc. Long time SetupBuilder user. :)
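The same repair Dee describes (pairing a reissued certificate that came back without its key with the private key still inside the old .pfx) can be done without a third-party utility. This is an added example, not code from the thread or from Lindersoft/DigiCert; the file paths are placeholders, and it assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7), where CopyWithPrivateKey is available.

```powershell
# Placeholder paths (assumed, not from the thread): old .pfx that still holds the
# private key, the reissued certificate from the CA, and where to write the result.
$OldPfx   = 'C:\certs\old-codesign.pfx'
$NewCer   = 'C:\certs\reissued-sha2.cer'
$OutPfx   = 'C:\certs\new-codesign.pfx'
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

Add-Type -AssemblyName System.Security
$ns = 'System.Security.Cryptography.X509Certificates'

# Load the old PFX with an exportable key so the merged PFX can be written out.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$old = New-Object "$ns.X509Certificate2" ($OldPfx, $Password, $flags)
$new = New-Object "$ns.X509Certificate2" ($NewCer)

if (-not $old.HasPrivateKey) {
    throw "$OldPfx does not contain a private key"
}

# A reissued certificate only fits the old key if the public keys are identical;
# this is the check the DigiCert utility performs when it "searches" for the key.
if ($old.GetPublicKeyString() -ne $new.GetPublicKeyString()) {
    throw 'Public key of the reissued certificate does not match the old private key'
}

# Show how the CA signed each certificate (sha1RSA vs sha256RSA), which is the
# SHA-1 / SHA-2 distinction discussed earlier in the thread.
"Old certificate signed with: $($old.SignatureAlgorithm.FriendlyName), expires $($old.NotAfter)"
"New certificate signed with: $($new.SignatureAlgorithm.FriendlyName), expires $($new.NotAfter)"

# Attach the old RSA private key to the new certificate and export a complete PFX.
$rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($old)
$merged = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::CopyWithPrivateKey($new, $rsa)

$pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
[System.IO.File]::WriteAllBytes($OutPfx, $merged.Export($pfxType, $Password))

"Wrote $OutPfx (thumbprint $($merged.Thumbprint))"
```

Point SetupBuilder's certificate profile at the new .pfx afterwards; the old .pfx keeps the same private key, so it should be deleted or stored as carefully as the new one.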

linder
04-02-2015, 03:03 AM
Hi Dee,

WOW! Very interesting. Thanks so much for sharing !!! :)

Friedrich

torrid
04-27-2015, 02:52 PM
Hi
My certificate does not expire until June. If I renew early to make sure I get through the process, do I lose time on my cert, or do they add 3 years from the current certificate's expiry date?

Is there any problem with waiting until the cert expires or will that create more work in verification?

-Tim

linder
04-28-2015, 04:22 AM
Tim,

If you request a code-signing certificate then you'll always get a new one. There is no "renew" for certificates. Request a new certificate 10-14 days before your "old" certificate is due to expire and you "should" be on the safe side (but no guarantee).

Friedrich