Compiler Error GEN 1053 appears when Digital Signature set to Yes or No



jgamalinda
10-23-2012, 12:25 PM
Hello. Recently, my builds have been generating a "Compiler Error GEN 1053: Codes signing process failed. Error Code: -1" message. Earlier this month, I had no issues and to my knowledge nothing has changed with the certificate or SB7 file. I went through the other threads to troubleshoot and one recommendation was to get rid of the Private Key password so that I could try and manually enter it in. Leaving the field blank did not cause the password screen to stop. I wanted to test and see what would happen if I turned off the Digital Signature so I set Add a Digital Signature = No. The PW screen still automatically appeared and disappeared and the same error shows up as if it were still trying to Add the Digital Signature.

I don't believe there are any issues with the certificate itself because it doesn't expire until 2014 and we have another program which uses the same credentials, private key, locations, URLs, and that program builds without any errors. I need to have the digital signature but am concerned there is another issue because turning it off gives me the same results.

Any thoughts on how to resolve this issue would be greatly appreciated! THANKS!!!!

linder
10-24-2012, 12:01 AM
Hello,

If you can correctly code-sign another file with this certificate and the very same configuration information then it is:

1. The timestamp server is not available from your Win7 machine for this file (your anti-spyware or anti-virus is buggy and does not let Authenticode access the Comodo or VeriSign timestamp server).

-or-

2. The PE header of the to be code-signed file is not valid. Try to code-sign that file manually with the ..\Bin\SignCode.exe tool to see if it reports a human readable error message.

BTW, your screenshots show two completely different locations for code-signing. The "General Information" screen defines the certificate for your setup.exe. But you have an error in your pre-processor code-signing. So make sure that you have the information correct in the pre-processor (e.g. that you don't point to an expired certificate or use an incorrect password in the pre-processor!).

Hope this helps.

Friedrich

jgamalinda
10-24-2012, 08:57 AM
> BTW, your screenshots show two completely different locations for code-signing. ... "General Information" ... pre-processor code-signing

That was my problem. Carl fixed bad settings in the #code-sign in my script. But then I still get errors.


> 1. The timestamp server is not available from your Win7 machine for this file (your anti-spyware or anti-virus is buggy and does not let Authenticode access the Comodo or VeriSign timestamp server).

Now I seem to have this problem frequently. Carl wrote a BAT file to run SignCode and I see it returns the error:
"Error: TimeStamping Failed. Result = 80070020, (-2147024864)"

He tweaked his SignCode parms to have "/tr 3 /tw 3" so it does 3 tries with a 3 second pause. With the pause in, that works every time... in the BAT file. After that SB seems to work. But it has to do 3 signings (APP EXE, Uninstaller, Setup.exe) and I see it fail a lot on the Uninstaller.

Googling the TimeStamping error I see some mention that it's a timing issue under Win 7. That some process or thread has locked the EXE file, so the /t errors. It makes sense that retrying 3 seconds later would work.

Is there a place in SB to let me tweak the SignCode parms to add these "/tr 3 /tw 3" parameters?
Another fix I saw was to sign without timestamp, then run signcode again with the "/x" switch to timestamp only. I have not tried it.

I run SB on a network drive, maybe that is part of the timing issue. My AV is Symantec Endpoint Protection.

Do you have any suggestions for me and the 80070020 error?

John


PS: Carl suggests that SB have a "Test/Debug SignCode" feature that generates a BAT file containing the parms (but not password) and during the Compile process runs the BAT file and waits for it to finish.
Like this with a pause to see the results:


@echo SetupBuild SignCode Debug
@echo Signing Command: Signcode.exe /tr 3 /tw 3 /a sha1 /spc X:\dir\cert\MyCredentials.spc /v X:\dir\cert\MyPrivateKey.pvk /t http://timestamp.verisign.com/scripts/timstamp.dll X:\app\MyECFMail_setup.exe
@IF not exist X:\dir\cert\MyCredentials.spc ECHO Cannot find file: X:\dir\cert\MyCredentials.spc
@IF not exist X:\dir\cert\MyPrivateKey.pvk ECHO Cannot find file: X:\dir\cert\MyPrivateKey.pvk
@IF not exist X:\app\setup.exe ECHO Cannot find file: X:\app\setup.exe
@echo You will need to enter the signing certificate password in the popup window
Signcode.exe /tr 3 /tw 3 /a sha1 /spc X:\dir\cert\MyCredentials.spc /v X:\dir\cert\MyPrivateKey.pvk /t http://timestamp.verisign.com/scripts/timstamp.dll X:\app\setup.exe
@echo Please note the result of SignCode
pause

jgamalinda
10-24-2012, 09:15 AM
One tech support tip...
when the timestamping error occurs the EXE does have a new digital signature (file date-time updated), but the digi-sig doesn't have a timestamp.

jgamalinda
10-24-2012, 09:26 AM
I tried adding " /tr 3 /tw 3" under Tools, Options, File Locations to the SignCode line but it errors in compiling.

That page would be a good spot to add a parm override.

linder
10-24-2012, 09:40 AM
John,

I think there is a problem with your protection software product (as I understand it, earlier this month you had no issues so it seems to me that one of the latest definition updates introduced it in your case). What you can try is to add the code-signing tool to the "exclusion" list. Perhaps this can help to let it go through to the timestamp server.

Or convert your .spc/.pvk to a .pfx and use signtool.exe to code sign.

Friedrich

linder
10-24-2012, 09:41 AM
Yes, this is correct and expected. That's how the MS Authenticode tool works.

Friedrich

linder
10-24-2012, 09:48 AM
You can't add parameters. "File Location" only points to the signtool.exe or signcode.exe files.

But we'll add a compiler #pragma to SetupBuilder 8 to specify the maximum number of timestamp trials until success and the delay (in number of seconds) between each timestamp trial.

Friedrich

linder
10-24-2012, 10:16 AM
Added and changed in SetupBuilder 8:

IMPROVEMENT: IDE: Add CODESIGN_DELAY #pragma to set the delay (in number of seconds) between each timestamp trial. Defaults to 3.

IMPROVEMENT: IDE: Add CODESIGN_TSTRIALS #pragma to set the maximum number of timestamp trials until success; defaults to 3.

CHANGE: IDE: The default delay between each code-signing timestamp trial increased from 0 to 3 seconds.

CHANGE: IDE: The default maximum number of timestamp trials until success increased from 1 to 3.

Friedrich

jgamalinda
10-24-2012, 12:05 PM
> IMPROVEMENT: IDE: Add CODESIGN_DELAY #pragma to set the delay (in number of seconds) between each timestamp trial. Defaults to 3.
> IMPROVEMENT: IDE: Add CODESIGN_TSTRIALS #pragma to set the maximum number of timestamp trials until success; defaults to 3.


Think that's a good idea you defaulted to multiple tries. I searched and see a bunch of people saying they needed to add timestamp retries to work consistently. I've seen no downside. You want a timestamp, you may need to wait.

BTW 3 and 3 were numbers I picked without any research that happened to work right away. I just went and tested a bunch of combos and 3 seconds seems to be the minimum wait that I needed. I'd suggest 4 or 5 retries as the default to try to get it done as often as possible.

SignCode is silent when doing the retries so it's hard to know what is working.


Any reason I can't write my own Clarion based Signer EXE for you to call?
Basically: RUN('SignCode.exe /tr 3 /tw 3 ' & clip(command('')), 1)

Hmmmm, I need the ExitCode from that, which I can't think how to do without CreateProcess() or ShellExecuteEx().
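
The "sign first, then timestamp only with /x" approach mentioned earlier in the thread, with the retries made visible and the exit code checked, as an added example that is not part of the original posts or of SetupBuilder. It assumes signcode.exe is on the PATH and returns 0 on success; the paths and timestamp URL are the placeholders quoted in the thread.

```batch
@echo off
rem Added example: sign once without /t, then retry timestamp-only (/x)
rem so every attempt is visible and a missing timestamp fails the build.
setlocal EnableExtensions
set "SPC=X:\dir\cert\MyCredentials.spc"
set "PVK=X:\dir\cert\MyPrivateKey.pvk"
set "TSURL=http://timestamp.verisign.com/scripts/timstamp.dll"
set "TARGET=%~1"
set /a MAXTRIES=5, WAIT=3

if not exist "%TARGET%" (echo Cannot find file: %TARGET% & exit /b 2)

rem Step 1: signature only. The password popup appears here.
signcode.exe /a sha1 /spc "%SPC%" /v "%PVK%" "%TARGET%"
rem "if errorlevel 1" misses negative codes such as -1, so compare to 0.
if not "%ERRORLEVEL%"=="0" (echo Signing failed, code %ERRORLEVEL% & exit /b 1)

rem Step 2: timestamp only, retried with a pause between attempts.
set /a TRY=0
:stamp
set /a TRY+=1
echo Timestamp attempt %TRY% of %MAXTRIES%
signcode.exe /x /t "%TSURL%" "%TARGET%"
if "%ERRORLEVEL%"=="0" (echo Timestamped on attempt %TRY% & exit /b 0)
if %TRY% GEQ %MAXTRIES% (echo Timestamping failed after %TRY% attempts & exit /b 1)
timeout /t %WAIT% /nobreak >nul
goto stamp
```

A non-zero exit here means the file is signed but carries no timestamp, the state described later in the thread, so the caller can stop instead of shipping it.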

linder
10-25-2012, 12:17 AM
I think 3 and 3 are already good values because they allow more retries and give the protection system more time to cool down. But we can increase it to 5 and 5, no problem. BTW, support requests for code-signing are not even on our list of Top 500 support requests. In other words, code-signing is not a general issue at all (it's machine specific). If a code-signing issue is reported then in most cases it is 1) caused by an expired code-signing certificate or 2) by a buggy or too protective anti-virus and/or anti-spyware system that blocks access to the timestamp server. I hope the new default values can help you.

Friedrich

jgamalinda
10-26-2012, 11:20 AM
> In other words, code-signing is not a general issue at all (it's machine specific). If a code-signing issue is reported then in most cases it is 1) caused by an expired code-signing certificate or 2) by a buggy or too protective anti-virus and/or anti-spyware system that blocks access to the timestamp server. I hope the new default values can help you.
> Friedrich

In this case it started as #1 expired, but then timing showed up.

Problem is when signing fails with the "Compiler Error GEN 1053" there's no way to tell the problem. I need to see the command line output of the SignCode.exe cmd line that shows the error. It would help if SB had a way.

I tried changing Tools, Options, File Locations the SignCode.exe to my own SignCarl.BAT. It does run, but because you hide the window I cannot add a PAUSE and see what's going wrong. So one tweak you could make is if the Sign Code program is a BAT or CMD that you do not hide the window. Or add a Pragma to not hide the window.

I changed my BAT to redirect to a file and do see some info. I need to put more time into it, but I'm not sure it's possible.

Here's my BAT file replacement for SignCode.exe


echo signing >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 1: %1 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 2: %2 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 3: %3 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 4: %4 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 5: %5 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 6: %6 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 7: %7 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 8: %8 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 9: %9 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 10: %10 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 11: %11 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 12: %12 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 13: %13 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 14: %14 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 15: %15 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 16: %16 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 17: %17 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 18: %18 >> V:\alpha\Emem\SignCarl\signlog.txt
@echo parm 19: %19 >> V:\alpha\Emem\SignCarl\signlog.txt

V:\alpha\Emem\SignCarl\signcode.exe /tr 3 /tw 4 %1 %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 >> V:\alpha\Emem\SignCarl\signlog.txt
rem pause



Here's the result (I do not get the output of signcode.exe):

signing
parm 1: -spc
parm 2: "V:\alpha\SignCodeBCS\xxxxxCredentials.spc"
parm 3: -v
parm 4: "V:\alpha\SignCodeBCS\xxxxPrivateKey.pvk"
parm 5: -i
parm 6: "http://www.xxxxx.com/"
parm 7: -n
parm 8: "xxxxxxx"
parm 9: -t
parm 10: -spc0
parm 11: -spc1
parm 12: -spc2
parm 13: -spc3
parm 14: -spc4
parm 15: -spc5
parm 16: -spc6
parm 17: -spc7
parm 18: -spc8
parm 19: -spc9

I don't see the EXE name in the command line.
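
Why the log above shows "-spc0" through "-spc9" and no EXE name: cmd.exe only has positional parameters %0 to %9, so "%10" expands to %1 followed by a literal 0. A logging wrapper that avoids this, as an added example that is not part of the original post; the log file name and the location of signcode.exe are assumptions.

```batch
@echo off
rem Added example, not the poster's or SetupBuilder's code.
rem Assumption: signcode.exe sits beside this script; the log name is hypothetical.
setlocal EnableExtensions
set "SIGNCODE=%~dp0signcode.exe"
set "LOG=%~dp0signlog.txt"

>>"%LOG%" echo ==== %DATE% %TIME% signing ====
rem %* is the full argument list. Do not log it if a wrapped tool
rem ever receives a password on its command line.
>>"%LOG%" echo all args: %*

rem Pass everything through with %* and capture stderr as well (2>&1);
rem ">>" alone only redirects stdout.
"%SIGNCODE%" /tr 3 /tw 4 %* >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo signcode exit code: %RC%

rem cmd only has %0..%9. "%10" is %1 followed by a literal 0, so walk
rem the list with SHIFT to number every argument correctly.
rem SHIFT does not change %*, so the order of these two steps is free.
set /a N=0
:next
if "%~1"=="" goto done
set /a N+=1
>>"%LOG%" echo parm %N%: %1
shift
goto next

:done
rem Hand the tool's exit code back to whatever launched the wrapper.
exit /b %RC%
```

The loop stops at the first empty argument, so an intentionally empty "" parameter would end the listing early; the %* line still records it.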

linder
10-26-2012, 11:55 AM
Hello,

Why don't you use the "#run..." compiler directive to run your batch file (including your PAUSE command in it) instead of the "#code-sign application..." directive? Perhaps you can then find out why your machine has a problem with code-signing? And if it still fails (e.g. because your certificate is password protected and the password embedding process is blocked by your protection software), you can try the .PFX and use SignTool.exe (which can handle passwords via the command line).

BTW, it is impossible to use a batch file via "Tools | Options | File Locations" because the file name determines the code-signing method (SignTool.exe or SignCode.exe). The SignCode.exe Location specifies the pathname of the signcode.EXE that performs the signing tasks.

Hope this helps a bit.

Friedrich