View Full Version : pfx to spc and pvk



NewsArchive
09-17-2013, 12:59 AM
Where can I find a readable set of instructions to convert my pfx?

Comodo's instructions are gibberish. <G>
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089#

I have the pvk in hand.

Lynn Howard
Linked Software
www.linkedsoftware.com

NewsArchive
09-17-2013, 01:00 AM
> Where can I find a readable set of instructions to convert my pfx?
>
> Comodo's instructions are gibberish. <G>
> https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089#
>
> I have the pvk in hand.

Hi Lynn,

Jane included excellent instructions in the manual she created for
Lindersoft -

When you fire up the SetupBuilder IDE - Help Topics - Learning SetupBuilder

Important Windows Stuff - Code Signing - Preparing SetupBuilder - Optional
- Create a PFX file

You'll need pvk2pfx.exe

If you chose defaults for installing the Windows SDK, you should find it in
one of these folder locations -

C:\Program Files\Microsoft SDKs\Windows\v7.0\bin

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\

* * * * *

Learning SetupBuilder Part I.chm also available at -

http://www.lindersoft.com/downloads_evaluation.htm

* * * * *

Also, similar information is available in:

Encourager Software Developer Tips
http://www.encouragersoftware.com/software-developers.html

Just download and install - Start menu or desktop choices to display tips.

signtool.exe help topic

David

--
From David Troxell - Product Scope 8.1! - Encourager Software
Email - mailto:pe_Remove_@_Me_encouragersoftware.com
http://www.encouragersoftware.com/product-scope-major-features.html

NewsArchive
09-17-2013, 01:01 AM
>> Where can I find a readable set of instructions to convert my pfx?
>>
>> Comodo's instructions are gibberish. <G>
>> https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089#
>>
>> I have the pvk in hand.

Lynn,

Didn't look at Comodo page, and I think this threw me off for answer - "I
have the pvk in hand"

Do you want the REVERSE - as suggested by the subject! :-)

Mind me asking why - as in, why you want to work with the older
signcode.exe tool?

If you need an older signtool.exe - one that works with Vista (not sure
about XP - since I was using at least Vista when I first code signed) - in
the Developer Tips - signtool.exe help topic - there is a download link for
older signtool.exe

http://www.microsoft.com/en-us/download/details.aspx?id=3138

it depends on - capicom.dll - download here

http://www.microsoft.com/en-us/download/details.aspx?id=25281

install (choose default) and it should register itself - no special folder
is needed.

When I researched PFX to spc and pvk years ago, basically articles said
AVOID it! :-)

David


NewsArchive
09-17-2013, 01:01 AM
Thanks David,

I am using the old stuff because that has worked nicely for years. Path of
least resistance. It's a tri-annual PITA and is stupidly convoluted.

By now I was hoping to see a 1,2,3 type of list.

Lynn

NewsArchive
09-17-2013, 01:02 AM
> Thanks David,
>
> I am using the old stuff because that has worked nicely for years. Path of
> least resistance. It's a tri-annual PITA and is stupidly convoluted.
>
> By now I was hoping to see a 1,2,3 type of list.

Lynn,

I don't have the reference now, but keep looking - there is a way to do it,
but it's painful! And it's definitely NOT 1,2,3

OTOH, why not accept that for each SetupBuilder project, it's just a few
steps to correct each script.

The latest Windows 7 version of signtool.exe is much better to use - no
more capicom.dll to worry about - easier to copy to new VMs, etc

Part of the reason Encourager Software Developer Tips was started was a
quick reference for me to keep track of easier ways to do things, so I
stored them in a CHM file for my use -

Then, I thought it would be helpful for developers in general, but I still
use it often to quickly drill down to a tip, a URL, etc.

David


NewsArchive
09-17-2013, 04:39 AM
Lynn,

This is interesting reading:

http://www.lindersoft.com/forums/showthread.php?p=21430#post21430

Friedrich

NewsArchive
09-17-2013, 04:40 AM
>
> I have the pvk in hand.
>

BTW, you have the .PVK in hand? Are you sure? If you have received the
certificate in form of a .PFX then you should not have a .PVK.

Friedrich

NewsArchive
09-17-2013, 09:36 AM
> Lynn,
>
> This is interesting reading:
>
> http://www.lindersoft.com/forums/showthread.php?p=21430#post21430

Hi Friedrich,

Thanks for this reference - I started with Signcode.exe and spc and pvk
file formats, then used pvk2pfx.exe to convert to PFX and using
signtool.exe, and haven't looked back since!

I don't remember reading this reference, but researched it briefly, and
found the PFX to spc and pvk references as a long and involved process -
and remembered advising - IF you need both PFX and spc and pvk - use XP and
IE to obtain spc and pvk - VERY simple then (to convert to PFX) if you can
preplan it that way.

Although I will say this - with SetupBuilder and Certificate Profiles, to
update scripts and use the newer signtool.exe - well worth the effort and
not much time involved, even if many SB projects are involved.

David


NewsArchive
09-17-2013, 09:38 AM
Interesting! Think I can use that.

Here's a wrinkle I reported during your vacation and was told don't do it.

In "playing" with this stuff I stumbled on a dirty way to use the pfx file.
I say dirty way because at each code signing instance it throws an error
message but then apparently signs the file and continues.

I mention this out of curiosity because it seems to work but perhaps there
are bad things to happen later. Perhaps a security issue of some sort?

Lynn

NewsArchive
09-17-2013, 09:39 AM
Lynn,

> In "playing" with this stuff I stumbled on a dirty way to use the pfx
> file.
> I say dirty way because at each code signing instance it throws an error
> message but then apparently signs the file and continues.
>
> I mention this out of curiosity because it seems to work but perhaps there
> are bad things to happen later. Perhaps a security issue of some sort?

No. If you are using SignCode.exe in combination with a .PFX then the
Microsoft Authenticode tool will fail and not code sign your file(s). The
tool can't use a .PFX to code-sign, only .PVK/.SPC is accepted. It will
definitely not work with a .PFX.

You need SignTool.exe to let your .PFX code sign files :)

Friedrich

NewsArchive
09-17-2013, 09:39 AM
I understand but SB says the file was signed successfully.

Lynn

NewsArchive
09-17-2013, 09:40 AM
>
>I understand but SB says the file was signed successfully.
>

Can you post a compiler report screenshot? Similar to the attached one?

Friedrich

NewsArchive
09-17-2013, 09:41 AM
BTW, I see this (see attached screenshot) when I try to use a .PFX with
SignCode.exe to code-sign the installer.

Friedrich

NewsArchive
09-17-2013, 09:42 AM
Here it is.

Lynn

NewsArchive
09-17-2013, 10:41 AM
>
> Here it is.
>

Hmmm, strange. It does not mention the Authenticode tool used.

What do you have in "Tools" | "Options..." | "File Locations" tab ->
SignCode.exe or SignTool.exe Location? Does it point to a valid
Authenticode tool?

And can you confirm that the setup.exe is code-signed? IMO, it is not.

Could you please send your .sb8 project file to support [at] lindersoft
[dot] com? Perhaps I can find something in your project that causes this.

Friedrich

NewsArchive
09-17-2013, 10:42 AM
Hi Friedrich.

See attachment for File location.

When I Test the project I get no unknown publisher message.

I'll send the project file to support.

Maybe we've found a way to simplify all this Comodo stuff. <G>

Lynn

NewsArchive
09-18-2013, 01:37 AM
Hi Lynn,

> See attachment for File location.
>
> When I Test the project I get no unknown publisher message.
>
> I'll send the project file to support.
>
> Maybe we've found a way to simplify all this Comodo stuff. <G>

Unfortunately, I am afraid this is not the case <g>. There must be another
reason for it.

Friedrich

NewsArchive
09-18-2013, 01:37 AM
Lynn,

As Friedrich said, see whether the item is really code-signed. I highly
doubt it.
The tool you show in your screen shot is not one of the Authenticode signing
tools. It's "pvkimprt.exe".
Google has a number of hits for that. It's related to certificates, but it
DOES NOT sign stuff:
http://www.wiscocomputing.com/articles/code-signing.htm
http://www.microsoft.com/en-us/download/details.aspx?id=6563

I'm guessing that SB runs that tool, doesn't get an error flag back, and
"thinks" that that executable succeeded in signing your file.

Right-click your executable, click Properties, and look for the Digital
Signatures tab.
That will tell you whether it's signed or not.

Jane

NewsArchive
09-18-2013, 01:38 AM
Hi Jane,

You are absolutely right. Friedrich is looking into the false positive.

Thanks for the research.

Lynn

NewsArchive
09-18-2013, 02:38 AM
Hi Lynn,

>
> See attachment for File location.
>

Okay, and the use of "pvkimprt.exe" as code-signing tool is your problem
<g>. This Microsoft tool can be used to combine your .SPC and .PVK
certificate/key files into a .PFX file. It is *not* an Authenticode
code-signing utility ;-)

You have to specify the fully qualified path to "SignCode.exe" if you
code-sign with a .PVK/.SPC -or- the fully qualified path to "SignTool.exe"
if you code-sign with a .PFX.

Friedrich

NewsArchive
09-18-2013, 02:39 AM
Oops. Just noticed that Jane already provided the answer and solution <g>.
Our ISP switched the Backbone and this caused newsgroup access problems for
some hours here.

Just specify the correct Authenticode tool and you are back in the game :)

Friedrich

NewsArchive
09-18-2013, 04:06 AM
Hi Lynn,

>
> You are absolutely right. Friedrich is looking into the false positive.
>

I have improved the compilation process. The compiler will throw an error
in this scenario now.

Friedrich

NewsArchive
09-18-2013, 04:06 AM
BTW, this will be available in the upcoming SetupBuilder 8.1.

Friedrich

NewsArchive
09-18-2013, 06:28 AM
Hi Lynn,

>
> I'll send the project file to support.
>

A quick note to your .sb8 project: 'MMS6_L_5' is an invalid Windows file
resource version (General Information -> Version Resource tab -> File
Version) and '6L_5' is an invalid Product Version number (General
Information -> Product tab -> [PRODUCTVER]).

In Windows, the Product Version should be in the format AA.BB.CCCC.DDDD,
where AA is the major version, BB is the minor version, CCCC is the build
version, and DDDD is optional and ignored. For example: 5.1.1266.

Friedrich

NewsArchive
09-18-2013, 09:35 AM
That's all right, Friedrich.

I'm used to being ignored.....

Sigh..... <g>

Jane Fleming

NewsArchive
09-18-2013, 09:35 AM
Hi Friedrich,

Thanks for the tip and all your other help! Couldn't get along without you!

So much to know and so little time. <Sigh>

Last night as I was dozing off an idea about a real Wizard for all this
Comodo stuff came to me. Currently most info is in narrative form. Seems
it would be fairly easy to have a window with links to openssl.exe and
pvk.exe and fields for the various locations and file names on your
computer. Then Run buttons for each. Just thinking out loud.

Lynn

NewsArchive
09-18-2013, 11:06 AM
I appreciate you Jane.

If that's any consolation. <G>

Lynn

NewsArchive
09-19-2013, 12:37 AM
Totally! <g>

Jane Fleming

NewsArchive
09-19-2013, 12:38 AM
> That's all right, Friedrich.
>
> I'm used to being ignored.....

Hahahahaha! ;-) I DON'T think so <g>

Friedrich