Firstly I must point out that this isn't a SetupBuilder Issue, but as it
involves Comodo certificates, I thought this might be the best place to
ask for some advice.

I'm actually using Capesoft's Safeupdate to send out an installer that
has been created using my trusty setupbuilder5. I manually code sign the
installer using signtool.

I've found some machines recently that are giving me an error saying
that my certificate is invalid.

I've done a bit of digging, and looked at the certificates that were
installed on those machines, and I expected to find a trusted root
certificate from comodo, and there weren't any. As an experiment I
exported the comodo root certificate from my own PC, and sent that down
to the customer PC, and installed it. If I then re-run my installer I no
longer get an error.

I'm confused. I didn't think I should have to distribute certificates,
as that seems to kind of go against the whole idea.

Am I missing something?

Regards,

Neil.

Neil,

> I'm confused. I didn't think I should have to distribute certificates, as
> that seems to kind of go against the whole idea.

Assuming that you have a valid certificate! It's their SysAdmins fault <g>.

The AddTrust External CA Root was added to the Microsoft Root CA program in
2009. Vista and above have automatic Root CA updates (but it can be
disabled by a SysAdmin) whereas the outdated NT 5.0 Family (2000, 2003, XP)
all need to update via a file ("rootupd.exe").

In other words, the Admins have disabled root certificate updates on these
specific machines. OUCH! You would be surprised on how few Windows Admins
tinker with how CA certificates are handled on end-user systems. But
without automatic CA updates the system has a very large security hole (no
Certificate Revoking List updates, etc.).

The "new" (2009+) Comodo certificates are no longer signed by "USERTrust
CA", but "COMODO Certification Authority", later renamed to "COMODO". So
the machines definitely need a CA update. That's how certificates work. In
fact, Windows is correct in this case. The certificate is invalid on these
machines to protect the users.

Friedrich

Neil,

By the way, our certificate is valid even on a completely outdated Windows
2000 machine (see attached screenshot).

Are you sure your code-signed file is not "damaged" on these machines?

Friedrich

Hi Fredrich,

This is facinating. I've never had cause to really look at how these
certificates really work, "they just do".

I think I'm going to go back to Bruce @ Capesoft with this, as the PC's
that I'm struggling with vary greatly. I've found a couple of Win XP
machines, but also several Win 7 machines. They are all stand alone
laptops, and aren't on any domain. Being kind, they users aren't IT
savvey, so it is most unlikely that they would have done anything to
disable updates.

I'm wondering if there is something in the way that Bruce uses my
certificate in Safeupdate that is causing the problem. It's just strange
that it works on some machines, and the same file will work once a root
certificate is installed.

Thanks for your help. A useful insite.

Regards,

Neil.

Neil,

You are very welcome.

BTW, if you are interested, give me access to one of the files and I will
check this here. We have quite a few different test machines with all kinds
of Windows versions.

And please keep us posted.

Friedrich

Neil,

As Friedrich says... the whole thing rests on a chain of trust.

Once you install a root certificate to which your own certificate is
related, that machine (or all machines in the Windows Domain if it's
installed into Active Directory) will trust your certificate.

Root certificates come from time to time in that wad of updates that
Microsoft pushes out on "patch Tuesday". Here's an example of one such:
http://www.microsoft.com/en-us/download/details.aspx?id=38918

I have a vague recollection that root certificates may have been in the
"optional" rather than "important" category when Windows Update runs on
XP... but probably not.

In any event, as to the mystery of "why some machines", again it's as
Friedrich pointed out. Some of your customer's machines have not been
updated. Those that are current with their Windows updates from Microsoft
won't have a problem.

Jane

Hi Friedrich,

A little update for you. I managed to setup a Windows XP VM, and I've
been doing some more experimenting.

I've signed my application, the setupbuilder installer, and the
Safeupdate .xml file with the same certificate (I only have one)

If I run my application or the installer, everything works fine, and
when I look at the properties of the exe I can see that my certificate
details show up fine.

Having installed my app, if I then try and update it using Safeupdate, I
get an error saying that the safeupdate xml file isn't trusted.

To my mind, this is definately pointing to a safeupdate problem.....but
if I install the comodo intermediate certificate on that VM, then
safeupdate works. Therefore Bruce has suggested that I ship the
intermediate certificate with my initial install.

I'm not sure if there is anything that you can see from the xml that is
created by safeupdate. I suspect that Bruce would be the only one that
would know what should be in there, but I would like to get to the
bottom of this if I can.

Regards,

Neil.

Hi Neil,

I tried to verify your XML Digital Signature but got an error. See attached
screenshot from a validated .xml file and a screenshot from your XML
validation.

Unfortunately, I don't know what might cause this in Capesoft SafeUpdate :-(

Friedrich

Hi Friedrich,

I'm experiencing the same issue as Neil where SafeUpdate is not trusting
the signed SetupBuilder installer for our applications. We purchased a new
Code Signing Certifiate from Comodo in November this year and this is when
the issue started. Our old Comodo Code Signing Certificate that we have been
using for years was working perfectly with SafeUpdate. After speaking with
Comodo they provided this information:

"Hello Trent,

Can you tell us if you import 'Comodo Code Signing CA 2' to the Intermediate
Certification's certificate folder, does the issue go away? If so, this means
your signing application is not including the full certification path when
its signing your application."

I tested only importing the 'Comodo Code Signing CA 2' certificate on a brand
new VM that I confirmed SafeUpdate could not trust the installer to upgrade
our application. After installing this intermediate certificate SafeUpdate
successfully trusted the installer to upgrade our application. According
to Comodo this means that SetupBuilder is "not including the full certification
path when its signing" our applications.

Are you able to check if there is a problem with SetupBuilder? We are using
version 8.1.

Regards,
Trent

Ahh...

Did you get your certificate as files or in Internet Explorer ?

If you exported from IE, there's an "include all certificates" checkbox
which maybe needed to be marked. (pic)

If your machine trusts Comodo, what you might do is
1. Import your certificate into your machine through IE
2. Export it as a new PFX and be sure you've included all certificates

Then try signing your app with the new PFX.

Jane

Hi Jane,

We exported our certs from IE and we made sure the "include all certs" option
was checked. We have re-imported and re-exported the PFX many times all with
the same result. Even used different browsers.

Regards,
Trent

Hi Trent,

> Are you able to check if there is a problem with SetupBuilder? We are
> using version 8.1.

This has absolutely *nothing* to do with SetupBuilder at all ;-)

Just check the generated code-signed setup.exe and you'll notice that the
signature is perfectly valid. Of course, assuming that your .pfx is okay.

Friedrich

BTW, similar to the attached one, compiled with SB81. Brand new Comodo
certificate (September 2013). The Microsoft Autenticode SignTool.exe just
needs your Personal Information Exchange .PFX file (containing private keys)
to code-sign.

Friedrich

Hi Friedrich,

No worries, just thought I would ask. Back to Capesoft now.

Regards,
Trent

Hi Trent,

>
> No worries, just thought I would ask. Back to Capesoft now.
>

Please keep us posted!

Friedrich