How to use SignTool



NewsArchive
01-05-2016, 03:01 AM
Just got a brand new cert for code signing and decided to start using
SignTool rather than SignCode since I now have .pfx file - but no luck!

I have set the location of SignTool.exe in >Tools >File Locations and
also entered the path to my pfx file.

This is what I get when compiling:

Adding Digital Certificate (Preprocessor)...
SIGNTOOL: C:\Dev\bla\MyDLL.dll
SHA1: 1
Compiler error GEN1053: Code signing process failed. Error Code: 1

It does work from a command prompt when I do:

C:\> signtool sign /fd SHA512 c:\Dev\bla\MyDLL.dll

The file gets signed (but not timestamped) and it correctly shows sha512
in the signature properties where it said md5 before.

So my question is: how do I 'configure' SignTool to use sha-2 from
inside SB?

Peter

NewsArchive
01-05-2016, 03:01 AM
Hi Peter,

> So my question is: how do I 'configure' SignTool to use sha-2 from
> inside SB?

See: http://www.icetips.com/showarticle.php?articleid=1566&productID=0

I think what you may be missing are the #pragma statements:

#pragma CODESIGN_SHA = "12"
#pragma CODESIGN_TSSHA1URL = "http://timestamp.comodoca.com/authenticode"

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-05-2016, 03:02 AM
Hi Arnor,

Thank you! I had completely forgotten about #pragma. Something is
different, now I'm getting error code 22 (whatever that means - those SB
error codes seem to be a well kept secret) but it may be due to a too
old version of SignTool. But at least I've got something to work with now.

Thanks again.

Peter

NewsArchive
01-05-2016, 03:02 AM
Hi Peter,

> Thank you! I had completely forgotten about #pragma. Something is
> different, now I'm getting error code 22 (whatever that means - those
> SB error codes seem to be a well kept secret) but it may be due to a
> too old version of SignTool. But at least I've got something to work
> with now.

Yes, Friedrich keeps them secret so he doesn't have to shoot us<g>
Seriously I don't know if I've found them anywhere - it's not at all
common to get error codes in SB so every time we get one we are lost<bg>

I got version 6.3.whatever with the Windows 8.1 SDK that I downloaded in
August last year (2015). Here it is:

https://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

That is the one for Windows 8.1. By default it goes into:

c:\Program Files\Windows Kits\8.1\bin\x86\

and there you will find signtool.exe. This one is version 6.3.9600.17298

For windows 10 SDK: https://dev.windows.com/en-us/downloads/windows-10-sdk

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-05-2016, 03:02 AM
Hmmm .. Found a newer version of SignTool.exe. What does error code 22
mean anyway?

Peter

NewsArchive
01-05-2016, 03:03 AM
> That is the one for Windows 8.1. By default it goes into:
>
> c:\Program Files\Windows Kits\8.1\bin\x86\
Yup, that's where I found it.
>
> and there you will find signtool.exe. This one is version 6.3.9600.17298
And that's what I have, too.

I guess I'll have to wait for Friedrich to reveal the secrets about code
22 tomorrow <g>

Thanks for trying.

Peter

NewsArchive
01-05-2016, 03:03 AM
Hi Peter

I recall having problems switching from .SPC and .PVK files with SignCode in several
projects.

What I found I had to do was clear those fields out of the SB IDE for each project,
then save and close.

Come back in and set the .PFX and save again and close.

Then it started to work. But that was back in SB7 or SB8.

JohnG

NewsArchive
01-05-2016, 03:03 AM
Thank you, John. I'll try that.

Peter

NewsArchive
01-05-2016, 04:31 AM
> Yes, Friedrich keeps them secret so he doesn't have to shoot
> us<g> Seriously I don't know if I've found them anywhere - it's
> not at all common to get error codes in SB so every time we get
> one we are lost<bg>

Signtool returns "0" if the execution was successful and <> "0" if it
failed. "22" doesn't mean anything, just "failed" <g>.

Friedrich

NewsArchive
01-05-2016, 04:31 AM
Peter,

> I guess I'll have to wait for Friedrich to reveal the secrets about
> code 22 tomorrow <g>

Signtool returns "0" if the execution was successful. So "22" means
"failed" <g>.

Friedrich

NewsArchive
01-05-2016, 04:32 AM
Peter,

You have to use #pragma CODESIGN_SHA to set the supported code-signing
Secure Hash Algorithm. Set Value to 1 to support SHA-1 (the default). Set
Value to 2 to support SHA-2. Set Value to 12 to support hybrid SHA-1/SHA-2.
You need SignTool.exe version 6.2.9200.16384 or later.

http://www.lindersoft.com/forums/showthread.php?46908-SB10-Tips-amp-Tricks-1-Dual-SHA-1-SHA-2-code-signing

Friedrich

NewsArchive
01-06-2016, 02:32 AM
https://www.oikoumene.org/en/press-centre/news/wcc-general-secretary-congratulates-desmond-tutu-on-receiving-templeton-prize/image

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
01-06-2016, 02:33 AM
Jeff Slarve,

>> So "22" means "failed"

> wcc-general-secretary-congratulates-desmond-tutu-on-receiving-templeton-prize

You said tutu!<g>

Lee White

NewsArchive
01-06-2016, 06:27 AM
<G>

Friedrich

NewsArchive
01-15-2016, 02:47 AM
Friedrich,

> You have to use #pragma CODESIGN_SHA to set the supported code-signing
> Secure Hash Algorithm. Set Value to 1 to support SHA-1 (the default). Set
> Value to 2 to support SHA-2. Set Value to 12 to support hybrid SHA-1/SHA-2.
> You need SignTool.exe version 6.2.9200.16384 or later.

I'll be the devil's advocate<g> here and ask the question. Why aren't
these pragmas simply checkbox or radio button options in the SB IDE?!

Even better, a global option that works on all scripts without having
to edit each script manually.

( ) Global SHA-1 only
( ) Global SHA-2 only
(*) Global SHA-1 & SHA-2 dual

Global Timestamp Server: ________________________________

[x] Override all specific signature uses



Hey, SOMEONE had to ask!!!<g>

Lee White

NewsArchive
01-15-2016, 02:48 AM
Lee,

> I'll be the devil's advocate<g> here and ask the question. Why aren't
> these pragmas simply checkbox or radio button options in the SB IDE?!
>
> Even better, a global option that works on all scripts without having
> to edit each script manually.
>
> ( ) Global SHA-1 only
> ( ) Global SHA-2 only
> (*) Global SHA-1 & SHA-2 dual
>
> Global Timestamp Server: ________________________________
>
> [x] Override all specific signature uses
>
>
>
> Hey, SOMEONE had to ask!!!<g>

It's a good question ;-) Thanks for asking. Because quite a few companies
are doing completely automated (nightly) builds and have to set the #pragma
values at compile time, not design time. They are using the same project
file to create completely different setups -- all fully automated. This
can't be done with checkbox or radio button options. Some companies are
using completely different code-signing certificates for individual
projects. It would be impossible to handle this with a global option.

Previous SetupBuilder versions did not know anything about SHA-2 or dual
SHA-1 & SHA-2 or SHA256 timestamp servers and so new compiler switches were
required to handle it.

Why not simply create an include script (e.g. sha1_sha2.sbi) and set the
required pragmas. Then add this include script to all your project(s) that
support SHA-1/SHA-2?

Friedrich

NewsArchive
01-15-2016, 02:48 AM
Hi Lee, Friedrich,

> I'll be the devil's advocate<g> here and ask the question. Why aren't
> these pragmas simply checkbox or radio button options in the SB IDE?!

I wish there was an easier way to set this for a script or for all scripts
- with options to override. I have just gone through about 20 scripts
to make sure they are all set up correctly. Every script I have has at
least one #code-sign statement in addition to the settings for the
installer itself. So I have had to go into at least two places in every
script to make sure everything is right. It gets tedious...;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 02:49 AM
Arnor,

> I wish there was an easier way

Don't we all!<g>

Does the attached screen capture look correct for dual signing?

Lee White

NewsArchive
01-15-2016, 02:50 AM
Of course you future proofed them this time with an .sbi?<g>

Jeff Slarve

NewsArchive
01-15-2016, 02:51 AM
Hi Lee,

> Does the attached screen capture look correct for dual signing?

That's how mine looks...



Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 02:51 AM
Arnor,

> That's how mine looks like...

Good enough for me, thanks.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
01-15-2016, 02:52 AM
Hi Jeff,

> Of course you future proofed them this time with an .sbi?<g>

Hmm... How would using .sbi files help? I use several .sbi files in my
installs, but I can't see how that would help since each install code
signs different files. As far as I see it would just mean changing the
setting in different .sbi files instead of changing the setting in
different .sbp files.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 02:53 AM
If re-usable code is not viable in this circumstance, then never mind.

Jeff Slarve

NewsArchive
01-15-2016, 02:53 AM
Arnor,

> Hmm... How would using .sbi files help?

For the #pragma statements... just in case they change next year and
force everyone to go to SHA3!<g>

--
Lee White


NewsArchive
01-15-2016, 11:38 AM
Friedrich,

> It's a good question ;-) Thanks for asking. Because quite a few companies
> are doing completely automated (nightly) builds and have to set the #pragma
> values at compile time, not design time.

Forgive me BUT<g> they could simply NOT use the options and -I- could!

> Why not simply create an include script (e.g. sha1_sha2.sbi) and set the
> required pragmas. Then add this include script to all your project(s) that
> support SHA-1/SHA-2?

Because I'm extremely lazy and want YOU to do the work!!!<g>

By the way, that's how I'm doing it - just in case MS decides that
SHA-3 must be used next month!!!!

--
Lee White


NewsArchive
01-15-2016, 11:39 AM
Hi Lee,

>
> Forgive me BUT<g> they could simply NOT use the options and -I- could!
>

<g> Okay, I see ;-) I gave it some thought, I think it would be possible
to add a new "global" IDE option.

( ) Use SHA configuration from project
( ) Global SHA-1 only
( ) Global SHA-2 only
(*) Global SHA-1 & SHA-2 dual


Global .PFX Certificate : ________________________________
Global .PFX Password : ________________________________
Global SHA-1 Timestamp Server: ________________________________
Global SHA-2 Timestamp Server: ________________________________

If the above IDE configuration is set to "Global", then the compiler uses it
for all projects.

>> Why not simply create an include script (e.g. sha1_sha2.sbi) and set the
>> required pragmas. Then add this include script to all your project(s)
>> that support SHA-1/SHA-2?
>
> Because I'm extremely lazy and want YOU to do the work!!!<g>

And that is a good idea <g>

Thank you for your suggestion!

Friedrich

NewsArchive
01-15-2016, 11:40 AM
Jane Fleming

NewsArchive
01-15-2016, 11:40 AM
<BG> ;-)

Friedrich

NewsArchive
01-15-2016, 11:48 AM
Hi Jeff,

> If re-usable code is not viable in this circumstance, then never mind.

I realized that I do have an exe that I still distribute with several of
my installs that I could have plopped into a .sbi. Didn't really think
of using a one liner sbi;)

Each of my third party installs includes 7 .sbi files that mostly handle
settings for the various Clarion versions, etc. anywhere from about 20
to 250 lines of SB code.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 11:50 AM
Hi Friedrich,

> It's a good question ;-) Thanks for asking. Because quite a few companies
> are doing completely automated (nightly) builds and have to set the #pragma
> values at compile time, not design time. They are using the same project

How do you set pragmas at compile time?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
01-15-2016, 12:02 PM
> Each of my third party installs includes 7 .sbi files that mostly handle
> settings for the various Clarion versions, etc. anywhere from about 20
> to 250 lines of SB code.

On our Generic SetupBuilder super installer, we have several places in the
INI file where we can specify the names .sbi files unique to that product.

Then we load the data into the installer from the INI (what doesn't get
passed to it by Build Automator<g>) and evaluate it in the generic script
to see if the [named] .sbi file gets included or not.

See attached.


:-)

Charles



--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.com - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
01-15-2016, 12:08 PM
> How do you set pragmas at compile time?

Wrap it in a #ifcompvar conditional statement (like we do with our
conditional include scripts in my last post example)?

I think that should work.


:-)

Charles



NewsArchive
01-19-2016, 02:53 AM
Hi Friedrich,

I think I've done everything, but still not coming right with signing with SHA 2 (we'll get to dual signing if need be, but first port of call is to get SHA2 working).

Signtool works on its own:

Interestingly the report shows an SHA1 hash, but I think this is a typo, as the properties are SHA2:

But using SetupBuilder 10 with script modifications:

Certificate:

Correct version of Signtool:

Result is it's failing:

Help. I'm at a loss. I cannot see what I'm missing. Any pointers to things I could have missed?

Thanks

Geoff

NewsArchive
01-19-2016, 02:54 AM
Hi Geoff,

> I think I've done everything, but still not coming right with signing
> with SHA 2 (we'll get to dual signing if need be, but first port of
> call is to get SHA2 working).

as far as I can see, you would like to support only Windows 7 SP1 and
higher. No support for Windows 7, Vista, XP and all the other Server 200x
operating systems, right? Otherwise, you should "dual" SHA-1/SHA-2
code-sign your files.

I think you forgot to enable support for SHA-2 timestamping (set pragma
CODESIGN_TSTYPE to 1). You need a SHA-2 timestamp!

Does this help?

Friedrich
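
What the thread describes in three places, put together as one runnable script: the signtool version floor and the dual SHA-1/SHA-2 signing that #pragma CODESIGN_SHA = "12" asks the compiler to perform (Friedrich, 01-05-2016), the "0 means success, anything else just means failed" exit-code behaviour behind Peter's error code 22, and the SHA-2 (RFC 3161) timestamp that CODESIGN_TSTYPE enables (the reply to Geoff above). This is an added PowerShell example written for this archive, not SetupBuilder's own code or a script posted in the thread. The file, PFX and signtool paths, the CODESIGN_PFX_PASSWORD environment variable, the RFC 3161 timestamp URL and the helper function Invoke-SignTool are assumptions; the Comodo Authenticode timestamp URL and the 8.1 SDK path are the ones quoted in the thread.

```powershell
# Added example: dual SHA-1/SHA-2 Authenticode signing with signtool.exe from a
# build script. Paths, the password variable name and the RFC 3161 URL are
# assumptions; replace them with your own values.
param(
    [string]$File     = 'C:\Dev\bla\MyDLL.dll',
    [string]$Pfx      = 'C:\Dev\certs\codesign.pfx',
    [string]$SignTool = 'C:\Program Files\Windows Kits\8.1\bin\x86\signtool.exe',
    # Authenticode (SHA-1) timestamp server quoted in the thread
    [string]$Sha1Ts   = 'http://timestamp.comodoca.com/authenticode',
    # RFC 3161 timestamp server for the SHA-256 signature (assumed URL)
    [string]$Sha2Ts   = 'http://timestamp.example.com/rfc3161'
)

# Appending a second signature (/as) needs signtool 6.2.9200.16384 or later,
# the floor Friedrich gives. Build the version from the numeric parts so that
# a FileVersion string with a trailing build tag does not break the cast.
$minVersion = [version]'6.2.9200.16384'
$vi = (Get-Item $SignTool).VersionInfo
$have = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
if ($have -lt $minVersion) {
    throw "signtool $have is too old; need $minVersion or later"
}

# Keep the PFX password out of the script and out of the command line you
# commit: read it from an environment variable the build server sets.
$pfxPassword = $env:CODESIGN_PFX_PASSWORD
if (-not $pfxPassword) { throw 'CODESIGN_PFX_PASSWORD is not set' }

function Invoke-SignTool {
    param([string[]]$Arguments)
    # signtool returns 0 on success and a non-zero code on failure; the
    # number itself carries no extra meaning (that is the "error code 22").
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed with exit code $LASTEXITCODE : $($Arguments -join ' ')"
    }
}

# 1. Primary SHA-1 signature with a classic Authenticode timestamp (/t), for
#    systems older than Windows 7 SP1 that cannot validate SHA-2 signatures.
#    Skip this step (and the /as below) if you only support Win7 SP1 and later.
Invoke-SignTool @('sign', '/f', $Pfx, '/p', $pfxPassword, '/fd', 'sha1',
                  '/t', $Sha1Ts, '/v', $File)

# 2. Appended SHA-256 signature (/as) with an RFC 3161 timestamp (/tr) whose
#    digest is also SHA-256 (/td). A SHA-2 signature without a SHA-2 timestamp
#    is what Geoff's failing build above was missing.
Invoke-SignTool @('sign', '/as', '/f', $Pfx, '/p', $pfxPassword, '/fd', 'sha256',
                  '/tr', $Sha2Ts, '/td', 'sha256', '/v', $File)

# 3. Verify every signature on the file (/all), not just the first one, against
#    the default Authenticode policy (/pa). A non-zero exit here means the file
#    would not be trusted on the target machine, even though signing "succeeded".
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

Run it from the build server with CODESIGN_PFX_PASSWORD set in the environment; the script stops at the first non-zero signtool exit code, which is also the only thing the SB compiler can report back (hence GEN1053 with no further detail). The verify step is the check worth keeping in any pipeline: it catches a missing or wrong-digest timestamp before the installer ships.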

NewsArchive
01-19-2016, 02:56 AM
Oh, this would be nice! :)

Thanks when you do this!


Craig E. Ransom
Tracker Software Products, Ltd.
http://tracker-software.com/

NewsArchive
01-19-2016, 02:57 AM
> Oh, this would be nice! :)
>
> Thanks when you do this!

It will be available in the next maintenance release :-)

Friedrich