I've implemented the dual signing process here:
http://www.lindersoft.com/forums/showthread.php?46908-SB10-Tips-amp-Tricks-1-Dual-SHA-1-SHA-2-code-signing

and my apps are showing SHA1 & SHA2 certificates - great!
and they report during my SB project compile:
SIGNTOOL
SVER: 6.3.9600.17298
SHA1: 0
SHA2: 0

But when it gets toward the end it's failing:
Adding Digital Certificate to Uninstall
Resolving CSI...
SIGNTOOL
SVER: 6.3.9600.17298
SHA1: 1
SHA2: 2
Compiler error GEN1053: Code signing process failed. Error Code: 2

And it stops there.....
So is the ErrorCode a signtool code or a SB code?

What am I missing here?

Paul MacFarlane

Paul,

> And it stops there.....
> So is the ErrorCode a signtool code or a SB code?
>
> What am I missing here?

Assuming that you have the correct certificate configuration information in
your project settings for setup.exe signing. Your protection software
decided to block access to the timestamp server (false-positive bug). As a
result, SHA-1 and SHA-2 signing failed. Try to put your SignTool.exe to the
exclusion list of your protection software.

But I would suggest to re-check the certificate configuration first (e.g.
the code-signature password).

Hope this helps.

Friedrich

Why would it be successful in signing my applications then fail signing
the uninstaller ?

Here's the project cert setup which seems to work for my EXEs.

Also,
I setup some certificate profiles for SHA1and SHA2. When are those used?

Paul MacFarlane

Paul,

> Why would it be successful in signing my applications then fail signing
> the uninstaller ?

If you have the certificate configuration wrong for your setup.exe signing
(e.g. password) and correct for your own .EXE/.DLL signing, then only
setup.exe signing fails. Or if your protection software (real-time
monitoring) does not like the contents of your setup.exe then code-signing
fails (false-positive bug). To fix a false-positive bug, you can try to put
the SignTool.exe to the exclusion list. If this does not help, put the
<user>\Application Data\Lindersoft\SetupBuilder 10 to the exclusion list.

>
> Here's the project cert setup which seems to work for my EXEs.
>

The screenshot you posted is for your SETUP.EXE signing! I would suggest to
re-check the password.

> Also,
> I setup some certificate profiles for SHA1and SHA2. When are those used?

You can store your code-signing certificate in the IDE and then use the
pre-defined configuration in your projects (browse button) to avoid copy and
paste actions. See attached screenshots.

Friedrich

Okay - so I had changed the certificates in the project settings (and
the private key is the same from SHA1 to SHA2)....
So, I did not re-type it.....

Per your suggestion of it being wrong I re-typed it in and its now working!
So, does the IDE 'void" the password when you change the files?

Next Q:
In my SB Script I code sign several files during the build. (picture)
The #code-sign screen references the SHA1 setup.....

but the EXE is signed dual signed (picture)......

So does the #pragma CODESIGN_SHA = "12" override everything using the
project cert settings for SHA2 and
TSSHA1URL for SHA1 ? Does that mean it's signing with the project cert
and ignoring the settings under #code-sign ?

A little confusing.....

Paul MacFarlane

> In my SB Script I code sign several files during the build. (picture)
> The #code-sign screen references the SHA1 setup.....
>
> but the EXE is signed dual signed (picture)......
>
> So does the #pragma CODESIGN_SHA = "12" override everything using the
> project cert settings for SHA2 and
> TSSHA1URL for SHA1 ? Does that mean it's signing with the project cert
> and ignoring the settings under #code-sign ?
>
> A little confusing.....

You have the following:

#pragma CODESIGN_SHA = "12"

You instructed the compiler to handle "dual" code-signing (set Value to 1 to
support SHA-1 (the default) -- set Value to 2 to support SHA-2 -- set Value
to 12 to support "dual" SHA-1/SHA-2).

Okay, because you told the compiler to do dual code-signing, you have
defined the SHA-2 timestamp in "Timestamp URL" (project properties for your
setup.exe and '#code-sign application' directive for your own files).
Because you need a separate SHA-1 compliant timestamp server for your SHA-1
signature, you have to define it. You are doing this with #pragma
CODESIGN_TSSHA1URL

Friedrich

>> So does the #pragma CODESIGN_SHA = "12" override everything using the
>> project cert settings for SHA2 and TSSHA1URL for SHA1 ? Does that
>> mean it's signing with the project cert and ignoring the settings
>> under #code-sign ?

BTW, #pragma CODESIGN_SHA = "12" does not "override" everything. It just
tells the compiler what to do. For example: use your SHA-2 based
certificate to add a SHA-1 signature (CODESIGN_SHA = "1") -or- use it to add
a SHA-2 signature (CODESIGN_SHA = "2") -or- add dual signatures
(CODESIGN_SHA = "12").

Friedrich

I guess my confusion is that my #code-sign entries have the SHA1
parameters entered but they are getting dual signed...
everything is dual signed .......

So, to me it looks like it's using the SHA1 timestamp info from the
pragma, the SHA2 info from the project settings,
and dual signing everything...

Paul MacFarlane

Paul,

> I guess my confusion is that my #code-sign entries have the SHA1
> parameters entered but they are getting dual signed...
> everything is dual signed .......

What are SHA-1 "parameters"? You only do SHA-1 signing (the default method)
if #pragma CODESIGN_SHA is NOT set or if set to "1".

> So, to me it looks like it's using the SHA1 timestamp info from the
> pragma, the SHA2 info from the project settings,
> and dual signing everything...

If you set #pragma CODESIGN_SHA = "12" then the compiler will use your SHA-2
based certificate to perform "dual" code-signing (both SETUP.EXE and your
own files). #pragma CODESIGN_TSSHA1URL sets the required SHA-1 timestamp
server.

Friedrich

Friedrich,

Dug a little deeper.....

My app that is signed via #code-sign and has the old SHA1 certificate is
getting dual signed - but not with the new SHA2 certificate.
It's showing up with SHA256 in the details but not until I look at the
certificate do I see its using the old (SHA1) one....

So I'll change the #code-sign settings to the new SHA2 certificate, but
I see potential for confusion....

I guess I assumed that I wouldn't get a SHA2 signature from the SHA1
certificate.

Paul

Paul,

> I guess I assumed that I wouldn't get a SHA2 signature from the SHA1
> certificate.

I agree, it is confusing.

See attached screenshots. This happens if you use a SHA-1 based certificate
to handle "dual" SHA-1/SHA-2 code-signing. The file has two signatures, but
the SHA256 one is a SHA-1 one in reality. As a result, Windows will report
"The signature of yada is corrupt or invalid."

Friedrich