Code Signing App.exe



NewsArchive
06-02-2020, 08:49 AM
We have been code signing our products for years.

Today we noticed something that doesn't seem correct.

1) The install file setup.exe has the digital signatures (see attachment setup.exe.png)
2) The app.exe DOES NOT have the digital signatures (see attachment acms.exe.png)

Are we misunderstanding the output from the code-signing processes?

Thanks,
Ken Stone

NewsArchive
06-02-2020, 08:57 AM
Hi Ken -

I've always used the #code-sign-application directive (available under
"Compiler Directives" in the right side of the script editor window).

You can use that to code sign all of the .exe and .dll of your
application (independently of the setup.exe itself).

Look #code-sign up in the docs.

Jeff Slarve
www.jssoftware.com


Bits and Bytes are Dy-No-Myte

NewsArchive
06-02-2020, 08:58 AM
We are using the #code-sign-application directive (see below)

Adding Digital Certificate II (Preprocessor)...
SIGNTOOL: C:\Clarion10\Apps\Acmswin\11.00\acmswin.exe
SVER: 10.0.16299.15
SHA1: 0
SHA2: 0
Code signed successfully: C:\Clarion10\Apps\Acmswin\11.00\acmswin.exe

Ken Stone

NewsArchive
06-02-2020, 08:58 AM
Ken Stone,

> We are using the #code-sign-application directive (see below)
>
> Adding Digital Certificate II (Preprocessor)...
> SIGNTOOL: C:\Clarion10\Apps\Acmswin\11.00\acmswin.exe
> SVER: 10.0.16299.15
> SHA1: 0
> SHA2: 0
> Code signed successfully: C:\Clarion10\Apps\Acmswin\11.00\acmswin.exe

I hate to ask but are you doing this at the top of the script before
the files are compressed into the install?

--
Lee White

RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com

Hydrogen, the only CLEAN fuel and the future of clean air.

NewsArchive
06-02-2020, 08:59 AM
We are doing the app.exe Code Signing in the Initialize Setup section.

Ken Stone

NewsArchive
06-02-2020, 08:59 AM
>We are doing the app.exe Code Signing in the Initialize Setup section.

I have a separate script to only code-sign all EXE of our suite.

After that I send them to VirusTotal.com, select the Hashes and the URLs and
store them in a text-file. This text-file now gets added to the base-folder of
the installation, so every Admin can inspect the hashes and compare with the
installed files.

And now I compile everything together.

There is another benefit: Sometimes code-signing fails, due to problems of
connectivity of the signing server. Then the script fails. Since the
Installer has grown now to some 100 MB and I have to make different versions of
the installer (different countries with different datasets, complete-version /
update/version - a total of 8 different installers) one after the other, it's
annoying when I have to restart, just because one connection didn't work.

And I need one EXE code-signed only once!

So, consider separating the code-signing process of the distributed binaries
from the installer itself.

Just my experience in my specific scenario
Wolfgang


Regards,
Wolfgang Orth
www.odata.de

Please note:
From time to time it happens, that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.

NewsArchive
06-02-2020, 09:00 AM
Where are you seeing acms.exe not signed?

On your own computer or after using your installer to install it on a
"customer" computer?

I ask because unless you mark the Permanent checkbox on the #code-sign
application screen, SB will code-sign a copy of acms.exe, put that
code-signed copy into the installer, and leave the non-code-signed
acms.exe file on your development machine.

It should appear code-signed when the installer has installed it on a
customer computer.

JAT...

jf

NewsArchive
06-02-2020, 09:01 AM
Jane, thank you for pointing that out.

- We have verified and it's what you stated.

Thanks,
Ken Stone

NewsArchive
06-04-2020, 03:06 AM
Glad you got it sorted, Ken!

jf
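
The check this thread arrives at (is the installed copy signed, and is it a different file from the unsigned copy left in the build folder?), as an added PowerShell example that is not from any poster. Both directory paths are placeholders; the SHA256 column is the value an admin would compare against a shipped hash list like the one Wolfgang describes.

```powershell
# Added example, not from the thread. Both default paths are placeholders.
param(
    [string]$BuildDir   = 'C:\path\to\build-output',   # placeholder: where the compiler leaves the EXE/DLLs
    [string]$InstallDir = 'C:\path\to\installed-app'   # placeholder: where the installer put them
)

# Authenticode status and SHA-256 for every EXE/DLL under a directory.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name        = $_.Name
                Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer      = $sig.SignerCertificate.Subject   # empty when the file is unsigned
                Timestamped = [bool]$sig.TimeStamperCertificate
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$build     = @(Get-SignatureReport -Directory $BuildDir)
$installed = @(Get-SignatureReport -Directory $InstallDir)

# One row per installed binary, next to the same-named file in the build folder.
# Signing rewrites the file, so a signed installed copy beside an unsigned build
# copy shows InstalledStatus = Valid, BuildStatus = NotSigned, SameBytes = False.
$installed | ForEach-Object {
    $file = $_
    $dev  = $build | Where-Object { $_.Name -eq $file.Name } | Select-Object -First 1
    [pscustomobject]@{
        Name            = $file.Name
        InstalledStatus = $file.Status
        BuildStatus     = if ($dev) { $dev.Status } else { '(not in build dir)' }
        SameBytes       = [bool]($dev -and $dev.SHA256 -eq $file.SHA256)
        Timestamped     = $file.Timestamped
        SHA256          = $file.SHA256
    }
} | Format-Table -AutoSize

# Anything shipped without a valid signature is worth failing a release on.
$unsigned = @($installed | Where-Object { $_.Status -ne 'Valid' })
if ($unsigned.Count -gt 0) {
    Write-Warning ("{0} installed binaries are not validly signed: {1}" -f
        $unsigned.Count, ($unsigned.Name -join ', '))
    exit 1
}
```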