Couple of Questions



NewsArchive
06-17-2008, 01:09 PM
Hi,

As a happy user of a great product I now have a couple of questions:

1. I have set the requireAdministrator flag, but my new download (I have not
made any changes to the script for a long time).
Now the UAC suddenly kicks in under Vista and the "Allow this program to
run" (in Norwegian) pops up every time for users upgrading or installing
my software.
I also "Code signed" the install.exe using SignCode.exe.
For customers that have my app installed under Vista (previous version), the
icons are now replaced with my icon and a "Windows shield" (that triggers
UAC).

2. Code signing from within SetupBuilder, I have purchased the "Comodo?"
from Lindersoft, but am unable to find any private keys, credential files
and so forth, I've searched my local hard-drives without any luck, the
SignCode however finds a certificate but requires me to do it in a 2 step
process (Build & Sign), lazy cw.developer as I am, I would of course do
this in one process :)



--
Cheers
Kind regards
Tor-Bjarne Henriksen
Berghs Metall as
"We make IT easy"
Http://www.fakturaprogram.no
Http://www.winvask.no

NewsArchive
06-17-2008, 01:10 PM
Hi Tor-Bjarne,

> As a happy user of a great product I now have a couple of questions:
>
> 1. I have set the requireAdministrator flag, but my new download (I have
> not made any changes to the script for a long time).
> Now the UAC suddenly kicks in under Vista and the "Allow this program to
> run" (in Norwegian) pops up every time for users upgrading or installing
> my software.
> I also "Code signed" the install.exe using SignCode.exe.
> For customers that have my app installed under Vista (previous version),
> the icons are now replaced with my icon and a "Windows shield" (that
> triggers UAC).

Welcome to Vista <g>.

The goal of a normal "UAC-aware" application is to start with the access
token of the running account, and only request promotion to a full-access
token when actually needed. This process of promotion is called "privilege
elevation", and requires that the user confirms the action before it is
actually executed. Privilege elevation is a new feature and a permanent
change to the Windows operating system.

Privilege elevation allows administrators to run the majority of their
applications at a safe privilege level, but also allows processes and
operations that require administrative privileges. UAC supports
"over-the-shoulder" authentication so that an Administrator can grant
elevated privileges to a program while a Standard User is currently logged
onto the system.

The elevation prompt can be either a simple Continue/Cancel dialog (Admin
approval mode) or a fully fledged log-in dialog (users must explicitly enter
their credentials), depending on the type of the running account and
security settings. There are a couple of variations of the prompt, depending
on whether the executable is digitally signed or not. Vista encourages use of
digital signatures by displaying a "nicer" elevation prompt for signed
executables than unsigned ones.

The following details the elevation prompt color-coding:

* Red background and red shield icon: The application is from a blocked
publisher or is blocked by Group Policy.

* Blue/green background: The application is a Windows Vista administrative
application, such as a control panel.

* Gray background and gold shield icon: The application is Authenticode
signed and trusted by the local computer.

* Yellow background and red shield icon: The application is unsigned or
signed but not yet trusted by the local computer.

The elevation prompt under Vista (with UAC enabled) is displayed for all
applications that request administrator execution level privileges. Even
for Vista's own applications and functions (e.g. Change Date/Time).

> 2. Code signing from within SetupBuilder, I have purchased the "Comodo?"
> from Lindersoft, but am unable to find any private keys, credential
> files and so forth, I've searched my local hard-drives without any luck,
> the SignCode however finds a certificate but requires me to do it in a 2
> step process (Build & Sign), lazy cw.developer as I am, I would of course
> do this in one process :)

You need the .spc/.pvk (for SignCode) -OR- .pfx (for SignTool). Both
options are supported in SetupBuilder.

If you can't find any of the files, please see this:
http://www.lindersoft.com/forums/showthread.php?t=8279
http://www.lindersoft.com/forums/showthread.php?t=9498
http://www.datadownunder.com.au/lindersoft/ComodoPurchaseDemo.html

Does this help?

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
06-17-2008, 01:12 PM
By the way, if the elevation prompt did not kick in under Vista in your
previous installations, then you did not request administrator execution
level privileges. In other words, it was not possible to handle operations
that require administrative privileges (e.g. write to the Program Files
folder, write to HKEY_LOCAL_MACHINE, etc.).

I noticed the following in your post:

> I also "Code signed" the install.exe using SignCode.exe.

I hope you are using the built-in code-signing (General Properties ->
Digital Signature) and you do *not* code-sign the setup.exe manually, right?
Never ever code-sign the setup.exe manually.

--
Friedrich Linder

NewsArchive
06-18-2008, 11:55 AM
Eh... OBS.. I code signed the setup file manually (only way I got it working
(How I hate this code signing shit, I just want to build an install <g>))

I've done this for a long time! - Why not?

Cheers
Tor-Bjarne

NewsArchive
06-18-2008, 11:55 AM
My sentiments too.
--
---
Best Regards,
Earl R Coker
www.kwiksystems.net
www.kwiksystems.com
www.kwiksystems.net/appshell/index.htm
www.kwiksystems.net/ClarionTemplates.htm (BigTamer(tm) Templates)

NewsArchive
06-18-2008, 11:56 AM
Hi Tor-Bjarne,

> Eh... OBS.. I code signed the setup file manually (only way I got it working
> (How I hate this code signing shit, I just want to build an install <g>))
>
> I've done this for a long time! - Why not?

1. If you code-sign manually, then your uninstall application is not
code-signed (and this is a requirement under Vista and Windows Server 2008).

2. If you have enabled the "Installer Integrity Check" feature (General
Properties), then you'll always receive a "corrupted" installation error.
So I assume you are not using this valuable integrity checking feature.

The main reason for not code-signing your setup.exe manually is that you
don't have a Vista/2008 compatible uninstall. Depending on specific group
policy settings on the target Vista/2008 machine, it's possible that the
uninstall does not start at all.

Last year, SetupBuilder 6.5 Build 1840 (April 19, 2007) introduced the
following:

> FEATURE : Add on-the-fly "Uninstall Code-Sign Replication" feature
> to code-sign your uninstall application at runtime on the
> target machine. (Developer Edition only).

Hope this helps.

Friedrich

NewsArchive
06-18-2008, 11:57 AM
Hi,

Do I need to "Code-sign" all my exe files for Vista? I've just signed the
actual setup.exe?

What is so strange is that I've had this application of mine installed under
several Vista installations without any shields and UAC questions, then
after my latest release it started displaying those shields :)

After some search on your forum I was able to export a *.CER file and a
*.PFX file, but the *.PVK file I found no means to export.

Do the errors disappear if I ask the user to turn off "User Access Problems"?

Hmmm .. needless to say I stay on XP-Pro personally as long as possible :)


--
Kind regards
Tor-Bjarne Henriksen

NewsArchive
06-18-2008, 11:57 AM
Tor-Bjarne,

> Do I need to "Code-sign" all my exe files for Vista? I've just signed
> the actual setup.exe?

Yes, you really should code-sign all your own application files (.exe, .dll,
.ocx, etc.)

> What is so strange is that I've had this application of mine installed
> under several Vista installations without any shields and UAC questions,
> then after my latest release it started displaying those shields :)

Yes, because you did not request administrator execution level privileges
and so your installation did not have access to restricted areas (e.g.
Program Files folder, HKEY_LOCAL_MACHINE registry, no registration of file
extensions, etc.). It's even impossible to add an uninstall entry to the
Add/Remove Program Panel (called "Program and Features" under Vista/2008) if
your installation does not run elevated.

And it would be even worse if you had an installation that was not
Vista-aware. In this case, virtualization for legacy applications kicked in
(behind the scenes).

BTW, you can change "Requested Execution Level" to asInvoker (General
Properties) and you'll not see an elevation prompt any longer. Please note
that you don't have access to restricted Vista areas if you do this.

Does this help?

> After some search on your forum I was able to export a *.CER file and a
> *.PFX file, but the *.PVK file I found no means to export.
>
> Do the errors disappear if I ask the user to turn off "User Access Problems"?

I assume you mean UAC (User Account Control). Most of your users will never
ever disable UAC, so you really should not ask your users to disable UAC.
Some Windows features do not work any longer if UAC is disabled. For
example, the "Protected Mode" feature in Internet Explorer 7 that lets the
browser run in a sandbox with lower privileges than the standard user,
relies on UAC (and will not function if UAC is disabled).

You don't have an alternative. You have to provide a Vista-aware and Vista
compatible installation and application. Privilege elevation is a
*permanent* change to the Windows operating system. Windows 7 (MS1 release)
also has it built-in.

>
> Hmmm .. needless to say I stay on XP-Pro personally as long as possible :)
>

Vista is not that bad :)

Friedrich

NewsArchive
06-18-2008, 11:59 AM
Hi,

Thanks a lot Friedrich, your answer clarified a lot :)

When I use the code-sign in SetupBuilder will it just code-sign the
uninstaller and installer, or will it automatically code-sign DLLs, EXEs
and so forth?

No, my previous installation had a manually code-signed setup.exe, but users
can have switched UAC on, downloaded a ms-patch since that, for all I know
:)

I don't use Registry, or access \programfiles\ or \windows\ I drop everything
into my own folder (I have of course several sub-folders for example .\data\),
and the customers love the fact they can copy the program to another disc,
pc, or even a memory-stick double click on the Start.exe and be working
again without any hassle :)

I agree Vista is not all bad, but back in my field engineer days, we used to
say "If it is not broken, don't fix it" <g>, the sandbox feature (and my guess
a lot more) is cool, but if I asked one of my Clients I have some new cool
features to you, you will of course have a lot of problems with all your
other non ms-software, would you like to buy it?, I would be thrown out ;)

Again thank you for your excellent support !!

Cheers
Tor-Bjarne

NewsArchive
06-18-2008, 12:00 PM
Hi Tor-Bjarne,

> Thanks a lot Friedrich, your answer clarified a lot :)
>
> When I use the code-sign in SetupBuilder will it just code-sign the
> uninstaller and installer, or will it automatically code-sign DLLs, EXEs
> and so forth?

SetupBuilder cannot decide for you which files have to be code-signed. But
SetupBuilder can code-sign your application files for you.

Just use the "#code-sign application..." directive and you are done.

> No, my previous installation had a manually code-signed setup.exe, but
> users can have switched UAC on, downloaded a ms-patch since that, for all
> I know :)

But I am sure, it did not have a code-signed uninstall.exe ;-)

> I don't use Registry, or access \programfiles\ or \windows\ I drop
> everything into my own folder (I have of course several sub-folders for
> example .\data\), and the customers love the fact they can copy the
> program to another disc, pc, or even a memory-stick double click on the
> Start.exe and be working again without any hassle :)

If you don't use the Registry (e.g. to register file extensions, to register
your uninstall into the Add/Remove Programs panel, etc.) then you don't need
administrator execution level privileges in your installation. Change
"Requested Execution Level" to asInvoker (in the General Properties) and
Vista will not display an elevation prompt for your installation.

Does this help?

> I agree Vista is not all bad, but back in my field engineer days, we used
> to say "If it is not broken, don't fix it" <g>, the sandbox feature (and my
> guess a lot more) is cool, but if I asked one of my Clients I have some
> new cool features to you, you will of course have a lot of problems with
> all your other non ms-software, would you like to buy it?, I would be
> thrown out ;)

I know what you mean ;-) But UAC is a Vista feature and you have to follow
the new rules. Your installation *and* application have to be Vista-aware
(aka UAC-aware). If you don't follow the new rules then you'll have a
support nightmare soon.

We have invested 18 months of hard work (research and development) to make
SetupBuilder Vista and Server 2008 compatible. In the end, it was worth it
:)

>
> Again thank you for your excellent support !!
>

You are very welcome.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner
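
Added example, not part of the original thread and not SetupBuilder code: a Python audit that reads a PE image, reports the `requestedExecutionLevel` from its manifest and whether an Authenticode certificate table is present, and maps that onto the prompt behaviour described above. The function names are hypothetical, the sample images are constructed header stubs, and the manifest is assumed to be stored as UTF-8 text.

```python
import re
import struct

SECURITY_DIR = 4  # index of the certificate table (Authenticode) data directory
LEVEL_RE = re.compile(rb'requestedExecutionLevel[^>]*?level\s*=\s*["\'](\w+)')

def audit_pe(data: bytes) -> dict:
    """Return the requested execution level and whether a signature blob is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header")
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 / PE32+
    count = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    offset = size = 0
    if count > SECURITY_DIR:
        # For this directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    match = LEVEL_RE.search(data)                            # assumes a UTF-8 manifest
    return {"level": match.group(1).decode() if match else None,
            "signature_present": size > 0 and offset + size <= len(data)}

def finding(result: dict) -> str:
    """Map an audit result onto the prompt behaviour described in the thread."""
    if result["level"] is None:
        return "no manifest: not UAC-aware"
    if result["level"] == "asInvoker":
        return "no elevation prompt"
    if result["signature_present"]:
        return "elevation prompt, signed (gray if trusted, else yellow)"
    return "elevation prompt, unsigned (yellow)"

def make_sample(level: str, signed: bool) -> bytes:
    """Constructed, non-executable PE32 header stub used as sample input."""
    manifest = b'<requestedExecutionLevel level="%s" uiAccess="false"/>' % level.encode()
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # DOS header, e_lfanew
    head += b"PE\0\0" + b"\0" * 20                           # signature + COFF header
    head += struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if signed:
        cert_at = len(head) + len(dirs) + len(manifest)
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, cert_at, 8)
    return head + bytes(dirs) + manifest + (b"\0" * 8 if signed else b"")

if __name__ == "__main__":
    for name, blob in (("setup.exe", make_sample("requireAdministrator", True)),
                       ("uninstall.exe", make_sample("requireAdministrator", False)),
                       ("Start.exe", make_sample("asInvoker", False))):
        print(name, "->", finding(audit_pe(blob)))
```

A certificate table that is present is not necessarily valid or trusted; that still has to be checked on Windows, for example with SignTool's verify command.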

NewsArchive
06-18-2008, 12:01 PM
Hi,

Ok I will Vista aware it as I'm putting some file extensions in, but:

After some search on your forum I was able to export a *.CER file and a
*.PFX file, but the *.PVK file I found no means to export.

I know you are only a dealer of the Comodo, can you point me in the right
direction or do I have to get Comodo support ?

and again thank you :)


--
Cheers
Kind regards
Tor-Bjarne Henriksen

NewsArchive
06-18-2008, 12:01 PM
Tor-Bjarne,

> Ok I will Vista aware it as I'm putting some file extensions in, but:
>
> After some search on your forum I was able to export a *.CER file and a
> *.PFX file, but the *.PVK file I found no means to export.
>
> I know you are only a dealer of the Comodo, can you point me in the right
> direction or do I have to get Comodo support ?
>
> and again thank you :)

Well, we are a Comodo "partner", not a "dealer" <g> A dealer makes money
with goods.

If you have the .PFX then you are nearly there. You can use .PFX in
SetupBuilder.

http://www.lindersoft.com/forums/showthread.php?t=2202&highlight=signtool.exe

Does this help?

Friedrich

NewsArchive
06-20-2008, 01:38 AM
Now my application is Code-Signed!! and hopefully not afraid of Vista anymore
:)

Thank you for your splendid support!!

If I ever whined anyplace, I was drunk <g>

Thanks again

--
Cheers
Kind regards
Tor-Bjarne Henriksen

NewsArchive
06-20-2008, 01:43 AM
Due to MS's great success in protecting the user from hurting himself with the
newly created Vista, I join the success and create a CAR in the same
fashion:

1. It has a great engine, but will not let you pass the speed limit (You can
hurt yourself and others)
2. It won't start unless you are using the seat belt.
3. After 30 km per day it will stop, so you don't make an impact on the
environment (This also saves money for you, only a great option)
4. If your tires are starting to wear out it will stop.
5. If you are closing a big city with lot of traffic and potentially
danger for you it will stop.
6. If it is a long time since you had service, it will call the repair shop
itself.
7. If you sleep too long it will wake you with a honk.
8. If you get too heavy, it won't start, you have to go get some well needed
training.
9..
10..

I reckon I sell a lot of cars <g>

--
cheers
Kind regards
Tor-Bjarne Henriksen