Reply to Thread

Post a reply to the thread: SetupBuilder and Code-Signing

Your Message

Click here to log in

What's the name of our main installation product (in lowercase letters)?

 

You may choose an icon for your message from this list

Additional Options

  • Will turn www.example.com into [URL]http://www.example.com[/URL].

Topic Review (Newest First)

  • 04-28-2015, 04:22 AM
    linder

    Re: SetupBuilder and Code-Signing

    Tim,

    If you request a code-signing certificate then you'll always get a new one. There is no "renew" for certificates. Request a new certificate 10-14 days before your "old" certificate is due to expire and you "should" be on the safe side (but no guarantee).

    Friedrich
  • 04-27-2015, 02:52 PM
    torrid

    Re: SetupBuilder and Code-Signing

    Hi
    My certificated does not expire until June. If I renew early to make sure I get through the process, do I lose time on my cert or do they add 3 years from the current certificate's expire date?

    Is there any problem with waiting until the cert expires or will that create more work in verification?

    -Tim
  • 04-02-2015, 03:03 AM
    linder

    Re: SetupBuilder and Code-Signing

    Hi Dee,

    WOW! Very interesting. Thanks so much for sharing !!!

    Friedrich
  • 04-01-2015, 08:24 PM
    DDreslough

    Re: SetupBuilder and Code-Signing

    Hi Everybody!

    Well, I just got through the process of getting my certificate reissued with SHA2 encryption. My cert was 2 years old, and I had an interesting problem that I'd lost my original private key text file (pvk). I still had my .pfx file, which has the private key info rolled into it...so here's what I did:

    Comodo only gives you the cert part. And OpenSSL on the PC was too hard for me to figure out.

    So...
    I used a tool from DigiCert ( https://www.digicert.com/util/ ) to import my old .pfx file on my new computer.

    Then I imported the new certificate from Comodo, and the DigiCert utility said "Missing PVK information". It then offered ot search this computer to repair/complete. It found the key file information in my original .pfx file from two years ago, and Wah-Lah! I could export the new certificate as a working complete PFX. I also was able to use the tool to export a split PVK and Cert file from my original .pfx. Very handy! all I needed to remember was my password, which I'd spraypainted on the side of my house so I wouldn't lose it. (Just kidding. I spraypainted it on an interior wall, like all my passwords. I'm very security minded! )

    To give credit where credit is due, and also if people need to go ask about making a new pfx...I saw mention of that DigiCert tool on stack overflow: http://stackoverflow.com/questions/6...nd-private-key

    Our setup is all compiled and I'm testing it now. DAYS before the due date! It's a Christmas miracle!! (We really get behind in this place. )
    - Dee Dreslough, Sports Mogul Inc. Long time SetupBuilder user.
  • 05-24-2014, 12:45 PM
    Maarten

    Re: SetupBuilder and Code-Signing

    Thank you Friedrich !
    I found more information when reading on and notably the update download link for the sign tool, but nothing about the legal stuff.

    Regards,

    Maarten,
  • 05-24-2014, 03:47 AM
    linder

    Re: SetupBuilder and Code-Signing

    Maarten,

    Well, perhaps you are not aware that it is NOT allowed to redistribute signtool.exe? It's only available in the SDK. Microsoft has a very good law firm if you do the wrong thing Never ever make signtool.exe available as a download. If you do, you'll hear from their lawyers.

    BTW, the documentation is up-to-date! There is a new SHA1 or SHA2 order option for certificates now. The SB compiler will support it in a later build.

    Friedrich
  • 05-23-2014, 11:09 AM
    Maarten

    Re: SetupBuilder and Code-Signing

    This document is 5 years old. Did nothing change here. Why is it that SetupBuilder does not ship with the latest signtool.exe ??

    Regards,

    Maarten,
  • 01-27-2012, 05:56 PM
    Tom H.

    Re: SetupBuilder and Code-Signing

    I was getting what appeared to be random failures during the code signing process with SB 7.5 under Window 7, 32-bit. At times, it would even cause SB to fail/terminate.

    After some research, I have found that if I have Windows Explorer open on the default \Installs folder where my installs are built, it will fail every time. Select any other folder, and the signing step works every time.

    It seems Windows 7 puts some kind of hold or watch on the folder it is displaying, and SignTool does not like that at all. I've also run into similar issues with folders being viewed simultaneously between XP, Vista and Win 7 where you can't rename/move/delete files due to these invisible locks.

    Hope this helps someone,
    Tom H.
  • 05-04-2011, 07:53 PM
    Tom H.

    Re: SetupBuilder and Code-Signing

    Just a heads up...

    If you use Windows 7, be aware that the CAPICOM.DLL referred to elsewhere here is no longer needed in order to user SIGNTOOL.EXE for code signing. CAPICOM has been deprecated by MS for Win 7.

    All you need is a Windows 7 version SIGNTOOL.EXE now, and the simplest way to get it is to download the Windows SDK for .NET 3.5SP1 or .NET 4.

    http://msdn.microsoft.com/en-us/wind.../bb980924.aspx

    This link leads you to a small stub for the latest SDK version, so you don't need to download the entire SDK. In the installer, just uncheck everything except the 'Tools' option, and then you'll only get a small subset of the SDK that includes the Win 7 version of SIGNTOOL.EXE.

    Point SetupBuilder at SIGNTOOL.EXE, which you'll find under Program File\Microsoft SDK a few levels down in the \BIN folder.

    Tom
  • 07-16-2010, 07:48 AM
    Jane

    Re: SetupBuilder and Code-Signing

    O.D.,

    There's also a new SB tool to ease some of the pain of code-signing items you're installing - the Certificate Profiles tab on the Tools | Options window.

    It's not a "live" update. If you change your certificate password, for example, it will not automatically update every item you've configured using that profile.

    But it does make it easy to double-click any #code-sign compiler directive, then click the blue folder icon and choose the profile to update anything to the new code-sign settings.

    And, of course, it takes out a lot of the hassle of configuring code-signing for items in the first place.

    Jane
This thread has more than 10 replies. Click here to review the whole thread.

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •