Reply to Thread

Re: How do I code sign my installer when all I have is a .crt security certificate?

Perfect! I am glad it's working fine now. Thanks for the update.

Friedrich

Re: How do I code sign my installer when all I have is a .crt security certificate?

Oops. My mistake. It's working now.


Thank you Friedrich!

Re: How do I code sign my installer when all I have is a .crt security certificate?

Hello,

You are using the "Global SHA-1 & SHA-2 dual" code-signing method. This will ignore the configuration information in "General Information" (or #code-sign application... directive). You did not define the certificate in the "Options" screen (-->"Global Personal Information Exchange File (PFX)" field. Please add both the .PFX file and its password.

And to handle dual SGA-1/SHA-2 signing, you need SHA-1 and SHA-2 compatible timestamp servers.

Use this for SHA-1: http://timestamp.comodoca.com/authenticode
Use this for SHA-2: http://timestamp.globalsign.com/?signature=sha2

Does this help?

Friedrich

Re: How do I code sign my installer when all I have is a .crt security certificate?

I'm not the one who purchased the cert, but I'm pretty sure we purchased the correct one. We were able to get a .P12 using Firefox. I changed the extension to .PFX, but now I'm getting a compiler warning and error:

------ Build started: Project: GrowPro.sbp, Configuration: Release Win32 ------

------ SetupBuilder (tm) Project Script Compiler and Linker for Windows
------ Copyright (c) 1997-2016 Lindersoft
------ SetupScript (tm) Installation Script Language
------ Copyright (c) 2003-2016 Lindersoft
------ All rights reserved.

------ Developer Edition Version 10.0.5204
------ SetupBuilder (SB/EXE) Compiler Version 10.0.5204
...
Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 10.0.10240.16384
SHA1: 1
SHA2: 2
Compiler warning GEN1061: File not found:
Compiler error GEN1053: Code signing process failed. Error Code: 2


Attachment 4360Attachment 4361

Re: How do I code sign my installer when all I have is a .crt security certificate?

Hello,

Microsoft SignTool.exe needs a certificate in form of .PFX. So you have to export it to .PFX or .P12 (and rename to .PFX). A certificate in form of .PVK is for SignCode.exe (and old SHA-1 based certificates) only.

https://support.comodo.com/index.php...icates-windows

BTW, are you sure that you have a valid code-signing certificate? After collecting a certificate from Comodo it will make it directly into your Internet Explorer certificate store and then you can export it to the required .PFX. It's not a SetupBuilder "requirement"; Microsoft Authenticode needs the certificate in form of a standard .PFX.

Friedrich

Re: How do I code sign my installer when all I have is a .crt security certificate?

When I try to import my .crt into Personal it doesn't work. It imports to Other People (Company?). Exporting from Other People does not give the option for exporting to pvk. Will SetupBuilder work with my code-signing certificate purchased from Comodo?

Re: How do I code sign my installer when all I have is a .crt security certificate?

Similar to this:

http://www.lindersoft.com/Comodo2014.pdf

See page 11+

Friedrich

Re: How do I code sign my installer when all I have is a .crt security certificate?

No, "pvk to pfx" is not an option here because all new certificates are SHA-2 based and not in form of a spc/pvk. You have to export it (from your certificate store) to a .pfx or .p12 (Firefox). If you export to a .p12 then just rename to .pfx and you are done.

Does this help?

Friedrich

Re: How do I code sign my installer when all I have is a .crt security certificate?

It helps put me in the right direction. Do I need to do this export function from certificates area of internet options on my system?

Re: How do I code sign my installer when all I have is a .crt security certificate?

Definitely points me in the right direction. I'm seeing conflicting answers on how to export to .pfx. What do you suggest? This?