Thread: Large Setup cannot be code-signed

Topic Review (Newest First)

  • 09-17-2019, 05:01 AM

    Re: Large Setup cannot be code-signed

    Perfect! Thanks for the good news

  • 09-16-2019, 05:43 PM

    Re: Large Setup cannot be code-signed

    Thanks again.
    I went ahead with the web install/update and that is working perfectly. The exes get code-signed and everything else in bin files, all of it on a secure web server. Client is happy and is now changing their licensing requirements.

    Chris C
  • 08-10-2019, 04:29 AM

    Re: Large Setup cannot be code-signed

    Hi Chris,

    You can only code-sign executables. It is not possible to Authenticode code-sign data files. But SetupBuilder has its own fingerprint technology:

    Enable Installer Integrity Check—SetupBuilder supports an Archive Fingerprint Verification algorithm. The advantage of this feature is to offer a layer of protection between the creator of an installation file and the recipient. The purpose of fingerprint verification is to help provide detection of tampered, hacked, and incomplete or virus infected installation files. If your installation executable supports fingerprint verification, the recipient knows that the installation file received is the file that was sent. If the installation file has failed the fingerprint verification, the contents are suspect. This option requires that you build a single file setup.exe installation executable or a "Custom (for UAC-aware systems)" Media Type Generator Setting with single .bin volume.

    So if you code-sign your executable, the data is 100% safe. The same is true for Web Updates. You code-sign the main executable and all cluster files have their own fingerprint verification.

  • 08-09-2019, 01:28 PM

    Re: Large Setup cannot be code-signed

    It was my pleasure; besides I got a rock solid SSL installer DL and update out of it.

    Yes, I agree and I'm trying to get my client to understand. BUT "EVERYTHING MUST BE CODE-SIGNED"
    Can I do that after the fact? - after the UAC Aware setup package is created? (might be worth a try)

    And what about the Web Install - Can that be successfully signed? Can I sign all the bin files?

    I also thought of not including the data in the initial install, but have it as the first update.

    Yes, it helped to know that I'm not going mad. Thanks,
  • 08-09-2019, 02:56 AM

    Re: Large Setup cannot be code-signed

    Hi Chris,

    Thanks again for all your SSL help!!! It's working rock solid now.

    Unfortunately, the code-signing problem is not caused by SetupBuilder. It's a well-known limitation of Windows. It depends on quite a few factors, e.g. Windows version, patch level, available resources, etc.

    To cut a long story short, it's not a good idea (and even impossible) to code-sign very large executables (>1.3GB).

    See (performance):

    And this (no icon and file properties):

    Using the "Custom (for UAC-aware systems)" option is the way to go.

    Does this help?

  • 08-08-2019, 03:47 PM

    Large Setup cannot be code-signed


    First THANKS! for adding SSL support that seems to work perfectly. And now I have to release 2019 version.

    I have a large setup file (1.7 GB) that refuses to be code-signed.
    Its demo version (175 MB) works fine.
    AND I can code-sign the setup using signtool - so that means that the AV isn't getting in the way and the timestamp server is working.
    Here's my signtool line -
    signtool sign /f "D:\Users\Pop\Documents\Security\Codesign_2021.pfx" /p xxxxxxxxxxx /t /d "Hand crafted software for business and research" /du "" "D:\Users\Public\SetupBuilder Projects\pcgarwV9_2019\su_pcg_si_Full_4.1.15.190.exe"

    When I get the exe down below 300MB, SB codesign works.

    I just noticed - There is a note on the MS site Signtool page that says if the exe is over 300MB a Catalog should be used instead of signtool.

    Chris C
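
The catalog route mentioned in the first post, sketched as an added example (not code from the thread or from SetupBuilder): the data files are hashed into a small catalog file, and the catalog is what gets the Authenticode signature, so the large files themselves stay unsigned. The folder, catalog path, certificate thumbprint and timestamp URL are placeholders chosen for illustration.

```powershell
# Added example. All paths and identifiers below are placeholders (assumptions).
$PayloadDir   = 'D:\Build\WebInstall'        # hypothetical folder holding setup.exe and the .bin volumes
$CatalogPath  = 'D:\Build\WebInstall.cat'    # catalog is stored outside the folder it describes
$Thumbprint   = '<CERT-THUMBPRINT-PLACEHOLDER>'
$TimestampUrl = '<TIMESTAMP-SERVER-URL-PLACEHOLDER>'

# --- Publisher side ---------------------------------------------------------
# 1. Hash every file under the payload folder into a version 2 (SHA-256) catalog.
New-FileCatalog -Path $PayloadDir -CatalogFilePath $CatalogPath -CatalogVersion 2.0 | Out-Null

# 2. Sign the catalog, which stays small no matter how large the payload is.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw 'Code-signing certificate not found in the current user store.' }

$signed = Set-AuthenticodeSignature -FilePath $CatalogPath -Certificate $cert `
          -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
if ($signed.Status -ne 'Valid') { throw "Signing failed: $($signed.StatusMessage)" }

# --- Recipient side ---------------------------------------------------------
# 3. The catalog must carry a valid signature before its hashes mean anything.
$catSig = Get-AuthenticodeSignature -FilePath $CatalogPath
if ($catSig.Status -ne 'Valid') { throw "Catalog signature is $($catSig.Status); do not trust the payload." }

# 4. Re-hash the payload and compare it with the signed catalog.
$check = Test-FileCatalog -Path $PayloadDir -CatalogFilePath $CatalogPath -Detailed
if ($check.Status -ne 'Valid') {
    # Report files that were modified or added after the catalog was built.
    foreach ($name in $check.PathItems.Keys) {
        if (-not $check.CatalogItems.ContainsKey($name) -or
            $check.CatalogItems[$name] -ne $check.PathItems[$name]) {
            Write-Warning "Modified or not in catalog: $name"
        }
    }
    # Report files that the catalog lists but that are missing on disk.
    foreach ($name in $check.CatalogItems.Keys) {
        if (-not $check.PathItems.ContainsKey($name)) { Write-Warning "Missing from payload: $name" }
    }
    throw 'Payload does not match the signed catalog.'
}
"Payload matches catalog signed by: $($catSig.SignerCertificate.Subject)"
```

Both recipient checks are needed: `Test-FileCatalog` only compares hashes, so an unsigned or re-generated catalog would still report a match against tampered files.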
