Dual signing MSI file

Printable View

07-28-2016, 11:06 AM
NewsArchive

Dual signing MSI file

Hi all,

I have an old MSI file built with Visual Studio several years ago that
contains Crystal reports components for re-distribution. This is a very
low importance problem, just curious.

I just ran into that this MSI fails every time I try to code sign it
with SHA2. It's not a big deal, but I wonder if there is something in
MSI preventing them from being code signed with SHA2?

I don't think I have the old MSI install script from VS (it was probably
about 10 years ago!) so I'm not going to put any work into it at all,
just curious in case I do stumble on the old script and want to have a
go at it.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC
08-02-2016, 03:59 AM
NewsArchive

1 Attachment(s)

Re: Dual signing MSI file

Interesting.

So I made a little MSI using SetupBuilder.

Tried signing it.
Barfed at dual-signing (pic).

But I was able to sign it with a single SHA2 signature.

here's the SHA2 MSI, if you want to look:
http://www.beachbunnysoftware.com/SB/ArnorMSI.msi

jf
08-03-2016, 02:18 PM
NewsArchive

Re: Dual signing MSI file

Hi Jane,

> But I was able to sign it with a single SHA2 signature.
>
> here's the SHA2 MSI, if you want to look:

Thanks. Yes, I am able to do a SHA2 code sign only, not dual code sign.
That works for me:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC
08-08-2016, 06:38 AM
NewsArchive

Re: Dual signing MSI file

>> But I was able to sign it with a single SHA2 signature.
>>
>> here's the SHA2 MSI, if you want to look:
>
> Thanks. Yes, I am able to do a SHA2 code sign only, not dual code sign.
> That works for me:)

The MSI file format does not support dual signing <g>. Only SHA-1 -or-
SHA-2.

Friedrich
08-09-2016, 10:30 AM
NewsArchive

Re: Dual signing MSI file

Hi Friedrich,

> The MSI file format does not support dual signing <g>. Only SHA-1 -or-
> SHA-2.

Nice;) I don't think I need to worry about SHA-1 on this thing:)

BTW: What happens on older machines, XP etc. if you have SHA-2
codesigning only?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC
08-09-2016, 10:31 AM
NewsArchive

Re: Dual signing MSI file

> Nice;) I don't think I need to worry about SHA-1 on this thing:)
>
> BTW: What happens on older machines, XP etc. if you have SHA-2
> codesigning only?

On older non-UAC-aware machines, a SHA-2 signature is always "invalid". But
the .msi should still install fine on XP (especially when called from a
perfectly SHA-1/SHA-2 signed .exe installer).

Friedrich
08-09-2016, 10:31 AM
NewsArchive

Re: Dual signing MSI file

Hi Friedrich,

> On older non-UAC-aware machines, a SHA-2 signature is always "invalid". But
> the .msi should still install fine on XP (especially when called from a
> perfectly SHA-1/SHA-2 signed .exe installer).

Thanks:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC