+ Reply to Thread
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: SetupBuilder and Code-Signing

  1. #1
    Join Date
    Mar 2004

    Default SetupBuilder and Code-Signing

    Please read the following SetupBuilder Code-Signing Guide:


    Table of Contents
    Part I Introduction
    Part II FAQ
    Part III Buying A Certificate - The Lindersoft "Deal"
    Part IV Getting the Tools
    Part V Setting Up SetupBuilder
    Part VI Code-Signing Your Installer
    Part VII Code-Signing Your Application Files

    Note: CAPICOM.dll has been removed from the Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1.

    Q3 2014 Updates:


    As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing (Windows Vista and greater).

    Microsoft has published a security advisory on "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program". The new policy takes effect after January 1, 2016 and requires CAs to migrate to the stronger SHA-2 hashing algorithm.

    In summary, Windows will cease accepting SHA-1 certificates on January 1, 2017. To continue to work with Microsoft platforms, all SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-256 (SHA-2) equivalent by January 1, 2017. Organizations need to develop a migration plan for any SHA-1 end-entity SSL certificates that expire after January 1, 2017 and SHA-1 code signing certificates that expire after January 1, 2016. SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack. Microsoft will give new consideration to the SHA deprecation deadlines in July 2015.

    1. Customers should "renew" with SHA-2 end-entity and intermediate certificates.

    2. Microsoft will cease trusting Code Signing Certificates using SHA-1 on January 1, 2016.

    Most applications, servers and browsers now support SHA-2, however some older operating systems such as Windows XP prior to Service Pack 3, and some mobile devices do not.

    For example: http://support.microsoft.com/kb/2763674

    Before the SHA-1 algorithm is formally deprecated by Microsoft, it is important to ensure your organization and those relying on your infrastructure are benefiting from SHA-2 support by installing the latest version of the application or browser and applying all known security updates to your operating system.

    Comodo will support only SHA-2 on all 3 year code signing certificates. They will also confirm policies at this time regarding 2 year SHA-1 code signing certificates.


    Friedrich Linder

    --Helping You Build Better Installations
    --SetupBuilder "point. click. ship"
    --Create Windows 8 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner
    Attached Images Attached Images  
    Last edited by linder; 06-05-2014 at 05:27 AM.

  2. #2
    Join Date
    May 2005
    Southwest Florida

    Default Re: SetupBuilder and Code-Signing

    I've just gotten my pfx file built, using Jane's "SetupBuilder Code-Signing". It was invaluable! I explored the latest Windows SDK (Windows 7 and .NET 3.5 SP1) and found pvk2pfx.exe and signtool.exe in \Setup\WinSDKTools\cab2.cab. Did not find capicomm.dll anywhere so I hope I don't need it.

    By the way, all I had to do for the new code signing certificate was to supply the DUNS number and put my domain registration in my company's name instead of mine.

  3. #3

    Default Re: SetupBuilder and Code-Signing

    [QUOTE=linder;43635]Please read the following excellent SetupBuilder Code-Signing Guide:

    Is the procedure for renewing a Lindersoft/Comodo certificate different? Is there a discount for renewals? Hopefully I do not have to start the entire procedure over with documentation, etc.

    -O. D.-

  4. #4
    Join Date
    Mar 2004

    Default Re: SetupBuilder and Code-Signing


    There is no special Comodo "renewal" process if you have purchased a certificate in the past. You always have to request a new certificate, it can't be "renewed". Login to the Comodo ordering system and place a new order using the same company information and Comodo should speed up the validation process. Be sure to quote your previous order number in any correspondence with them.

    The discount for Lindersoft customers with a current SetupBuilder subscription is 60% when you buy a 3-year code-sign certificate ($200 instead of $500).

    Hope this helps.


  5. #5

    Default Re: SetupBuilder and Code-Signing

    Got the new certificate and it works great. However, I was baffeld that the install was signed with the new certificate (as entered in the "General Information" tab) but our program EXE was signed with the old certificate.

    Some detective work revealed that if there is a line in the script to code sign a file (#code-sign application "C:\VDBPlProj\RMI\Reindex.exe" (RMI Update) [Permanent] [Skip]) then the new certificate needs to be entered into the wizard for that line also.

    Now all works as expected. Hope this helps someone else save time when they upgrade their certificates.

    -O. D. Williams-

  6. #6
    Join Date
    Jul 2007
    Shell Beach, California, USA

    Default Re: SetupBuilder and Code-Signing


    There's also a new SB tool to ease some of the pain of code-signing items you're installing - the Certificate Profiles tab on the Tools | Options window.

    It's not a "live" update. If you change your certificate password, for example, it will not automatically update every item you've configured using that profile.

    But it does make it easy to double-click any #code-sign compiler directive, then click the blue folder icon and choose the profile to update anything to the new code-sign settings.

    And, of course, it takes out a lot of the hassle of configuring code-signing for items in the first place.


  7. #7

    Default Re: SetupBuilder and Code-Signing

    Just a heads up...

    If you use Windows 7, be aware that the CAPICOM.DLL referred to elsewhere here is no longer needed in order to user SIGNTOOL.EXE for code signing. CAPICOM has been deprecated by MS for Win 7.

    All you need is a Windows 7 version SIGNTOOL.EXE now, and the simplest way to get it is to download the Windows SDK for .NET 3.5SP1 or .NET 4.


    This link leads you to a small stub for the latest SDK version, so you don't need to download the entire SDK. In the installer, just uncheck everything except the 'Tools' option, and then you'll only get a small subset of the SDK that includes the Win 7 version of SIGNTOOL.EXE.

    Point SetupBuilder at SIGNTOOL.EXE, which you'll find under Program File\Microsoft SDK a few levels down in the \BIN folder.


  8. #8

    Default Re: SetupBuilder and Code-Signing

    I was getting what appeared to be random failures during the code signing process with SB 7.5 under Window 7, 32-bit. At times, it would even cause SB to fail/terminate.

    After some research, I have found that if I have Windows Explorer open on the default \Installs folder where my installs are built, it will fail every time. Select any other folder, and the signing step works every time.

    It seems Windows 7 puts some kind of hold or watch on the folder it is displaying, and SignTool does not like that at all. I've also run into similar issues with folders being viewed simultaneously between XP, Vista and Win 7 where you can't rename/move/delete files due to these invisible locks.

    Hope this helps someone,
    Tom H.

  9. #9

    Default Re: SetupBuilder and Code-Signing

    This document is 5 years old. Did nothing change here. Why is it that SetupBuilder does not ship with the latest signtool.exe ??



  10. #10
    Join Date
    Mar 2004

    Default Re: SetupBuilder and Code-Signing


    Well, perhaps you are not aware that it is NOT allowed to redistribute signtool.exe? It's only available in the SDK. Microsoft has a very good law firm if you do the wrong thing Never ever make signtool.exe available as a download. If you do, you'll hear from their lawyers.

    BTW, the documentation is up-to-date! There is a new SHA1 or SHA2 order option for certificates now. The SB compiler will support it in a later build.


+ Reply to Thread

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts