How do I code sign my installer when all I have is a .crt security certificate?

[c.curtis]

I'm new to code signing and I haven't been able to find any documentation or forum posts on how to use .crt files from Comodo.

I just have the .crt file. I have no .spc, .pfx, or .pvk file. Nor do I have a key password.

Thanks!

[linder]

Hello,

a .crt is not a code-signing certificate. You have to export to .pfx or .p12.

Does this help?

Friedrich

[c.curtis]

Definitely points me in the right direction. I'm seeing conflicting answers on how to export to .pfx. What do you suggest? This?

[c.curtis]

It helps put me in the right direction. Do I need to do this export function from certificates area of internet options on my system?

[linder]

No, "pvk to pfx" is not an option here because all new certificates are SHA-2 based and not in form of a spc/pvk. You have to export it (from your certificate store) to a .pfx or .p12 (Firefox). If you export to a .p12 then just rename to .pfx and you are done.

Does this help?

Friedrich

[linder]

Similar to this:

http://www.lindersoft.com/Comodo2014.pdf

See page 11+

Friedrich

[c.curtis]

When I try to import my .crt into Personal it doesn't work. It imports to Other People (Company?). Exporting from Other People does not give the option for exporting to pvk. Will SetupBuilder work with my code-signing certificate purchased from Comodo?

[linder]

Hello,

Microsoft SignTool.exe needs a certificate in form of .PFX. So you have to export it to .PFX or .P12 (and rename to .PFX). A certificate in form of .PVK is for SignCode.exe (and old SHA-1 based certificates) only.

https://support.comodo.com/index.php...icates-windows

BTW, are you sure that you have a valid code-signing certificate? After collecting a certificate from Comodo it will make it directly into your Internet Explorer certificate store and then you can export it to the required .PFX. It's not a SetupBuilder "requirement"; Microsoft Authenticode needs the certificate in form of a standard .PFX.

Friedrich

[c.curtis]

I'm not the one who purchased the cert, but I'm pretty sure we purchased the correct one. We were able to get a .P12 using Firefox. I changed the extension to .PFX, but now I'm getting a compiler warning and error:

------ Build started: Project: GrowPro.sbp, Configuration: Release Win32 ------

------ SetupBuilder (tm) Project Script Compiler and Linker for Windows
------ Copyright (c) 1997-2016 Lindersoft
------ SetupScript (tm) Installation Script Language
------ Copyright (c) 2003-2016 Lindersoft
------ All rights reserved.

------ Developer Edition Version 10.0.5204
------ SetupBuilder (SB/EXE) Compiler Version 10.0.5204
...
Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 10.0.10240.16384
SHA1: 1
SHA2: 2
Compiler warning GEN1061: File not found:
Compiler error GEN1053: Code signing process failed. Error Code: 2

[linder]

Hello,

You are using the "Global SHA-1 & SHA-2 dual" code-signing method. This will ignore the configuration information in "General Information" (or #code-sign application... directive). You did not define the certificate in the "Options" screen (-->"Global Personal Information Exchange File (PFX)" field. Please add both the .PFX file and its password.

And to handle dual SGA-1/SHA-2 signing, you need SHA-1 and SHA-2 compatible timestamp servers.

Use this for SHA-1: http://timestamp.comodoca.com/authenticode
Use this for SHA-2: http://timestamp.globalsign.com/?signature=sha2

Does this help?

Friedrich