
Thread: Large Setup cannot be code-signed

  1. #1
    Join Date
    Nov 2007
    Location
    Malone, NY
    Posts
    69

    Default Large Setup cannot be code-signed

    Friedrich,

    First THANKS! for adding SSL support that seems to work perfectly. And now I have to release the 2019 version.

    I have a large setup file (1.7 GB) that refuses to be code-signed.
    Its demo version (175 MB) works fine.
    AND I can code-sign the setup using signtool - so that means that the AV isn't getting in the way and the timestamp server is working.
    Here's my signtool line -
    signtool sign /f "D:\Users\Pop\Documents\Security\Codesign_2021.pfx" /p xxxxxxxxxxx /t http://timestamp.comodoca.com/authenticode /d "Hand crafted software for business and research" /du "http://cordessoftware.com" "D:\Users\Public\SetupBuilder Projects\pcgarwV9_2019\su_pcg_si_Full_4.1.15.190.exe"

    When I get the exe down below 300MB, the SB codesign works.

    I just noticed - There is a note on the MS site Signtool page that says if the exe is over 300MB a Catalog should be used instead of signtool.

    TIA,
    Chris C
    coffee.cup not found. Programmer halted.
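
The signed-catalog route mentioned in the post above, as an added example that is not part of the original thread: it hashes a folder of large payload files into a catalog, signs the small catalog with signtool, and checks both on the receiving side. The folder, catalog and PFX paths, the PFX_PASSWORD environment variable and the thumbprint placeholder are assumptions; the cmdlets are the built-in ones from Windows PowerShell 5.1.

```powershell
# Added example, not from the thread. Paths, PFX_PASSWORD and the thumbprint are hypothetical.
$payload   = 'D:\Release\payload'        # folder with the large data files (.bin volumes)
$catalog   = 'D:\Release\payload.cat'    # kept outside $payload so it does not list itself
$pfx       = 'D:\Security\Codesign.pfx'
$timestamp = 'http://timestamp.comodoca.com/authenticode'   # URL taken from the thread
$expected  = '<EXPECTED-SIGNER-THUMBPRINT>'                 # placeholder for the publisher cert

# 1. Publisher: record a SHA-256 hash of every file under $payload (catalog version 2).
New-FileCatalog -Path $payload -CatalogFilePath $catalog -CatalogVersion 2.0 | Out-Null

# 2. Publisher: Authenticode-sign the catalog (a small file) instead of the payload.
& signtool sign /f $pfx /p $env:PFX_PASSWORD /fd SHA256 /t $timestamp $catalog
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 3. Recipient: a hash match proves nothing unless the catalog itself is signed
#    by the expected publisher, so all three checks must pass.
function Test-ReleasePayload {
    param(
        [Parameter(Mandatory)] [string] $CatalogPath,
        [Parameter(Mandatory)] [string] $PayloadPath,
        [Parameter(Mandatory)] [string] $SignerThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Catalog signature status: $($sig.Status)"
        return $false
    }
    # 'Valid' only means a trusted chain; pin the certificate that is expected to sign.
    if ($sig.SignerCertificate.Thumbprint -ne $SignerThumbprint) {
        Write-Warning "Catalog signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
        return $false
    }
    # Re-hash the payload and compare it with the hashes stored in the catalog.
    $result = Test-FileCatalog -CatalogFilePath $CatalogPath -Path $PayloadPath -Detailed
    if ($result.Status -ne 'Valid') {
        Write-Warning "Payload does not match the catalog: $($result.Status)"
        return $false
    }
    return $true
}

Test-ReleasePayload -CatalogPath $catalog -PayloadPath $payload -SignerThumbprint $expected
```

The recipient-side function is the part to run in an installer bootstrap or deployment script before any payload file is opened.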

  2. #2
    Join Date
    Mar 2004
    Posts
    4,307

    Default Re: Large Setup cannot be code-signed

    Hi Chris,

    Thanks again for all your SSL help!!! It's working rock solid now.

    Unfortunately, the code-signing problem is not caused by SetupBuilder. It's a well-known limitation of Windows. It depends on quite a few factors, e.g. Windows version, patch level, available resources, etc.

    To cut a long story short, it's not a good idea (and even impossible) to code-sign very large executables (>1.3GB).

    See (performance):
    http://www.lindersoft.com/forums/sho...5097#post65097

    And this (no icon and file properties):
    http://www.lindersoft.com/forums/sho...arge#post63476

    Using the "Custom (for UAC-aware systems)" option is the way to go.

    Does this help?

    Friedrich

  3. #3
    Join Date
    Nov 2007
    Location
    Malone, NY
    Posts
    69

    Default Re: Large Setup cannot be code-signed

    HI!
    It was my pleasure; besides I got a rock solid SSL installer DL and update out of it.

    Yes, I agree and I'm trying to get my client to understand. BUT "EVERYTHING MUST BE CODE-SIGNED"
    Can I do that after the fact? - after the UAC Aware setup package is created? (might be worth a try)

    And what about the Web Install - Can that be successfully signed? Can I sign all the bin files?

    I also thought of not including the data in the initial install, but have it as the first update.

    Yes, it helped to know that I'm not going mad. Thanks,
    Chris
    coffee.cup not found. Programmer halted.

  4. #4
    Join Date
    Mar 2004
    Posts
    4,307

    Default Re: Large Setup cannot be code-signed

    Hi Chris,

    You can only code-sign executables. It is not possible to Authenticode code-sign data files. But SetupBuilder has its own fingerprint technology:

    Enable Installer Integrity Check—SetupBuilder supports an Archive Fingerprint Verification algorithm. The advantage of this feature is to offer a layer of protection between the creator of an installation file and the recipient. The purpose of fingerprint verification is to help provide detection of tampered, hacked, and incomplete or virus infected installation files. If your installation executable supports fingerprint verification, the recipient knows that the installation file received is the file that was sent. If the installation file has failed the fingerprint verification, the contents are suspect. This option requires that you build a single file setup.exe installation executable or a "Custom (for UAC-aware systems)" Media Type Generator Setting with single .bin volume.

    So if you code-sign your executable, the data is 100% safe. The same is true for Web Updates. You code-sign the main executable and all cluster files have their own fingerprint verification.

    Friedrich

  5. #5
    Join Date
    Nov 2007
    Location
    Malone, NY
    Posts
    69

    Default Re: Large Setup cannot be code-signed

    Thanks again.
    I went ahead with the web install/update and that is working perfectly. The exes get code-signed and everything else is in bin files, all of it on a secure web server. Client is happy and is now changing their licensing requirements.

    Cheers,
    Chris C
    coffee.cup not found. Programmer halted.

  6. #6
    Join Date
    Mar 2004
    Posts
    4,307

    Default Re: Large Setup cannot be code-signed

    Perfect! Thanks for the good news.

    Friedrich
