I want to use Sign Tool from Windows SDK on my Excel Add-in project.
The signing works fine on the installer, but when I try on the dll-files it has no effect. I tried signing the vsto-file instead but then I get "This file format cannot be signed because it is not recognized".
The signing certificate is on a usb-dongle and I use the following command for the signing:
C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /debug /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a myInstaller.exe
What am I missing here?
There are lots of things that could be wrong here. Your parameters look good but the /a switch can get confused if there are multiple suitable certs in your store. Try using the /f switch to specify the certificate exactly.
Its tricky to tell if this is your problem. Perhaps you could share the debug output? Are there any error messages? Does the dll have a proper PE header, have you tried signing other dlls?
Related
I was wondering if it is possible to prevent access to .cab files using InstallShield Software. Maybe there is any option in the software.. It should encrypt .cab file, maybe with a certificate file?
It's possible to encrypt using InstallShield but at the file level. This is applicable if you're using Installscript project. Refer this -
https://docs.revenera.com/installshield26helplib/helplibrary/FeatureSettings.htm
For the basic MSI project, you could sign the .cab file but I didn't find any option to encrypt here. You could probably use some external script to perform this job and can try to decrypt it using a custom action at the initial phase of installation.
I have just purchased a code signing certificate from Comodo. I have built a small MS Access database that I want to deploy with Inno Setup Installer. The script runs fine but I am completely new to code signing.
How can I go about signing my installation file? Do I need an external software to sign the certificate or can I do it from within Inno Setup?
I have tried to search for answers to similar questions but none was able to show me what I need to get started, and how to go about it.
What you do is quite simple, try and follow allong
Open Inno Setup and select Tools-> Configure Sign Tools
Click "Add.." and give it a name, let's call it MsSign as I am using signtool.exe from Microsoft, you should now have something like this
You are then asked for the command line of the tool that you use for signing, as I am using signtool.exe I will use
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd
sha256 /a $p
Note the $p at the end, Inno Setup needs this...
You should now have this, and note that I have added the path to signtool.exe in my path variables and that I am using DigiCert's time server to time-stamp my signature.
In the script, you now add the following code to the setup segment
SignTool=MsSign $f
this line, tells the compiler to use code signing, it will use the variable I've called MsSign, and will sign the output generated by the setup.
it should look like this
When you look at the generated EXE you will see the digital signature
Now this works for me because I have prepared my signature store in such a way that the command line can get the signature and I have only one code sign signature so I will not need to name it, your parameters may be different than mine are, and that's okay as long as in the end, your setup works and your code gets signed.
Hope to have helped and remember you need that $p in the variable
To sign executable (installer generated by Inno Setup) simply create a batch file (.bat) and put this content into it:
"c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f Installer_Wizard_Code_Signing_Certificate.pfx /p password123 /t http://timestamp.verisign.com/scripts/timstamp.dll MySetupFile.exe
where
"c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" is path to Microsoft signing utility (part of Microsoft SDK)
Installer_Wizard_Code_Signing_Certificate.pfx is your certificate
password123 is password for your certificate
MySetupFile.exe is your setup file you want to sign
Put all files in one directory (certificate, setup to sign, and the batch file) and run the batch file.
Signtool signs the file with certificate and checks the validity against official server.
(You can use http://timestamp.verisign.com/scripts/timstamp.dll server although you have Comodo certificate, it does not matter.)
Once you download and install signtool.exe from Microsoft, put the full path of the signtool.exe into the command of the sign tool if it is not added to the path variables at step three of the previous answer:
D:\GUI\signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a $p
It would appear that VS2012 uses PFX files for signing instead of SNK files. I get the impression this is related to delayed signing; but I don't care.
When I build my application, I can use "sn -tp <my assembly>" and see it is signed.
When I ilmerge the debug folder and use the /keyfile directive (the way I was successfully doing with SNK files), the DLLs merge into one unsigned DLL.
I have read articles suggesting clever workarounds, such as extracting the public key from the original DLL and then using this in the /keyfile directive...which also failed to allow me to create a strongly signed DLL.
So, what do I need to do to get ilmerge to work with the PFX file so that my assembly will be strongly typed?
Thanks
I recently was attempting to do just the same thing (this time with VS 2015, but I am sure the results are the same).
PFX files are password-protected by default and ILMerge (at the time of this writing) does not appear to support them.
Manual Signing
The "clever workaround" as you describe it is presented here, and it appears to be the only way to accomplish this:
>sn -p some.pfx some.pub
>ilmerge /keyfile:some.pub /delaysign /out:merged\some.dll some.dll
>sn -R merged\some.dll some.pfx
Note that extracting the public key from the PFX file requires user input - allegedly it was previously possible to pipe in the password, but the current version of sn.exe does not permit console redirection.
Automated (CI Build System) Signing
In order to strong sign ILMerged assemblies in an automated way, it is necessary to install they key on the local build machine. This still requires user input in the form of password input, but only has to be done once per build machine.
As before, we need to extract the public key from the PFX file (this only has to be done once, and the PUB file can be saved alongside the PFX or even checked-in to source).
Here is the one-time setup code (both require password input):
>sn -p some.pfx some.pub
>sn -i some.pfx SomeContainerName
During the automated build, it is now possible to run:
>ilmerge /keyfile:some.pub /delaysign /out:merged\some.dll some.dll
>sn -Rc merged\some.dll SomeContainerName
Currently I generate an installer for a program using NSIS on a Linux machine. The NSIS binaries have been compiled for Ubuntu, and using the .nsi script presents no difficulties. However, the resulting setup.exe file is unsigned. This results in scary warnings for our users who download the installer via most common web browsers, as well as warnings from Windows itself when run.
We'd like to avoid these warnings, and unless I'm missing something, that requires using a Windows tool to sign the generated setup.exe file. Is there a way to do this on a non-Windows machine?
Unfortunately, each installer is unique (different files are bundled depending on the customer's request, and a unique ID included) so I cannot sign the installer on a Windows machine and then upload it.
Your best choice is probably the use of: osslsigncode. Built easily for me (make sure to have the OpenSSL headers available). It may have difficulties with the kernel mode signing policy, though (embedding the parent certs up to the root) - so you may still have to resort to WINE in the end.
I had to do it a few weeks ago, without using wine. What I did was to import the pfx file to windows and then exported it with "Include all certificates in the certificate path if possible" option. then I followed the instruction on this page .
After you have all the certs (spc and pvk files) you should use the following command:
signcode -spc [spc file] -v [pvk file] -a sha1 -$ commercial -t http://timestamp.verisign.com/scripts/timstamp.dll -tr 10 [exe file to sign]
I had to install mono-dev pack:
sudo apt-get install mono-devel
Signing files for Windows uses Microsoft Authenticode signatures. There is a tool in the SDK that signs Executables and DLLs (signtool.exe). You might be able to run that using Wine.
It's also possible to sign files through Windows API calls - these functions might be implemented in Wine aswell, but I sort of doubt it because Authenticode is only used and implemented by Microsoft (as far as I know).
However this tool doesn't to very much - it basically appends the certificate and a signed timestamp at the end of the file. There might exist adaptations for Linux aswell.
Here is a link to someone who got it working using signcode.
I need to digitally sign a tar.gz file, and have no idea how to do it. I understand the concept, and I know how to sign a jar/zip file. But I cannot find a way that will work with a tar.gz file.
Can anyone point me in the right direction, or tell me why this cannot be done?
Thanks!
One of the options is to use detached signature using an OpenPGP key or X.509 certificate. Both GnuPG and OpenSSL should be able to produce detached signatures. Of course, you will get a separate file with the signature, but this is the only viable option, as for me.