GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

12.7 has broken MS SignTool.exe support

First, my AI > Options setting for using our copy of the MS SignTool.exe was removed. Second, when I restore it, signing now breaks with an exception error in AI (invalid option: /as). I want to preserve our legacy code signing mechanism because (as you suggested in your upgrade documentation) we still want to support Vista. Why has this broken? I've been using an external SignTool for years because the AI internal one never worked properly.
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

FYI I did a Win 7 system restore and then a repair on AI 12.6.1 to get things working again. AI had 'corrupted' (upgraded) one project file, but I was able to use the backup.
Daniel
Posts: 8279
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Re: 12.7 has broken MS SignTool.exe support

Hello Glen,

Indeed, in our latest version (12.7) Advanced Installer automatically detects the "signtool.exe" from the latest Windows SDK installed on your build machine and uses it in the "External Tools" settings.
However, if you manually pick another "SignTool.exe" file in the "External Tools" settings, this change will be preserved in future versions of AI. It won't be reset. This is a limitation only in AI 12.7, due to a redesign of our "Digital Signature" feature.

Regarding the signing error you get, can you please give us the following information:
1. what version of SignTool.exe do you use (from which Windows SDK)? Are you using your own custom SignTool app which is a wrapper over the MS SignTool?
2. what kind of certificate file do you use? Is it of PFX type, or does it have a different extension?
3. what signature algorithm (MD5, SHA-1, SHA-256) does your certificate have?
4. what architecture is your Win 7 OS (32 or 64-bit)?

Also, can you please forward us the entire build log so we can analyze it?

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

Daniel, right now, I really don't have test machine, per se. Our current production machine is 'live' and we generate customized installations for each client, so I really don't have the luxury of breaking it right now (we are just beginning a new product release).

I will send you the version of signtool.exe that we have been using. The OS is Win 7 Pro 64bit. We do not have the Windows SDK installed (we use Embarcadero RAD Studio). I downloaded our copy of SignTool.exe years ago (2006), which we probably downloaded from MS at some point. We use a .pfx file. I don't recall the method of encoding, but I believe we use the defaults.

Edit: I think that the version of SignTool.exe is v6.1.7600.16385
Teodor
Posts: 73
Joined: Thu Jul 25, 2013 9:56 am

Re: 12.7 has broken MS SignTool.exe support

Hi Glen
GlenT wrote:I will send you the version of signtool.exe that we have been using. The OS is Win 7 Pro 64bit. We do not have the Windows SDK installed (we use Embarcadero RAD Studio). I downloaded our copy of SignTool.exe years ago (2006), which we probably downloaded from MS at some point. We use a .pfx file. I don't recall the method of encoding, but I believe we use the defaults.

Edit: I think that the version of SignTool.exe is v6.1.7600.16385
This copy of signtool.exe appears to be from the Windows 7 SDK. This version (or older) doesn't have the "/as" (append signature) command line switch for performing dual signing.

To perform dual signing on Windows 7 SP1, please install the Windows 8 SDK (or newer).
Advanced Installer should automatically detect the latest signtool.exe version unless you manually picked a custom location. In this case please select the newer signtool.exe from External Tools dialog.
Teodor Micu - Advanced Installer Team
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

Hmm... tried to download/install the current Window SDK yesterday. Failed with some obtuse error. Will try again.
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

I had better luck getting a copy of Win8 SDK to download and install (I think that MS is throwing up roadblocks to installing Win10 SDK under Win7 -- no surprise). I now have updated x86 and x64 versions of SignTool.exe and am testing them with AI 12.6.1. I will try again with AI 12.7 later, if/when I get the chance.
Daniel
Posts: 8279
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Re: 12.7 has broken MS SignTool.exe support

Hello Glen,

Just an addendum: please note that the dual signing support (/as switch) was introduced in our AI 12.7 version. It is not available in AI 12.6.1 or earlier versions. So, if you want to dual sign your installation files, you should use at least AI 12.7.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

I have no idea what Dual Signing is and did not specifically set it. I presume that AI set dual signing when it converted the project from 12.6.1 to 12.7, which would be a misconfiguration during the conversion.
Daniel
Posts: 8279
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Re: 12.7 has broken MS SignTool.exe support

Hello Glen,

In AI 12.7 and newer versions, dual signing will be used only when the "Sign only for modern operating systems (Windows 7 or newer)" option is unchecked in the "Digital Signature" page and you are using a SHA-256 certificate to sign your installation files. The dual signing process consists of applying two digital signatures to your installation files: one digital signature generated using the SHA-1 hashing algorithm and the other generated using the SHA-256 hashing algorithm. The first one will be recognized on older OSes like Vista and XP and the latter one will be used on Windows 7 and newer OSes.

So, if you still target old OSes, then it is advisable to dual-sign your installation files. However, if you target only newer OSes, then you should sign your installation files using the SHA-256 hashing algorithm (i.e. by checking the "Sign only for modern operating systems (Windows 7 or newer)" option). For more details please take a look at our "SHA-2 Digital Signature Upgrade" article.

Just let us know if you have any question.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
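The two switch sets Teodor and Daniel describe above (a SHA-1 signature first, then a SHA-256 signature appended with /as, and a signtool.exe new enough to know /as) are easy to get wrong in a build script, so here is an added example that builds and checks those command lines. It is not Advanced Installer's code and not part of this thread; the PFX path, password, target file and timestamp URLs are constructed placeholders, and the rule that /as, /fd, /tr and /td all need the Windows 8 SDK signtool (file version 6.2.x) is an assumption based on the 6.1.7600.16385 build rejecting /as in this thread. The version string can be read on the build machine with `(Get-Item signtool.exe).VersionInfo.FileVersion` in PowerShell.

```python
"""Build signtool.exe command lines for dual signing and refuse a signtool
that predates the /as switch. Added example, not Advanced Installer's code."""
import re
import subprocess
from pathlib import Path
from typing import Iterable, List

# Assumption: /as, /fd, /tr and /td arrived with the Windows 8 SDK signtool
# (file version 6.2.x). The Windows 7 SDK build 6.1.7600.16385 seen in this
# thread rejects /as with "invalid option".
MIN_VERSION_FOR_APPEND = (6, 2)
# DLLs that were needed beside a signtool.exe copied out of the SDK (names
# taken from the thread; a given SDK may ship more).
COMPANION_DLLS = ("mssign32.dll", "wintrust.dll")


def parse_version(text: str) -> tuple:
    """Pull a.b.c.d out of e.g. 'SignTool version 6.2.9200.20527'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no file version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def supports_append(version: str) -> bool:
    """True if this signtool build is new enough for /as (append signature)."""
    return parse_version(version)[:2] >= MIN_VERSION_FOR_APPEND


def missing_companion_dlls(names_in_tool_dir: Iterable[str]) -> List[str]:
    """Given the file names next to signtool.exe, list the DLLs that are absent.
    A bare signtool.exe copied out of the SDK fails on Windows 7 without them."""
    present = {name.lower() for name in names_in_tool_dir}
    return [dll for dll in COMPANION_DLLS if dll not in present]


def plan_signing(version: str, signtool: str, pfx: str, password: str, target: str,
                 sha1_timestamp: str, rfc3161_timestamp: str,
                 modern_only: bool = False) -> List[List[str]]:
    """Return the signtool invocations to run, in order.

    modern_only=False  -> SHA-1 signature (XP/Vista) then SHA-256 appended with /as
    modern_only=True   -> a single SHA-256 signature (Windows 7 and newer)
    """
    if not supports_append(version):
        raise RuntimeError(
            f"signtool {version} predates the Windows 8 SDK; install SDK 8+ "
            "and point the build at its signtool.exe")
    base = [signtool, "sign", "/f", pfx, "/p", password, "/v"]
    # SHA-1 file digest with a legacy Authenticode timestamp (/t).
    sha1 = base + ["/fd", "sha1", "/t", sha1_timestamp, target]
    # SHA-256 file digest with an RFC 3161 timestamp (/tr + /td sha256).
    sha256 = base + ["/fd", "sha256", "/tr", rfc3161_timestamp, "/td", "sha256"]
    if modern_only:
        return [sha256 + [target]]
    # /as appends the second signature instead of replacing the first.
    return [sha1, sha256 + ["/as", target]]


def verify_command(signtool: str, target: str) -> List[str]:
    """Check every signature on the file (/all), not just the primary one."""
    return [signtool, "verify", "/pa", "/all", "/v", target]


def run_plan(commands: List[List[str]], dry_run: bool = True) -> None:
    """Print each command with the PFX password masked; execute unless dry_run."""
    for cmd in commands:
        shown = list(cmd)
        if "/p" in shown:
            shown[shown.index("/p") + 1] = "***"
        print(" ".join(shown))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Path from Teodor's post; the rest are placeholders for this example.
    tool_dir = Path(r"C:\Program Files (x86)\Windows Kits\8\bin\x64")
    tool = str(tool_dir / "signtool.exe")
    if tool_dir.is_dir():
        gaps = missing_companion_dlls(p.name for p in tool_dir.iterdir())
        if gaps:
            print("warning: missing beside signtool.exe:", ", ".join(gaps))
    plan = plan_signing("6.2.9200.20527", tool, r"C:\keys\codesign.pfx",
                        "pfx-password-placeholder", r"C:\out\setup.exe",
                        "http://timestamp.example/authenticode",
                        "http://timestamp.example/rfc3161")
    run_plan(plan + [verify_command(tool, r"C:\out\setup.exe")], dry_run=True)
```

Running it with `dry_run=True` only prints the three commands, which is a cheap way to review what a build will execute before wiring it into the installer project. Passing the PFX password on the command line with `/p` is visible to other local processes; a certificate installed in the machine store and selected with `/sha1 <thumbprint>` avoids that, at the cost of a different `plan_signing` base list.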
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

OK, I appear to be caught in a catch-22 scenario. I need to use dual signing if I want to continue to support Win Vista (I do). My Win7 version of SignTool does not support dual signing. The Win8 SignTool fails with errors because "the OS (Win7) does not support the options selected".

So, what now??
[Attachment: SignTool1.png]
Teodor
Posts: 73
Joined: Thu Jul 25, 2013 9:56 am

Re: 12.7 has broken MS SignTool.exe support

Hi Glen
GlenT wrote:The Win8 SignTool fails with errors because "the OS (Win7) does not support the options selected".
Did you copy the signtool.exe file from its install location (usually "C:\Program Files (x86)\Windows Kits\8\bin\x64") to another folder?
Note that Windows SDK 8+ installs newer DLL files in the same directory for signtool.exe to function properly.

Can you test with signtool.exe selected from Windows SDK? Please mention the full path and version.
Teodor Micu - Advanced Installer Team
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

I don't have the SDK installed, because we don't use it. I installed the Win8 SDK, searched and located SignTool.exe (both x86 and x64 versions), copied the .exe file(s) to my working drive and ran them from there. No extra DLLs copied.

The Win8 SignTool.exe seems to work with AI 12.6.1. Or... I should say that it does not produce any error messages, as the newer versions of AI no longer report useful information (such as code signing activity) during a build. Edit: yeah, it seems to have signed our .exe's correctly.

SignTool version 6.2.9200.20527
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

Any more insights into what is going on with this? From what I can tell from my testing, I can only run the Win7 SDK version of SignTool under Windows 7, and consequently, I can only successfully sign my files if I select the "Sign only for modern operating systems (Windows 7 or newer)" option.

In other words, it does not appear to be possible to dual sign for older Windows -- XP, Vista or Win7 (pre-SP1) -- if your development system is running Windows 7. Can anyone confirm this?
GlenT
Posts: 118
Joined: Mon Jul 16, 2012 8:44 pm

Re: 12.7 has broken MS SignTool.exe support

Located an archive of Windows SDKs. Downloaded and installed both Win8 and Win8.1 and then copied the x86 and x64 versions of each (along with their manifest DLLs) and tested with AI 12.7.1 (note: could not install the .Net 4.0 Win7 SDK, as installation fails with an unspecified error).

Now, when I attempt to sign with either of the Win8 versions, using dual signature (for older versions of Windows) I get this message:
[Attachment: SignTool2.png]
So, now, SignTool is telling me that file type *.exe is not supported for dual signing. Seriously...??

To recap, with the manifest DLLs (mssign32.dll and wintrust.dll) I can sign under Windows 7, but again, I can only sign for 'modern versions' of Windows. Dual signing is still failing.
