Strange Code Signing Behavior



Wayne Freeman
05-22-2007, 07:45 PM
Hi,

Maybe I'm just unclear on the concept, but I have noticed that SetupBuilder is removing the digital signatures from my executables.

Is this a problem, or is it supposed to work that way? I would think that all signed files should remain signed forever.

I sign the .exe using SignTool, and verify that the digital signature is there by looking at the properties of the file.

Then, I compile the SetupBuilder project, which signs both the install and uninstall programs.

After I run the installation, I inspect the properties of the installed executables, and they no longer have the digital signature. The install and uninstall programs still do, however.

Is this right?

Thanks,

Wayne
www.analyticabiz.com

linder
05-22-2007, 11:34 PM
Wayne,

Of course, SetupBuilder will *not* touch your files.

If you manually code-sign your .exe, then SetupBuilder will add the code-signed file to the installer. It is impossible to "remove" a code signature from a .exe.

Check the .htm compiler report and check the source path; I am sure you are packaging the wrong .exe file :)

BTW, do you know that SetupBuilder can automatically code-sign your .exe for you?

HTH,
Friedrich

Wayne Freeman
05-23-2007, 12:03 AM
Hi, Friedrich,

Actually, I was very careful in my research before I posted my question, and I am absolutely certain that the signature was being removed. I left a Windows Explorer window open to the folder where the .exe file is, signed the code using the signtool wizard, right-clicked on the .exe, selected "properties", verified that the signature was there, then switched over to SetupBuilder, compiled the project, switched back over to the folder where the .exe is, inspected "properties" again, and the signature was gone. This is not even the copy that was compiled into the installation, but the original .exe. Which, of course, explains why the compiled installation contained a .exe without a signature, as it was being removed before the .exe was compiled into the installation. Now, what caused it I have no idea, but it didn't happen until I ran the SB compile.

Having said all that, yes, I did discover since I posted my question that the latest build of SB uses SignTool and the pfx. I implemented that and all these problems went away. The original .exe retains its signature, and the installed .exe also now has the signature. So all's well.

My guess is that, of course, SB was not touching my .exe, but it was something in SignCode that was removing the signature and not replacing it.

Being able to have SB do the signing is really helpful, and for me, works a whole lot better. Just in time.

Thanks,

Wayne
www.analyticabiz.com

linder
05-23-2007, 12:10 AM
Hi Wayne,

Thank you for the information.

BTW, if you are using the "#code-sign application" compiler feature to code sign your application files, then the SetupBuilder compiler will "touch" your original file if you mark the "Permanent" option. If the "Permanent" option is unchecked, it creates a temporary copy of your original file, code-signs it, adds it into the installation executable and leaves your original files untouched.

Thanks,
Friedrich

Wayne Freeman
05-23-2007, 10:32 AM
Ah, that's an excellent option. But why would I not want to have the code-signing be "permanent"?

Thanks, Friedrich.

Wayne

Analytica Business Systems
A Pervasive Software Premier Partner
http://www.analyticabiz.com

linder
05-23-2007, 10:49 AM
Hi Wayne,

First of all, an installation authoring system should (by default) never manipulate your data files.

If you compile the script again and the .exe is already code-signed, the compilation process will fail (Authenticode signing tool returns an error).

If you would like to change some code-signing parameters (e.g. timestamp, descriptive name, etc.) and the compiler code-signed your SOURCE FILE permanently, you have to recompile your own .exe. Not a good idea ;)

Friedrich
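As an added example (not code from the thread or from SetupBuilder), a PowerShell check that records an executable's Authenticode state and hash before the installer build and compares them afterwards, so a build step that strips or re-signs the source file is caught immediately rather than discovered in the installed copy. The path and the snapshot file name are assumed placeholders.

```powershell
param(
    [string]$Path     = 'C:\build\MyApp.exe',   # assumed placeholder path
    [string]$Baseline = "$Path.sigstate.json"   # snapshot written on the first run
)

function Get-SigState {
    param([string]$File)
    # Get-AuthenticodeSignature reads the PE's embedded Authenticode signature and
    # reports Valid, NotSigned, HashMismatch (file modified after signing), etc.
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        Sha256 = (Get-FileHash -Path $File -Algorithm SHA256).Hash
        Status = $sig.Status.ToString()
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$now = Get-SigState -File $Path

if (-not (Test-Path $Baseline)) {
    # First run (before the installer build): record the reference state.
    $now | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Output "Baseline recorded: status=$($now.Status) signer=$($now.Signer)"
    return
}

# Second run (after the installer build): compare against the snapshot.
$before = Get-Content -Path $Baseline -Raw | ConvertFrom-Json

if ($before.Sha256 -ne $now.Sha256) {
    Write-Warning "File bytes changed during the build (SHA-256 differs)."
}
if ($before.Status -eq 'Valid' -and $now.Status -ne 'Valid') {
    Write-Warning "Signature lost: was Valid, now $($now.Status). A build step rewrote this file."
} elseif ($now.Status -eq 'Valid' -and $before.Signer -ne $now.Signer) {
    Write-Warning "Signer changed: '$($before.Signer)' -> '$($now.Signer)' (file was re-signed)."
} else {
    Write-Output "Signature state unchanged: $($now.Status)"
}
```

Run it once before compiling the SetupBuilder project and once after; a change from Valid to NotSigned on the original file is the behaviour described in the thread, and a HashMismatch means the file was altered after signing. The same check from the command line is `signtool verify /pa /v <file>`.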