View Full Version : Cose Signing problem
NewsArchive
05-25-2007, 09:10 AM
I really hate to post this. I've scrubbed through the NG,
chased all of the leads posted there and still have a
problem.
I'm using SB6.5
Using SignCode.exe the Install.Package IS signed, my
Certificate is shown on the Digital Signatures tab.
This is true with both versions of PKEY.exe ( 6.5.1845.0 and
6.0.1459.0).
I've included #embed Vista Manifest in the setup-script in
the initialize setup section immediately following the
#include script "Common Definitions.sbi" statement.
The compile tells me it did create the manifest.
If I add a #code-sign application immediately after the
#embed Vista Manifest statement the compile fails with
Compiler error GEN1053: Code signing process failed
This is true with both versions of PKEY.exe
So, the dumb question is:
What am I doing wrong?
Thanks in advance.
Guy Bernard
NewsArchive
05-25-2007, 09:10 AM
Dumb question,
Are you doing the #embed Vista Manifest and #code-sign application trying to
sign your app, or the installer itself?
If the latter, see Kelley E. Major's "code-signing" thread in this NG dated
4/30/2007.
Jane Fleming
NewsArchive
05-25-2007, 09:10 AM
Hi Jane -
Thanks for the quick reply.
I've scrubbed your articles, I feel like I'm talking to THE
source of information (BG). Your time and effort is greatly
appreciated.
I have specified that the install is to be signed (on the
General Information -- Digital Signature) and it IS being
signed
My #embed Vista Manifest is applied to the application that
SB is building the install for. I've run the install and
the apps (my.exe files) do contain a manifest (I used Colin
Wilson's XN Resource Editor (thanks to a tip from a gal I
know).
My #Codesign statement immediately follows the #Embed
Vista.Manifast statement -- this is the one failing.
If I remove the #CodeSign statement:
The install.package built by SB IS signed and contains a
manifest.
My installed _.exe files are not signed (didn't ask SB to
sign them) and they do contain a manifest
If I replace the #Codesign statement (immediately following
the #Embed Vista.Manifest statement) the SB compile fails
I hope this makes sense, and answers your question.
Guy Bernard
NewsArchive
05-25-2007, 09:11 AM
I just thought of something.
The #Embed manifest is not checked Permanent.
Since SB is adding the manifest to the _.exe file that is
being included in the install package, but as I under the
"Permanent" option it leaves the original file unchanged,
then I ask to sign the _.exe, is the difference between my
original file and the one SB is adding to the install
package (it has the manifest included) causing the problem?
Guy Bernard
NewsArchive
05-25-2007, 09:11 AM
I just tried changing the #Embed Vista.Manifest to
"Permanent" and the #Codesign still causes the compile to
fail. BUT, the _exe now contains a Manifest which I did NOT
include in the compile of the application.
Blows that idea, I hope you have some ideas.
Thanks
Guy Bernard
NewsArchive
05-25-2007, 09:11 AM
> The #Embed manifest is not checked Permanent.
It should NOT be.
I don't use any external programs - just let SB6.5 do the work and my
installs work fine.
Here are the basics:
1) Make sure that your EXEs in Clarion do NOT have the checkbox checked in
the global that creates the manifest.
2) In SB (in the Visualizer), your installer needs to run with the
requested execution level set to "requireAdministrator".
3) In SB, add your manifest in the Script editor and make sure that the
requested execution level is set to "asInvoker" and that the "Permanent"
box is not checked.
Note: I add the manifest just before the "Create Folders" portion of the
script editor.
4) Let SB do the digital signing for you.
The results for me are installers that work, EXEs that run, the manifest is
correct (both on XP and on Vista) and MS is happy with the digital
signatures.
I really don't see a reason at all to do any of this outside of
SetupBuilder.
It simply works.
Good luck on your projects!
;-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
NewsArchive
05-25-2007, 09:12 AM
Hi Charles -
Thanks for the outline, your perspective is exactly what I
want. The only thing different in my install from your
outline is that I am adding the manifest in the Initialize
Setup section, and that is working.
In the same section, immediately after the manifesst I am
including the Code.Sign for by app, it is that statement
that is causing the compile to fail.
I think what I'll do is move the manifest & app code sign
down to the Create folders section. If that doesnt' make
any difference I wonder if I have an out of date version of
some SB component.
I'm sure when I get to the bottom of this it'll be really
dumb, it seems the hard ones always are.
Thanks again
Guy
NewsArchive
05-25-2007, 09:12 AM
I just took a shot at the compile after moving the Manifest
and CodeSign statements to the initialize install folder
section, makes not difference. The only thing I've seen
concercning where this need to be applied is before the
files are included in the install package so I didn't expect
any change.
Got a long weekend, should be plenty of time to tinker, and
as the man said "We shall overcome."
Have a good weekend
Guy Bernard
NewsArchive
05-26-2007, 05:32 AM
Charles,
I know; six one, half-a-dozen the other...
I need to have C6 generate and link in the Vista compliant manifest
for one of my apps because the final step in my project "Programs to
execute" calls Armadillo to protect the exe. The manifest cannot be
applied after the Armadillo protection. I do still use SB for the
code signing, which should be done post-Arm.
Also, it appears to me that C6 has more options than SB for
controlling the manifest. I'm referring to:
1) UIAccess setting which I don't see an option for in SB.
2) The ability to just generate the file and not link it into the exe.
3) The ability to generate an XP manifest and not Vista.
Obviously there are other ways to do this, like call Armadillo to
protect the app from within the SB script (after letting SB add the
manifest of course).
Anyway, just a comment.
Regards,
Kelly E Major
NewsArchive
05-26-2007, 05:33 AM
> 1) UIAccess setting which I don't see an option for in SB.
By the way, if someone needs the "UIAccess setting" thing, just drop me a
line or post here. We did not add it because it's not easy to write an
UIAccess application. We can add this option without any problem.
Friedrich
NewsArchive
05-26-2007, 05:33 AM
On 25 May 2007 12:29:50 -0400, Kelly E Major wrote:
> I need to have C6 generate and link in the Vista compliant manifest
> for one of my apps because the final step in my project "Programs to
> execute" calls Armadillo to protect the exe. The manifest cannot be
> applied after the Armadillo protection. I do still use SB for the
> code signing, which should be done post-Arm.
>
> Also, it appears to me that C6 has more options than SB for
> controlling the manifest. I'm referring to:
>
> 1) UIAccess setting which I don't see an option for in SB.
> 2) The ability to just generate the file and not link it into the exe.
> 3) The ability to generate an XP manifest and not Vista.
>
> Obviously there are other ways to do this, like call Armadillo to
> protect the app from within the SB script (after letting SB add the
> manifest of course).
I see that Friedrich mentioned the UIAccess in another post.
Yes the code signing comes after Armadillo, and yes you can do that inside
SetupBuilder.
Of course when Friedrich and I finish the RegKISS/ SetupBuilder
integration, there will be even better options (among which is that RegKISS
will allow SetupBuilder to interrogate the exe to ensure that the
protection is in place).
> Anyway, just a comment.
;-)
Always glad for feedback and input.
Take care,
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
NewsArchive
05-26-2007, 05:35 AM
>Of course when Friedrich and I finish the RegKISS/ SetupBuilder
>integration, there will be even better options (among which is that RegKISS
>will allow SetupBuilder to interrogate the exe to ensure that the
>protection is in place).
Hurry Up! My credit card has already expired at least once while I've
been waiting for these products :)
Needless to say I'm ready to buy a set of tools/apps for managing
Armadillo<->Clarion<->SetupBuilder and if it includes web/internet
based real-time licensing I'm going to be really really excited!!!
Oh, in case you did not get notified I received notice from SRT that
Armadillo v5 beta is available and will go gold on the 31st unless
issues are encountered.
Regards,
Kelly E Major
NewsArchive
05-26-2007, 05:36 AM
On 25 May 2007 13:53:35 -0400, Kelly E Major wrote:
> Hurry Up! My credit card has already expired at least once while I've
> been waiting for these products :)
;-)
> Needless to say I'm ready to buy a set of tools/apps for managing
> Armadillo<->Clarion<->SetupBuilder and if it includes web/internet
> based real-time licensing I'm going to be really really excited!!!
Thanks for still being interested.
A lot has changed since the idea for these products first came to mind and
we started working towards the goal.
The new tools we have (both in SetupBuilder and in RegKISS) are opening up
a lot of possibilities.
> Oh, in case you did not get notified I received notice from SRT that
> Armadillo v5 beta is available and will go gold on the 31st unless
> issues are encountered.
I saw that!
Nice to see they are still moving forward even though Chad is gone now. Of
course I know Gene @ Silicon Realms very well and he and I stay in touch
about what they are doing.
;-)
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
NewsArchive
05-26-2007, 05:37 AM
Someone on the SRT NG observed that 5.0 beta he just installed says it's not
licensed.
Makes sense that a full version-number change will be the excuse to hit
people with a version upgrade fee. Not sure it will be worth it to me,
though.
Jane
NewsArchive
05-26-2007, 05:38 AM
Hello,
Dumb Question .... why do I have to code-sign the app? What advantages does
that give me?
-Robert
NewsArchive
05-26-2007, 05:39 AM
Hi Robert -
If you're lucky Jane will jump in here, but her articles in
Clarion Mag "Signing Your Applications, Part 1" and ...Part2
give you a good rundown of the impact of signing the code.
Do take the time to go through them. There is also an
e-book on Clarion Mag that covers the Vista stuff and
addresses the question you ask.
In a nut shell, signing you code provides the person using
the install the assurance that they are using a "true
version" of your software, not something that has been
tweaked by a "bad guy" and given your label.
I think the real force behind all of the manifest and
signing thing, at least in my case, it Vista's focus on
security.
Now that I've gotten SB to sign myapp.exe on the way into
the install package, I'm wondering if I want to sign all of
the DLL's that go along with my code (SV, etc.) so that all
executables (_.exe and _.dll) are signed?
Guy Bernard
NewsArchive
05-26-2007, 05:42 AM
On 25 May 2007 18:28:31 -0400, robert paresi wrote:
> Dumb Question .... why do I have to code-sign the app? What advantages does
> that give me?
Among the other reasons mentioned, there is a group policy in Vista that
allows to "block" all un-signed applications. That means, if this group
policy is enabled, then your program would not run.
Signing DLLs is not necessary, but EXEs are a good idea.
HTH,
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
NewsArchive
05-26-2007, 05:42 AM
Thanks Charles.
With that I'll just sign the _.exe and let it go at that.
Guy Bernard
NewsArchive
05-26-2007, 05:43 AM
IT WORKS ! ! !
I don't know what I did to fix what ever the problem was,
and I don't care either, but it now works as advertised!
I obviously had a bad entry in the Code.Sign command for
myapp.exe which caused the failure. That's not unusual,
often I am my own biggest problem.
Thanks all for the questions, thoughts, and answers. They
kept me going in the "if at first ... try, try again".
Guy Bernard
NewsArchive
05-26-2007, 05:44 AM
Glad you got it figured out, Guy.
A bad password, bad time-stamp URL, etc., will throw signing off altogether.
Jane
NewsArchive
05-26-2007, 05:44 AM
Hi Jane -
You're not half as glad as I am (G)
I wonder if it would be possible to have the cause of the
failure passed back. I'm such a klutz I need all the help I
can get. I noticed in my research someone stumbling because
the Certificate had expired, mine was God knows what, and
I'll bet there are at least 3 potholes I haven't hit yet.
After all, Friedrich has done so much for us already he'd
probably be disappointed if I didn't ask for more (G)
Guy
NewsArchive
05-28-2007, 11:53 PM
Jane,
I saw that too. I thought it was odd that they would send a
notification and download link to the 5.0 beta if it won't run since
it isn't licensed. I also thought it was odd to have a major version
jump and not say anything about an upgrade fee.
Anyway, I expect I will be upgrading for a couple of reasons:
1) I expect to continue using Armadillo and I keep all of my active
software up to date. One of the items listed is "Full Vista
Compatibility". I certainly want that.
2) I have seen the DEP issue and that is one of the items listed as
being resolved with version 5.
Regards,
Kelly E Major
NewsArchive
05-28-2007, 11:54 PM
On 25/05/2007 Guy Bernard wrote:
> If you're lucky Jane will jump in here, but her articles in Clarion
> Mag "Signing Your Applications, Part 1" and ...Part2 give you a good
> rundown of the impact of signing the code.
And for anyone who's looking, her articles can all be found at
http://www.clarionmag.com/cmag/search.frm?formID=true&query=author%3Afleming&submit=Find+It%21
The Vista e-book is at http://www.clarionmag.com/cmag/ebooks.html
--
Dave
Clarion Magazine: http://www.clarionmag.com
In-depth Clarion articles, news, tips & tricks, printed books and e-books
Source Code Library: http://www.clarionmag.com/cmag/sourcelib.html
Clarion blog: http://www.clarionmag.com/blog/
Personal blog: http://www.knobblegrud.com/
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.