Dual signing MSI file



NewsArchive
07-28-2016, 11:06 AM
Hi all,

I have an old MSI file built with Visual Studio several years ago that
contains Crystal Reports components for re-distribution. This is a very
low importance problem, just curious.

I just ran into the problem that this MSI fails every time I try to code sign it
with SHA2. It's not a big deal, but I wonder if there is something in
MSI preventing them from being code signed with SHA2?

I don't think I have the old MSI install script from VS (it was probably
about 10 years ago!) so I'm not going to put any work into it at all,
just curious in case I do stumble on the old script and want to have a
go at it.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
08-02-2016, 03:59 AM
Interesting.

So I made a little MSI using SetupBuilder.

Tried signing it.
Barfed at dual-signing (pic).

But I was able to sign it with a single SHA2 signature.

Here's the SHA2 MSI, if you want to look:
http://www.beachbunnysoftware.com/SB/ArnorMSI.msi

jf

NewsArchive
08-03-2016, 02:18 PM
Hi Jane,

> But I was able to sign it with a single SHA2 signature.
>
> here's the SHA2 MSI, if you want to look:

Thanks. Yes, I am able to do a SHA2 code sign only, not dual code sign.
That works for me:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
08-08-2016, 06:38 AM
>> But I was able to sign it with a single SHA2 signature.
>>
>> here's the SHA2 MSI, if you want to look:
>
> Thanks. Yes, I am able to do a SHA2 code sign only, not dual code sign.
> That works for me:)

The MSI file format does not support dual signing <g>. Only SHA-1 -or-
SHA-2.

Friedrich
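
The constraint stated in this reply, as an added example that is not part of the original thread or any poster's build script: a signing step that checks the container type first and never attempts a second (appended) signature on an MSI. The helper names, the certificate file name and the timestamp URLs are placeholders chosen for illustration; the `signtool` switches (`/fd`, `/t`, `/tr`, `/td`, `/as`) are the tool's own.

```python
from __future__ import annotations

# Leading bytes of an OLE compound file, the container an .msi is stored in
# (other OLE files share it; this sketch assumes the input is an installer).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
PE_MAGIC = b"MZ"  # DOS header at the start of .exe/.dll

# Placeholders (assumptions): substitute your own certificate and timestamp service.
CERT = "codesign.pfx"
TS_AUTHENTICODE = "http://timestamp.example.invalid/authenticode"
TS_RFC3161 = "http://timestamp.example.invalid/rfc3161"


def container_kind(header: bytes) -> str:
    """Classify by leading bytes instead of trusting the file extension."""
    if header.startswith(OLE_MAGIC):
        return "msi"
    if header.startswith(PE_MAGIC):
        return "pe"
    raise ValueError("not an MSI or PE file")


def signing_plan(path: str, header: bytes, msi_digest: str = "sha256") -> list[list[str]]:
    """Return the signtool command lines to run, in order, for one file."""
    if msi_digest not in ("sha1", "sha256"):
        raise ValueError("msi_digest must be sha1 or sha256")
    sha1 = ["signtool", "sign", "/f", CERT, "/fd", "sha1",
            "/t", TS_AUTHENTICODE, path]
    sha256 = ["signtool", "sign", "/f", CERT, "/fd", "sha256",
              "/tr", TS_RFC3161, "/td", "sha256", path]
    if container_kind(header) == "msi":
        # MSI: SHA-1 or SHA-2, never both, so exactly one command and no /as.
        return [sha1 if msi_digest == "sha1" else sha256]
    # PE: SHA-1 signature first, then SHA-256 appended as a second one via /as.
    return [sha1, sha256[:2] + ["/as"] + sha256[2:]]


if __name__ == "__main__":
    # Constructed sample headers, not read from real files.
    samples = {"setup.msi": OLE_MAGIC + b"\x00" * 8, "setup.exe": b"MZ\x90\x00"}
    for name, head in samples.items():
        for cmd in signing_plan(name, head):
            print(" ".join(cmd))
```
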

NewsArchive
08-09-2016, 10:30 AM
Hi Friedrich,

> The MSI file format does not support dual signing <g>. Only SHA-1 -or-
> SHA-2.

Nice;) I don't think I need to worry about SHA-1 on this thing:)

BTW: What happens on older machines, XP etc. if you have SHA-2
codesigning only?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
08-09-2016, 10:31 AM
> Nice;) I don't think I need to worry about SHA-1 on this thing:)
>
> BTW: What happens on older machines, XP etc. if you have SHA-2
> codesigning only?

On older non-UAC-aware machines, a SHA-2 signature is always "invalid". But
the .msi should still install fine on XP (especially when called from a
perfectly SHA-1/SHA-2 signed .exe installer).

Friedrich

NewsArchive
08-09-2016, 10:31 AM
Hi Friedrich,

> On older non-UAC-aware machines, a SHA-2 signature is always "invalid". But
> the .msi should still install fine on XP (especially when called from a
> perfectly SHA-1/SHA-2 signed .exe installer).

Thanks:)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC