PDA

View Full Version : Setup Builder 10.0.6195 gives "This digital signature is not valid." for the uninstal



NewsArchive
04-04-2019, 01:20 AM
Friedrich,

I noticed at a client site yesterday that when running my application's
uninstaller it gave the message it wasn't code-signed.

I've tracked it down to:

If create the setup program with SetupBuilder 10.0.6124, the uninstaller
is properly signed.

If I then update SetupBuilder to 10.0.6195, and compile the same setup
script, the uninstaller shows it is signed ok in the SetupBuilder log,
but if you look at the uninstaller.exe properties: Digital
Signatures-Details, it gives the message "This digital signature is not
valid." This is for both SHA1 and SHA2 signatures.

Note the setup program itself is properly signed for both SetupBuilder
versions.

Comparing the two SetupBuilder compilation logs uninstall section, for
10.0.6124 it shows 84 byte-mods applied, but for 10.0.6195 it says 83
byte-mods applied. Other than that they look the same.
************************************
10.0.6124:
Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 6.2.9200.20527
SHA1: 0
SHA2: 0
Successfully code signed Uninstall Object
Process File Overhead Extraction
OK
Uninstall Archive Integrity Verification manipulated successfully
Generating Uninstall Delta [8000]...
84 byte-mods applied
Signature source added [14260:6436]
Signature patch added
OK
Finalizing application...
AIV generated: E4FA0ED845468
Archive Integrity Verification signed successfully
************************************
10.0.6195:
Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 6.2.9200.20527
SHA1: 0
SHA2: 0
Successfully code signed Uninstall Object
Process File Overhead Extraction
OK
Uninstall Archive Integrity Verification manipulated successfully
Generating Uninstall Delta [8000]...
83 byte-mods applied
Signature source added [14258:6437]
Signature patch added
OK
Finalizing application...
AIV generated: EF36CFCF45468
Archive Integrity Verification signed successfully

Thanks...jack
--
********************************************
Who: L Jack Wilson
Where: ljwilson@dNiOgSiPtAaMlav.com
How: Remove Capital Letters from above for a valid email address
Why: Standard Disclaimer fits nicely here.

NewsArchive
04-04-2019, 01:21 AM
Hi Jack,

> I noticed at a client site yesterday that when running my application's
> uninstaller it gave the message it wasn't code-signed.

Hmmm...that's strange. Our own uninstaller in SB #6195 has a valid
code-signature (for both SHA-1 and SHA-2).

Wait... I think it's caused by the "Installer Integrity Check" option in
combination with the new stub which works around the false-positive issue.
The code-signatures should be valid if you disable the integrity check
(General Information).

Item in review. Thank you for bringing this to my attention.

Friedrich

NewsArchive
04-04-2019, 01:22 AM
Correction. It's definitely not caused by the "false-positive" workaround.
The original SetupBuilder 2019.2 introduced this bug (03/19/2019). Worked
fine until 2019 Build #6125 (01/15/2019).

Friedrich

NewsArchive
04-04-2019, 01:22 AM
Friedrich,

Unchecking "Enable Installer Integrity Check" fixed it! I'll just leave
that unchecked until I hear otherwise.

I enabled that setting years ago when I had a client with a slow
connection that kept downloading corrupted installers.

Thanks!

....jack

--
********************************************
Who: L Jack Wilson
Where: ljwilson@dNiOgSiPtAaMlav.com
How: Remove Capital Letters from above for a valid email address
Why: Standard Disclaimer fits nicely here.

NewsArchive
04-04-2019, 07:54 AM
Jack,

> Unchecking "Enable Installer Integrity Check" fixed it! I'll just leave
> that unchecked until I hear otherwise.

would it be possible for you to test a new component?

Please download:
http://www.lindersoft.com/projects/SBVAR_6204.zip

1. In your main SetupBuilder folder, please rename "SBVAR.DLL" into
"SBVAR_orig.DLL".

2. Copy the unzipped new version of SBVAR.DLL (build 6204) into the main
SetupBuilder folder.

3. Re-enable "Archive Integrity Check"

Are the uninstaller's code-signatures back to "valid" now?

Thank you for your help.

Friedrich

NewsArchive
04-04-2019, 10:01 AM
> Are the uninstaller's code-signatures back to "valid" now?
>
> Thank you for your help.

Friedrich,

Yes they are!

And I now see 84 bytes (like I did with 6124 which worked) instead of 83:

Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 6.2.9200.20527
SHA1: 0
SHA2: 0
Successfully code signed Uninstall Object
Process File Overhead Extraction
OK
Uninstall Archive Integrity Verification manipulated successfully
Generating Uninstall Delta [8000]...
84 byte-mods applied
Signature source added [14259:6436]
Signature patch added
OK
Finalizing application...
AIV generated: C7AE720A45468
Archive Integrity Verification signed successfully
--

Thanks for the quick response!
....jack
********************************************
Who: L Jack Wilson
Where: ljwilson@dNiOgSiPtAaMlav.com
How: Remove Capital Letters from above for a valid email address
Why: Standard Disclaimer fits nicely here.

NewsArchive
04-04-2019, 10:06 AM
Hi Jack,

> Yes they are!
>
> And I now see 84 bytes (like I did with 6124 which worked) instead of 83:

Thanks so much for the good news!

The bug was in the "SBVAR.DLL" component from 2015. It was just a
coincidence that it happened in this brand new SetupBuilder 2019.2 version.
A typical Ticking Time Bomb scenario <g>.

Thank you for your very cool analysis of the problem (especially the 83 vs.
84 bytes). SBVAR.DLL was the last thing I checked after a very long
debugging marathon <g>.

Friedrich