View Full Version : Large Setup cannot be code-signed
ccordes
08-08-2019, 03:47 PM
Friedrich,
First THANKS! for adding SSL support that seems to work perfectly. and now I have to release 2019 version.
I have a large setup file (1.7 GB) that refuses to be code-signed.
It's demo version (175 MB) works fine.
AND I can code-sign the setup using signtool - so that means that the AV isn't getting in the way and the timestamp server is working.
Here's my signtool line -
signtool sign /f "D:\Users\Pop\Documents\Security\Codesign_2021.pfx" /p xxxxxxxxxxx /t http://timestamp.comodoca.com/authenticode /d "Hand crafted software for business and research" /du "http://cordessoftware.com" "D:\Users\Public\SetupBuilder Projects\pcgarwV9_2019\su_pcg_si_Full_4.1.15.190.e xe"
When I get the exe down below 300MB, it SB codesign works.
I just noticed - There is a note on the MS site Signtool page that says if the exe is over 300MB a Catalog should be used instead of signtool.
TIA,
Chris C
linder
08-09-2019, 02:56 AM
Hi Chris,
thanks again for all your SSL help !!! It's working rock solid now.
Unfortunately, the code-signing problem is not caused by SetupBuilder. It's a well know limitation of Windows. It depends on quite a few factors, e.g. Windows version, patch level, available resources, etc.
To cut a long story short, it's not a good idea (and even impossible) to code-sign very large executables (>1.3GB).
See (performance):
http://www.lindersoft.com/forums/showthread.php?35921-File-Size&p=65097#post65097
And this (no icon and file properties):
http://www.lindersoft.com/forums/showthread.php?35117-SB-6-9-File-Size-Limitation&p=63476&highlight=large#post63476
Using the "Custom (for UAC-aware systems)" option is the way to go.
Does this help?
Friedrich
ccordes
08-09-2019, 01:28 PM
HI!
It was my pleasure; besides I got a rock solid SSL installer DL and update out of it. ;)
Yes, I agree and I'm trying to get my client to understand. BUT "EVERYTHING MUST BE CODE-SIGNED"
Can I do that after the fact? - after the UAC Aware setup package is created? (might be worth a try)
And what about the Web Install - Can that be successfully signed? Can I sign all the bin files?
I also thought of not including the data in the initial install, but have it as the first update.
Yes, It helped to know that I'm not going mad, Thanks,
Chris
linder
08-10-2019, 04:29 AM
Hi Chris,
You can only code-sign executables. It is not possible to Authenticode code-sign data files. But SetupBuilder has its own fingerprint technology:
Enable Installer Integrity Check—SetupBuilder supports an Archive Fingerprint Verification algorithm. The advantage of this feature is to offer a layer of protection between the creator of an installation file and the recipient. The purpose of fingerprint verification is to help provide detection of tampered, hacked, and incomplete or virus infected installation files. If your installation executable supports fingerprint verification, the recipient knows that the installation file received is the file that was sent. If the installation file has failed the fingerprint verification, the contents are suspect. This option requires that you build a single file setup.exe installation executable or a "Custom (for UAC-aware systems)" Media Type Generator Setting with single .bin volume.
So if you code-sign your executable, the data is 100% safe. The same is true for Web Updates. You code-sign the main executable and all cluster files have their own fingerprint verification.
Friedrich
ccordes
09-16-2019, 05:43 PM
Thanks again.
I went ahead with the web install/update and that is working perfectly. The exes get code-signed and everything else in bin files all of it on a secure web server. Client is happy and is now changing their licensing requirements.
Cheers,
Chris C
linder
09-17-2019, 05:01 AM
Perfect! Thanks for the good news :)
Friedrich
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.