View Full Version : Signtool.exe install fails
MorningFlight
11-29-2021, 09:14 AM
Before updating to the latest version of Setup Builder, I fortunately compiled and successfully codesigned my apps on Win 10 with the previous version of SB. I then updated and renewed my maintenance plan. Now the Signtool.exe won't install which of course prevents me from codesigning. Any ideas?5078
linder
11-30-2021, 09:03 AM
Hello,
it's very well possible that your protection software "blocks" the download process. Please try to "whitelist" the SB10.EXE. Perhaps this allows communication with Microsoft server again. BTW, this has absolutely nothing to do with the renewed maintenance plan. Even with an expired maintenance plan or a SetupBuilder trial version you can download the SIGNTOOL.EXE file.
If you can't find out what blocks the download process on your machine, please send an e-mail to support [at] lindersoft [dot] com and we'll provide an alternative direct download link for you.
Friedrich
djmarais@clock.co.za
12-01-2021, 02:04 PM
Hello Friedrich
I also had this happen to me yesterday (30 November 2021). Nothing changed that I am aware of, except of course possible updates to AV and Windows.
I have been on 2019.7 for a while and have successfully done code-signing with it for numerous installs, most recently 24 November or so.
I checked that signtool.exe is new (downloaded the SDK from MS) and reinstalled capicom.dll from your installer, as per previous threads on the forum.
I disabled the AV but this did not change anything.
I can successfully code sign files manually with signtool.exe, using what I imagine would be the parameters SB uses, with or without a time server. This happens with AV on and off.
The only other possibly useful thing I can say is that the failure is pretty quick: From the time the code-signing starts to failure is instantaneous - it looks like it is not even "trying" if this makes sense to you.
Fortunately not a show stopper but it is tedious to do the code signing manually, and I have to leave the archive integrity check off - the manual signing breaks this check, which kind of makes sense.
Regards
Daan Marais
linder
12-01-2021, 04:15 PM
Daan,
manual signing breaks everything !!! Never ever code-sign a setup.exe manually !!!
Perhaps it's your Windows Defender? I would suggest to use the SignTool.exe from the SetupBuilder IDE Download!
Friedrich
djmarais@clock.co.za
12-01-2021, 11:01 PM
Hi Friedrich
Nope, the IDE download works but then still fails to install signtool.exe. I went around the block a couple of times here, excluding folders from Windows Defender and my favourite AV (the one you love, ESET :-)) and disabling both, and nothing would work.
BUT: I then found an old signtool.exe from 15 August, 2016, sized 75776 bytes, copied it and it works.
So: Problem solved, but the mystery lives on.
Regards
Daan
Daan,
manual signing breaks everything !!! Never ever code-sign a setup.exe manually !!!
Perhaps it's your Windows Defender? I would suggest to use the SignTool.exe from the SetupBuilder IDE Download!
Friedrich
Can you expound on what manual signing breaks, and why?
Regards,
Seth
linder
12-08-2021, 03:29 PM
Seth,
it breaks uninstaller code-signing (you'll have an un-signed uninstaller .exe, which is a no-go) and archive integrity will be corrupt.
You have to use the code-signing technology provided by the compiler to correctly code-sign a setup.exe and the internal uninstall.exe.
Friedrich
linder
12-08-2021, 03:34 PM
Daan,
if the "install" fails, then there is still some kind of background protection running (and triggers a false-positive). We are using ESET here on all machines (and I am sure, most of our customers do <g>) and SIGNTOOL.EXE installation from the IDE (which downloads from the Microsoft webserver) still works as expected. Tested today on Win10, Win11 (x64 and ARM64) and Server 2019 & 2022.
Friedrich
Friedrich,
Is there a way to provide all variables required for signing via command line? It looks like some of them could use compiler variables, but not the password.
Alternatively, is there a file or registry location to set the global signing settings?
All of our builds are done through automated build processes, and it would not be reasonable to update either the build agents or each installer script each time we update our certificate.
-Seth
linder
12-10-2021, 09:18 AM
Seth,
I'll check this in (the upcoming) SetupBuilder 2022 and will get back to you!
Friedrich
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.