Signed installer is not signed after distribution

  • Signed installer is not signed after distribution

    Hi all,

    I'm just testing out using a signed installer using a newly purchased certificate.

    I have a test SUF project with no real code, just a couple of files.

    I add in the details in the 'code signing' tab of the Build Settings dialog and then build the installer.

    On my Development system
    --------------------------
    When I run the installer in my development system (Windows 7 Enterprise x86) I get the Windows UAC dialog displayed showing that the installer is signed by my company. If I show the certificate details etc then all looks fine. :yes

    On another system
    ------------------
    I then copy the 'setup.exe' file across to another system (Windows 7 Professional x64) as if this was a customer system where our software is going to be installed.

    But when I run the installer the UAC dialog that comes up says that the "Publisher is unknown".

    What have I done wrong?

    I'm using SUF 9.5.1.0.

    My 'signtool.exe' is from the Windows 8.1 SDK (v6.3.9600.17298).

    Cheers,
    Dave

  • #2
    Solved!

    So I've been able to resolve this issue (with a fair bit of help from the support folks at Comodo) and thought I'd share the really relevant bits here. It might help someone else.

    The basic problem was the certificate file (.p12 or .pfx) was incorrect. It should contain a chain of certificates from my company one (at the 'bottom' of the chain) up to BUT NOT including the very top level - which appears to be the 'trusted root certificate authority' - in my case Comodo.

    I was told to delete the 'trusted root certificate authority' for Comodo from my system's certificate store and then export my certificate with all certs going up the chain. That should build my p12/pfx file correctly.

    However, Windows 7 Enterprise (my development system) has a policy which says - if you can't find a 'trusted root certificate authority' certificate, go out to the Windows Update and automatically (re)install it.

    So having deleted it, every time I built (or maybe ran) my installer the cert got added to my system again!

    So what I've now done is to:
    - enable the relevant policy (instructions below this post) which prevents Windows from auto updating such certificates
    - delete the relevant certificate
    - export my company certificate to create the pfx file

    Now I can build the install file and when I run it I get the Windows UAC dialog screen.

    I hope this helps someone else.

    Cheers,
    Dave

    Policy edit instructions.

    Do the following steps to turn off Automatic Root Certificates Update:
    -----------------------------------------------------------------------------------------
    1. Click Start, then click Run.
    2. Type gpedit.msc, then click Ok.
    3. If the User Account Control (UAC) dialog box appears, confirm that it displays the desired action. Click Continue.
    If the UAC dialog box does not appear, proceed with the Local Group Policy Editor dialog box.
    4. Double click Administrative Templates under Computer Configuration.
    Double click System.
    Double click Internet Communication Management
    Double click Internet Communication Settings.
    5. Double click Turn off Automatic Root Certificates Update.
    Click Enabled.
    Then, click Ok.
    6. Close the Local Group Policy Editor dialog box.
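
The check that post #2 describes, as an added example that is not part of the original thread: PowerShell that lists the certificates inside a .pfx/.p12 file and reports whether it holds the signing certificate plus intermediates without the root. The function names and the file path are hypothetical.

```powershell
# Added example, not from the original thread. Function names and paths are hypothetical.
function Get-PfxCertificateRoles {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password
    )
    # X509Certificate2Collection.Import takes a plain string password, so unwrap the SecureString.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import((Resolve-Path $PfxPath).ProviderPath, $plain, $flags)

    foreach ($c in $certs) {
        # Heuristic classification: the entry with a private key is the signing
        # certificate; Subject equal to Issuer marks a self-signed root.
        if ($c.HasPrivateKey)             { $role = 'Signing' }
        elseif ($c.Subject -eq $c.Issuer) { $role = 'Root' }
        else                              { $role = 'Intermediate' }
        New-Object psobject -Property @{
            Role = $role; Subject = $c.Subject; Issuer = $c.Issuer
            Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter
        }
    }
}

function Test-PfxChainLayout {
    param([Parameter(Mandatory = $true)] [object[]] $Entries)
    $signing = @($Entries | Where-Object { $_.Role -eq 'Signing' })
    $inter   = @($Entries | Where-Object { $_.Role -eq 'Intermediate' })
    $roots   = @($Entries | Where-Object { $_.Role -eq 'Root' })
    New-Object psobject -Property @{
        SigningCertificates = $signing.Count
        Intermediates       = $inter.Count
        RootIncluded        = ($roots.Count -gt 0)
        # Layout described in post #2: signing cert plus the chain above it, without the root.
        MatchesPostLayout   = ($signing.Count -eq 1 -and $inter.Count -ge 1 -and $roots.Count -eq 0)
    }
}

# Usage (the path is a placeholder):
# $pw = Read-Host 'PFX password' -AsSecureString
# $entries = Get-PfxCertificateRoles -PfxPath '.\company-codesign.pfx' -Password $pw
# $entries | Format-Table Role, Subject, Issuer -AutoSize
# Test-PfxChainLayout -Entries $entries
```

Running `signtool verify /pa /v setup.exe` on the second machine then shows the chain Windows can build from the signed file itself.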
