Old 20th July 2016, 17:51   #5
Theresias
Junior Member
 
Join Date: Jun 2006
Posts: 48
To make sure your application/installer is properly working with all Windows versions, you should actually double sign your EXEs.

I ended up solving this by using the !finalize command a few times...

Code:
!define OutFileSignSHA1   ".\CodeSign\SignTool sign /f .\CodeSign\${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha1   /t  http://timestamp.comodoca.com /v"
!define OutFileSignSHA256 ".\CodeSign\SignTool sign /f .\CodeSign\${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha256 /tr http://timestamp.comodoca.com?td=sha256 /td sha256 /as /v"
...and the actual !finalize commands are...

Code:
!finalize "${OutFileSignSHA1} .\${OutputFileName}"     # CodeSigning with SHA1/AuthentiCode
!finalize "PING -n 5 127.0.0.1 >nul"                    # Delay next step to ensure file isn't locked by previous process
!finalize "${OutFileSignSHA256} .\${OutputFileName}"   # CodeSigning with SHA256/RFC 3161
You'll probably notice the PING command in between; one of the issues I have is that the file may still be locked by a Windows process (virus scan, indexing, etc.) once it got signed, so the PING adds a consistent delay before doing the 2nd signing.

Please note, not all time stamping servers support RFC 3161, which you need to properly sign the SHA256, whereas SHA1 was good with AuthentiCode time stamps...
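To check what the two signing steps above actually left in the EXE (an added example, not code from the post or from NSIS/SignTool): a Python scan of a PE's security directory for the digest, nested-signature and timestamp OIDs that signtool's /fd, /as, /t and /tr options produce. It is a heuristic substring scan of the DER blob, not a full ASN.1 parse, so `signtool verify /pa /all /v` remains the authoritative check. The build_sample_pe helper is a constructed fake PE header wrapped around a hand-made blob, only so the scan can run without a real signed binary.

```python
import struct

# DER-encoded OBJECT IDENTIFIER TLVs looked for inside the Authenticode PKCS#7 blob.
OID_SHA1 = bytes.fromhex("06052b0e03021a")                    # 1.3.14.3.2.26        (/fd sha1)
OID_SHA256 = bytes.fromhex("0609608648016503040201")           # 2.16.840.1.101.3.4.2.1 (/fd sha256)
OID_NESTED_SIG = bytes.fromhex("060a2b060104018237020401")     # 1.3.6.1.4.1.311.2.4.1 (/as appends here)
OID_RFC3161_TS = bytes.fromhex("060a2b060104018237030301")     # 1.3.6.1.4.1.311.3.3.1 (/tr timestamp)
OID_AUTHENTICODE_TS = bytes.fromhex("06092a864886f70d010906")  # 1.2.840.113549.1.9.6  (/t timestamp)

def security_directory(pe: bytes):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (entry 4)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                            # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)    # data directories: PE32+ vs PE32
    return struct.unpack_from("<II", pe, dd_base + 4 * 8)

def signature_blobs(pe: bytes):
    """Yield the bCertificate payload of each WIN_CERTIFICATE entry (entries are 8-byte aligned)."""
    off, size = security_directory(pe)
    end = off + size
    while off + 8 <= end:
        length, _revision, _cert_type = struct.unpack_from("<IHH", pe, off)
        yield pe[off + 8:off + length]
        off += (length + 7) & ~7

def check_dual_signing(pe: bytes) -> dict:
    """Heuristic report: which digests, timestamp styles and nesting the signature blob contains."""
    found = {"sha1": False, "sha256": False, "nested": False,
             "authenticode_ts": False, "rfc3161_ts": False}
    for blob in signature_blobs(pe):
        found["sha1"] |= OID_SHA1 in blob
        found["sha256"] |= OID_SHA256 in blob
        found["nested"] |= OID_NESTED_SIG in blob        # second signature lives inside the first
        found["authenticode_ts"] |= OID_AUTHENTICODE_TS in blob
        found["rfc3161_ts"] |= OID_RFC3161_TS in blob
    found["dual_signed"] = found["sha1"] and found["sha256"] and found["nested"]
    return found

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ image carrying cert_blob as its only WIN_CERTIFICATE (test input only)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    headers = b"PE\0\0" + bytes(20)                           # empty COFF header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    cert_off = 0x200
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, 8 + len(cert_blob))
    image = dos + headers + bytes(opt)
    image += bytes(cert_off - len(image))
    return image + struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
```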