Relic signing produces corrupted Advanced Installer MSI files #33

Closed
NinesPsygnosis opened this issue Aug 30, 2023 · 2 comments

@NinesPsygnosis

Issue Overview

When signing an Advanced Installer MSI file with Relic, the resulting signed MSI can no longer be executed. If I use SignTool.exe with the same installer and signing certificate then the MSI is successfully signed and not corrupted. This issue seems to be specific to Advanced Installer MSI files as Relic is able to sign other MSI files, such as those generated with WiX or MSIWrapper.

Reproduction Steps

NOTE: The requisite signing certificate, relic.yml, unsigned MSI and corrupted MSI files are all attached at the end of this report.

Creating a Signing Certificate

I used the following PowerShell script to generate a signing certificate:

$certProperties = @{
    DnsName           = "codesigning.local"
    CertStoreLocation = "Cert:\CurrentUser\My"
    KeyUsage          = "DigitalSignature"
    FriendlyName      = "My Code Signing Certificate"
    NotAfter          = (Get-Date).AddYears(5)
    Type              = "CodeSigningCert"
}

$cert = New-SelfSignedCertificate @certProperties

$password = ConvertTo-SecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert.PSPath -FilePath "signingcert.pfx" -Password $password

Creating an Advanced Installer MSI

  1. Download and install Advanced Installer.
  2. Launch Advanced Installer and select "Installer Project | Simple"
  3. Click "Build"
  4. Save the AIP file to the location you want your MSI file.
  5. The MSI file will now be created.

Signing MSI with Relic

relic.yml

tokens:
  file:
    type: file
    pin: password

keys:
  my_file_key:
    token: file
    keyfile: ./signingcert.pfx
    ispkcs12: true

timestamp:
  urls:
    - http://timestamp.digicert.com

Running Relic

relic sign --config relic.yml --file aitestinstaller.msi --output aitestinstallersigned.msi --key my_file_key

Executing the Installer

When attempting to execute the signed MSI, the following dialog is displayed:

image

Additional Information

Using SignTool.exe

signtool sign /f signingcert.pfx /p password /fd SHA256 /t http://timestamp.digicert.com /v aitestinstaller.msi

Test Files

RelicCorruptedMSITestFiles.zip

  • relic.yml (Relic Config)
  • signingcert.pfx (Signing Certificate)
  • aitestinstaller.msi (Original MSI File)
  • aitestinstallersigned.msi (Corrupted MSI File)

@arush15june

Facing the same issue, would be helpful to know what can be done.

mtharp added a commit that referenced this issue Feb 5, 2024
Some tools generate version 3 still, which apparently requires that the
field remains zeroed.
@mtharp
Contributor

mtharp commented Feb 7, 2024

Fixed in v7.6.2

@mtharp mtharp closed this as completed Feb 7, 2024
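
An added diagnostic, not part of the thread and not Relic's own code: MSI files are Compound File Binary (MS-CFB) containers, and a header check on the signed output catches this class of corruption before the installer ships. The commit message does not name the field; this example assumes it is the directory-sector count at header offset 0x28, which MS-CFB requires to be zero when the major version is 3. `checkCFBHeader` and `sampleHeader` are hypothetical names, and the sample headers are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"os"
)

var cfbMagic = []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1} // MS-CFB signature

// checkCFBHeader returns the MS-CFB header rules that the 512-byte header h breaks.
func checkCFBHeader(h []byte) []string {
	if len(h) < 512 || !bytes.Equal(h[:8], cfbMagic) {
		return []string{"not a compound file header"}
	}
	var bad []string
	major := binary.LittleEndian.Uint16(h[0x1A:])
	shift := binary.LittleEndian.Uint16(h[0x1E:])
	dirSectors := binary.LittleEndian.Uint32(h[0x28:])
	want := map[uint16]uint16{3: 9, 4: 12} // major version -> required sector shift
	if s, ok := want[major]; !ok {
		bad = append(bad, fmt.Sprintf("unexpected major version %d", major))
	} else if s != shift {
		bad = append(bad, fmt.Sprintf("v%d sector shift is %d, must be %d", major, shift, s))
	}
	if major == 3 && dirSectors != 0 { // assumed to be the field the fix leaves zeroed
		bad = append(bad, fmt.Sprintf("v3 directory sector count is %d, must be 0", dirSectors))
	}
	return bad
}

// sampleHeader builds a constructed (not real) header for the demo in main.
func sampleHeader(major, shift uint16, dirSectors uint32) []byte {
	h := make([]byte, 512)
	copy(h, cfbMagic)
	binary.LittleEndian.PutUint16(h[0x1A:], major)
	binary.LittleEndian.PutUint16(h[0x1E:], shift)
	binary.LittleEndian.PutUint32(h[0x28:], dirSectors)
	return h
}

func main() {
	fmt.Println("v3, count 0:", checkCFBHeader(sampleHeader(3, 9, 0)))
	fmt.Println("v3, count 2:", checkCFBHeader(sampleHeader(3, 9, 2)))
	for _, path := range os.Args[1:] { // file paths given as arguments are checked too
		data, err := os.ReadFile(path)
		fmt.Println(path, checkCFBHeader(data), err)
	}
}
```

Running it with the unsigned and signed MSI paths as arguments prints the findings for each file, so a header field that changed during signing shows up as a difference between the two lines.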