Friedrich seems to have enjoyed his nap
and has been back - posting on the newsgroups and on his forum.
Latest post is about a code-signing technology of which I hadn’t heard - Microsoft Trusted Code Signing. Apparently starts at $10 per month and bypasses Sectigo and the other rapacious barons of the authenticode universe.
My head hurts.
I’m too old for this.
And am very grateful for a Millennial coworker who patiently spent several hours with me as we tried to figure out Entra users and external users and roles, meaningless (to normal people) error messages, user interface (when do you select, when do you double-click), and other bits and pieces.
To sign your SetupBuilder Installer
where [CodeSignFolder] is the absolute path to the CallCodeSign.cmd file
the .cmd expects to have the other tools installed below it.
Glad you got it working!
My unfamiliarity with Azure, what’s called what, and what’s put where resulted in several head-bangings. But once it’s set up, it’s been working fine and I just add the batch file to the after-build stuff in the IDE so it gets signed each time I rebuild an EXE (which is what I previously did with the purchased PFX).
@Lindersoft I’m so happy to hear that the initial release of SetupBuilder 2025 is right around the corner.
I had not thought about the uninstaller. I’m not too concerned about it, but I’m curious if there is a way for me to sign the uninstaller with the pre-2025 version of SetupBuilder (using Microsoft’s Trusted Signing).
With respect to the #run:
I found that I was required to use an absolute path for the command
(which was not in a folder listed in my PATH environment variable)
I also was required to add the extension (.cmd in this case)
I thought that just having the Default Directory would be enough to point to the folder in question,
but that did not help either.
I have yet to figure out how to successfully pass a list of parameters where each parameter is a file enclosed in double quotes, where the values and are built using variables
ex: “[Var1]\This File” “[Var2]\That File” “[Var2][Var3]\The other file”
Unfortunately, it is not possible to sign the uninstaller with Trusted Signing in any pre-2025 version. Uninstaller signing is a very complex task. The uninstaller (and uninstall script) is generated on-the-fly during the INSTALLATION process. That means the uninstall.exe is not even there when you COMPILE the setup, so there is nothing to sign. The compiler makes use of a “secret method” (I developed it quite a few years ago when InstallShield tried to take over SetupBuilder) to let the installer embed the code-signature into the uninstaller at installer runtime. When you manually code-sign a setup.exe then this method does not work.
Carlos - thank you for pointing out the changes you can make in
SetupBuilder > Project > Settings > Tab[Advanced]
I can confirm that solved the “archive integrity check failed.” problem I just reported.
The compiler does some magic code-signing things when you support uninstall and archive integrity verification. SetupBuilder 2025 also does this when using Trusted Signing. In other words, in SetupBuilder 2025 you’ll have a perfectly valid code-signed uninstall.exe and archive integrity verification also works fine when adding a Trusted Signing signature.
A first SetupBuilder 2025 pre-release is available to selected users. The aim of this first pre-release is to test the new built-in (Microsoft / Azure) Trusted Signing support.
This build already supports Windows 11, Windows Server 2025 and ARM64 enhancements. Support for Clarion 12 is built-in, but still disabled.
I am still working on the updated documentation. Without documentation, some of the new features are not accessible.
HOW TO USE TRUSTED SIGNING:
In SetupBuilder 2025, code-signing configuration is done in “Tools | Options… | Code-Signing tab”
In the “Microsoft Code-Signing Tool” entry field, please select the “Trusted Signing” compatible SignTool.exe (with all its dependencies). In the next SB2025 pre-release we’ll have a redistributable available to install it.
“Software Publisher Certificate” supports “Signing Templates” now. This gives us flexibility and we can add all kinds of (future) signing methods.
“STPL” is the abbreviation for “Signing Template”. Please use the template “STPL_011://” for Microsoft Trusted Signing. Append the fully qualified path to your “metadata.json” for your Trusted Signing account.
Select a SHA-2 timestamp server in the “Global SHA-2 Timestamp Server” entry field. I would suggest using http://timestamp.acs.microsoft.com
Select the “Global SHA-2 only” signing type.
That’s it. This will enable Trusted Signing for the install, uninstall, “Installer Integrity Check” and “#code-sign application…” directive.
The compiler result should look like this after the compilation process:
If you have a Trusted Signing account and would like to test the SetupBuilder 2025 pre-release, please send an e-mail to [email protected]. An active (not expired) maintenance plan is required.
BTW, we’ll make new SetupBuilder 2025 pre-releases and builds available on a weekly basis.
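Added example (not part of the thread, and not SetupBuilder's or Microsoft's own script): a PowerShell pre-flight check for the `metadata.json` and Trusted Signing-compatible SignTool.exe that the post above asks you to select, followed by a manual sign-and-verify of one application EXE. All paths are placeholders; the Dlib file, the JSON key names and the SignTool switches come from Microsoft's Trusted Signing documentation, not from this page.

```powershell
# Pre-flight check, manual signing and verification for Trusted Signing.
# Every default path below is a placeholder (assumption); pass your own.
param(
    [string]$SignTool = 'C:\CodeSign\signtool.exe',
    [string]$Dlib     = 'C:\CodeSign\Azure.CodeSigning.Dlib.dll',
    [string]$Metadata = 'C:\CodeSign\metadata.json',
    [string]$Target   = 'C:\Build\My App\MyApp.exe'   # an application EXE, not setup.exe
)
$ErrorActionPreference = 'Stop'

# 1. All four files must exist before anything is sent to the signing service.
foreach ($path in $SignTool, $Dlib, $Metadata, $Target) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Missing file: $path"
    }
}

# 2. metadata.json must parse and carry the three account fields.
#    Expected shape (constructed sample values):
#    { "Endpoint": "https://<region>.codesigning.azure.net/",
#      "CodeSigningAccountName": "<account>",
#      "CertificateProfileName": "<profile>" }
$meta = Get-Content -LiteralPath $Metadata -Raw | ConvertFrom-Json
foreach ($key in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if ([string]::IsNullOrWhiteSpace($meta.$key)) {
        throw "metadata.json: '$key' is missing or empty"
    }
}
if ($meta.Endpoint -notmatch '^https://') {
    throw 'metadata.json: Endpoint must be an https:// URL'
}

# 3. Sign with SHA-256 digests and an RFC 3161 timestamp.
#    PowerShell quotes arguments that contain spaces when it calls a native EXE.
& $SignTool sign /v /fd SHA256 /td SHA256 `
    /tr 'http://timestamp.acs.microsoft.com' `
    /dlib $Dlib /dmdf $Metadata $Target
if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }

# 4. Verify the result: the chain must validate and a timestamp must be present.
#    Trusted Signing certificates are short-lived, so an untimestamped
#    signature stops validating once the certificate expires.
$sig = Get-AuthenticodeSignature -LiteralPath $Target
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) { throw 'Signature carries no timestamp' }
"Signed by: $($sig.SignerCertificate.Subject)"
```

The target here is an application EXE because, as stated earlier in the thread, manually signing a setup.exe bypasses the compiler's uninstaller-signing method.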