My first look at SetupBuilder 2025

Just a quick show-and-tell. My first installer built with the new SB. Download and test if you wish.
https://www.beachbunnysoftware.com/SB/HelloFriedrich.exe
TL;DR - installer, uninstaller, installed EXE all code-signed with Microsoft Trusted Signing.

This first beta of SB 2025 is already usable and having the new code-signing framework(s) will be a great addition.

I had a couple of teething pains.
The batch file I’ve been using to code-sign with Microsoft has used the /dlib switch to specify the location of a number of binaries (pic below). The current beta of SetupBuilder apparently expects those binaries all to be in the same folder with signtool.exe. Once I moved those files, all worked as expected.

The example is built with both the Enable Installer Integrity Check and the Verify Code-Signed Install at Startup checkboxes marked (re Carl’s and Mark’s prior discussion). No issues. In that code-signing needs to confirm that nothing has been modified, and the integrity check also needs to check that nothing has been modified, I can see that getting both of them to work smoothly together would be a chicken-and-egg wrestling match.

I also used the Microsoft signing within SB, rather than my batch file, to sign the Clarion HELLO.EXE that’s installed by the project. This is a beta of SB, and I wasn’t sure how to use that pre-processor item, but I filled in the minimum required information and it worked.

Code-signing the uninstaller works transparently.

Currently needed info for the pre-processor. Note that I did not specify a timestamp server. It picked up the one I have specified in Tools/Options in the IDE.

Having files in this BIN\x## folder worked for my batch file. But at the moment, SB expects them flattened into the same folder with signtool.exe.

2 Likes
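A check a reader could run after a build like the one in the post above, to confirm that the installer, the uninstaller and the installed EXE each carry a valid, timestamped Authenticode signature. This is an added example, not part of the original post and not SetupBuilder's own code. The three file paths and the function name `Test-SignedFile` are assumptions. The timestamp is checked because a signature without one stops validating once the signing certificate expires.

```powershell
# Added example: verify signature status and timestamp on the build outputs.
# All paths below are placeholders (assumptions); substitute your own files.
param(
    [string[]]$Path = @(
        'C:\Build\HelloFriedrich.exe',          # installer (placeholder path)
        'C:\Program Files\Hello\HELLO.EXE',     # installed EXE (placeholder path)
        'C:\Program Files\Hello\Uninstall.exe'  # uninstaller (placeholder name)
    )
)

function Test-SignedFile {
    param([Parameter(Mandatory)][string]$File)

    # A missing file is reported as a failure rather than silently skipped.
    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) {
        return [pscustomobject]@{
            File = $File; Status = 'Missing'; Signer = $null
            Timestamped = $false; Ok = $false
        }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $File

    # TimeStamperCertificate is only populated when a countersignature exists.
    $timestamped = $null -ne $sig.TimeStamperCertificate

    [pscustomobject]@{
        File        = $File
        Status      = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped = $timestamped
        Ok          = ($sig.Status -eq 'Valid') -and $timestamped
    }
}

$results = $Path | ForEach-Object { Test-SignedFile -File $_ }
$results | Format-Table -AutoSize

# Non-zero exit code lets a build script stop when any file fails the check.
if ($results.Ok -contains $false) { exit 1 }
```

A `HashMismatch` status means the file was modified after signing; compare the `Signer` column against the subject name you expect from your own certificate profile.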

Hi Jane,

Thanks for your post. It gave me confidence that the problem I was having was fixable.

BTW, I’m unclear how to get to some of the screens you posted. Can you please add directions on how to get to them?


I just now got SetupBuilder 2025 working for Trusted Signing as well.

No matter what I tried, it was failing with
Compiler error GEN1053: Code signing process failed. Error Code: 1

I eventually found my mistake on
SetupBuilder2025 > Tools > Options > Tab[ Code-Signing]

Global SHA-2 Timestamp Server (recommended)
I made the mistake of typing in the URL vs. using a drop down
and of course I had a typo…

Once I fixed that, then all my other changes suddenly worked
I do want to mention that Friedrich put in a fair bit of effort to get me working as well, but I had to cut his efforts short as I had to be somewhere else.


As Jane already mentioned, there is an assumption in SetupBuilder 2025 11.1.8339
that signtool and the /DLIB files are all in one folder. This means you’ll need to move some files around as the nuget or installs will create two separate trees of folders.


TIP: Part of what Friedrich had me do was to create a new project
and Project > Settings > Tab[ Digital Signature]
move the radio button to Digital Signature

Then compile that new project
I guess it doesn’t even need files
The compile is really fast and simple.

Once you have that working, then you can go back to your production projects and work on them.

Which screen(s) specifically, Mark?

I found “General Information” in
Project > Settings… > Tab[Advanced]

I found “Preprocessor: Code-Sign Application”
It’s the Compiler Directive “#code-sign application”
I found it in the script of another project

Like a lot of us, I juggle so many different tasks, that it often takes me a bit to re-learn what I once knew. Especially when it’s something that I configured well over a decade ago, and I haven’t had a need to touch.

So I asked where to find the screens as I wasn’t just finding them in 10 minutes. Part of my problem was I had a simple project open that didn’t have a #code-sign in it, just the project setting to sign the installer and uninstaller.

I find it’s usually helpful to explain how to get to a window instead of just assuming folks already know. It’s even been known to help me get back to a spot I’ve already found :wink:

Ah, the old pre-processor directive trick!

Sorry about that, Mark. Actually, my post was a quickie including some screen shots that I’d sent Friedrich. And I had full confidence that he would know what they were :wink:

That particular function is used to code-sign one’s own files that are going into the installer, and is conceptually separate from the code-signing of the installer itself and the uninstaller.
The code-signing is typically transitory (it code-signs a copy and sticks that into the installer), rather than modifying the actual file(s) in your file system. Although there’s a checkbox to override that behavior.

I got the code-signing of the installer and uninstaller working once I had sorted out the signtool folder. But the preprocessor code-sign directive window didn’t make sense to me, because it had only fields relevant to using a PFX. But by experimenting I found that selecting the file to be signed and giving it a descriptive name were all that was required.

When I wrote the post I deleted and reinserted the screen shot. It was supposed to go a couple of paragraphs higher but I was too tired to edit the post. That’s my excuse, and I’m sticking to it.

Anyway, in the future I’ll try to remind myself that my Vulcan mind-meld usually doesn’t work.

Cheers!