sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0

Relic signing produces corrupted Advanced Installer MSI files #33

Closed NinesPsygnosis closed 7 months ago

NinesPsygnosis commented 1 year ago

Issue Overview

When signing an Advanced Installer MSI file with Relic, the resulting signed MSI can no longer be executed. If I use SignTool.exe with the same installer and signing certificate then the MSI is successfully signed and not corrupted. This issue seems to be specific to Advanced Installer MSI files as Relic is able to sign other MSI files, such as those generated with WiX or MSIWrapper.

Reproduction Steps

NOTE: The requisite signing certificate, relic.yml, unsigned MSI and corrupted MSI files are all attached at the end of this report.

Creating a Signing Certificate

I used the following PowerShell script to generate a signing certificate:

# Self-signed code-signing certificate, created in the current user's personal store
$certProperties = @{
    DnsName           = "codesigning.local"
    CertStoreLocation = "Cert:\CurrentUser\My"
    KeyUsage          = "DigitalSignature"
    FriendlyName      = "My Code Signing Certificate"
    NotAfter          = (Get-Date).AddYears(5)
    Type              = "CodeSigningCert"
}

$cert = New-SelfSignedCertificate @certProperties

# Export certificate and private key as a PKCS#12 file (the pin referenced in relic.yml)
$password = ConvertTo-SecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert.PSPath -FilePath "signingcert.pfx" -Password $password

Creating an Advanced Installer MSI

  1. Download and install Advanced Installer.
  2. Launch Advanced Installer and select "Installer Project | Simple".
  3. Click "Build".
  4. Save the AIP file to the location where you want your MSI file.
  5. The MSI file will now be created.

Signing MSI with Relic

relic.yml

tokens:
  file:
    type: file
    pin: password

keys:
  my_file_key:
    token: file
    keyfile: ./signingcert.pfx
    ispkcs12: true

timestamp:
  urls:
    - http://timestamp.digicert.com

Running Relic

relic sign --config relic.yml --file aitestinstaller.msi --output aitestinstallersigned.msi --key my_file_key

Executing the Installer

When attempting to execute the signed MSI, the following dialog is displayed:

[image: error dialog shown when the signed MSI is executed]

Additional Information

Using SignTool.exe

signtool sign /f signingcert.pfx /p password /fd SHA256 /t http://timestamp.digicert.com /v aitestinstaller.msi

Test Files

RelicCorruptedMSITestFiles.zip
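A post-signing sanity check that a pipeline could run on relic's output before shipping it. This is an added example, not code from relic or Advanced Installer; it only validates the OLE compound-file container header that every MSI uses (so it flags a truncated or inconsistent file, but does not identify the specific defect reported here), and the sample input is a constructed minimal container.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE

def check_msi_container(data: bytes) -> list[str]:
    """Return structural problems found in an MSI (compound file) header.
    An empty list means the header is self-consistent with the file size."""
    problems = []
    if len(data) < 512:
        return ["file shorter than the 512-byte compound-file header"]
    hdr = data[:512]
    if hdr[:8] != CFB_MAGIC:
        problems.append("bad compound-file magic (not an OLE/MSI container)")
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", hdr, 24)
    (_ndir, num_fat, first_dir, _txn, mini_cutoff,
     _first_minifat, _nminifat, _first_difat, _ndifat) = struct.unpack_from("<9I", hdr, 40)
    if byte_order != 0xFFFE:
        problems.append(f"unexpected byte-order mark 0x{byte_order:04X}")
    expected_shift = {3: 9, 4: 12}.get(major)  # v3: 512-byte sectors, v4: 4096-byte
    if expected_shift is None:
        problems.append(f"unsupported major version {major}")
        return problems
    if sector_shift != expected_shift:
        problems.append(f"sector shift {sector_shift} does not match version {major}")
    if mini_shift != 6 or mini_cutoff != 4096:
        problems.append("non-standard mini-stream parameters")
    sector_size = 1 << sector_shift
    if len(data) < sector_size or len(data) % sector_size:
        problems.append(f"file length {len(data)} is not a whole number of {sector_size}-byte sectors")
    total_sectors = max(0, (len(data) - sector_size) // sector_size)  # sectors after the header
    if first_dir >= total_sectors:
        problems.append(f"directory starts at sector {first_dir} but only {total_sectors} exist")
    # The header holds the first 109 FAT sector numbers; unused slots must be FREESECT.
    for i, sect in enumerate(struct.unpack_from("<109I", hdr, 76)):
        if i < min(num_fat, 109):
            if sect >= total_sectors:
                problems.append(f"FAT sector {i} points past end of file ({sect})")
        elif sect != FREESECT:
            problems.append(f"DIFAT slot {i} should be free but holds 0x{sect:08X}")
            break
    return problems

def build_minimal_msi_container() -> bytes:
    """Constructed sample: v3 header, FAT in sector 0, directory in sector 1."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    return bytes(hdr) + bytes(512) * 2
```

Running it over both the unsigned input and relic's output, and failing the build when the output reports problems the input did not, catches a signer that damages the container rather than only inserting the signature stream.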

arush15june commented 8 months ago

Facing the same issue; it would be helpful to know what can be done.

mtharp commented 7 months ago

Fixed in v7.6.2