Use jsign instead of SignTool as an alternative option for code-signing

jefc

Member
Hello,

Is there a possibility to sign both the generated package and bootstraps with the `jsign` tool instead of `SignTool`?
I have tried to do it by modifying the `SignTool` executable path and arguments to use a `jsign` command, but Paquet Builder does not seem to accept it.

Thanks for your help.
 
What steps did you follow? If you select jsign as the signtool in the Environment Options, PB will use it. You can then choose your custom commands.
 
OK, thanks, if I configure it through the Environment Options, I can get it to work.

But is there a way to also make it work using the [SignToolCmd] section from the directive file? I cannot get it to work using the syntax documented in https://www.installpackbuilder.com/help/automation-command-line/directives/ : if I use 0=..., the command-line compiler fails with an error stating that "0" is an invalid argument for jsign. If I remove the "0=" and just leave the arguments (with or without the path to the executable in the command), the command-line compiler does not show an error but does not sign the executable. Am I missing something?
 
There is a bug confirmed in this section that we will fix in the next update.
Remove the 0=
For instance, the following instructions work:
Code:
[SignToolCmd]
sign /v /d test /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /sha1 HASHSTRING /sm {$PBOUTPUTFILE$}
 
Thanks for your feedback.

I did several tests, but even if there is no longer an error after removing the `0=` in the directive file, it looks like the signing command is never called unless it is also defined in the .pbpx file, which we would like to avoid.

Here are the parameters we set in the directive file for signing:
INI:
[General]
...
DigitalSign=1
SignCertifLocation=3
...

[SignToolCmd]
sign --storetype AWS --keystore eu-west-1 --alias test-vst-code-signing --certfile C:\local\signtools\testCodeSigningCert.crt --tsaurl http://timestamp.globalsign.com/tsa/r45standard --tsmode RFC3161 --tsretries 3 --tsretrywait 10 {$PBOUTPUTFILE$}

When the sign tool command is set only in the .pbd file, the `Digital Signatures` tab of the installer executable is empty (i.e. nothing is listed in `Embedded Signatures`).

Is there something else to configure so that defining the path to `jsign.exe` in the PB environment and defining the signing command parameters in the .pbd file is enough to sign, without also having to add the signing command parameters to the .pbpx file?
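The symptom above (an empty Embedded Signatures list) can be checked without opening the Properties dialog by reading the PE certificate table directly. The following is an added example, not code from Paquet Builder or jsign; it assumes the output is a standard PE32/PE32+ executable and includes a constructed headers-only image to exercise both the unsigned and signed cases.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot of the Authenticode certificate table


def embedded_signature_info(pe: bytes):
    """Return the certificate-table entry of a PE image, or None when the file is unsigned.

    That table is what the Digital Signatures tab lists as Embedded Signatures; its
    data-directory entry holds a raw file offset (not an RVA) and a byte size.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                      # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, num_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None                         # unsigned: nothing would be listed in the tab
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE header
    return {"offset": offset, "size": size, "length": length,
            "revision": revision, "cert_type": cert_type}


def build_min_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed headers-only PE32+ image for testing (not a loadable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    if cert_blob:                                                    # table starts right after headers
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 328, len(cert_blob))
    return dos + coff + bytes(opt) + cert_blob


# Constructed WIN_CERTIFICATE: dwLength=40, wRevision=0x0200, wCertificateType=2 (PKCS#7 SignedData)
CONSTRUCTED_CERT_BLOB = struct.pack("<IHH", 40, 0x0200, 0x0002) + b"\0" * 32
```

Run `embedded_signature_info(open(path, "rb").read())` on the produced installer: `None` means the sign command was never applied, while a result with `cert_type == 2` confirms a PKCS#7 signature block is embedded (validity of the chain and timestamp is a separate check).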
 