I have some (C++ Win32 API) code that verifies the signature of files. The same code is executed in an ActiveX control and in a custom action of the MSI.

When it runs as part of the ActiveX control the check succeeds, but when it is executed as part of a custom action of the MSI the verification fails.

I have used signtool.exe and checked the files. Without the /pa flag the verification fails. I assume that, for some reason, when executed in ActiveX it uses the Default Authentication Verification Policy, and when executed in a custom action of the MSI it uses the Windows Driver Verification Policy.

Any ideas how to make it work for MSI?

Thanks, Zaky

Zaky
  • Well, it seems it is not related to the Windows Driver Policy, since other files that are successfully verified in both cases (from MSI and by ActiveX) are getting an error when using signtool.exe without the /pa flag. – Zaky Dec 04 '13 at 22:05
  • The bottom line: WinVerifyTrust returns the 0x800B0109 error code when checking the file. – Zaky Dec 04 '13 at 23:31

1 Answer

The issue was resolved when I added the certificate at MACHINE level to publishing services.

Zaky
  • What do you mean by adding the certificate at MACHINE level to publishing services? My problem is that the VC++ 2010 installation fails because it complains that vc_red.cab has an invalid digital signature. I used signtool to verify the signature: it is ok with the /pa flag, not ok otherwise. I installed Microsoft's signing cert but the problem is still there. Am I doing something wrong? The problem occurs on some machines, but on other machines it installs fine. – Eddy Yuansheng Wu Jul 01 '16 at 09:02
  • If I recall correctly, I referred to the root certificate that was missing under the machine account but existed under the current user account. On the working machine, check the complete chain via the Digital Signature property and compare it with the non-working machine. You can export the needed certificates from the working machine and import them on the non-working one under the corresponding section. I think I had issues with Trusted Root Certificate Authorities. Run mmc and add the Certificates snap-in. Also pay attention to the countersignature certificates. – Zaky Jul 03 '16 at 22:54
  • I have found the solution: the certificate that comes with the installer expired in 2012. So I downloaded a fresh copy of the installer from Microsoft and it now works fine. – Eddy Yuansheng Wu Jul 04 '16 at 03:30
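
Added example, not part of the original posts: a PowerShell diagnostic for the two causes named in this thread, a root certificate present only in the current user's store and an expired certificate in the chain. The file path is a placeholder and the report property names are made up for this example; run it on a working and a non-working machine and compare the output.

```powershell
# Added diagnostic example. $Path is a placeholder; pass the file that fails verification.
param([string]$Path = 'C:\path\to\signed-file.cab')

function Get-ChainReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Role
    )
    if (-not $Cert) { return }   # e.g. the file carries no countersignature
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only inspect what is installed locally; skip online revocation lookups.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $selfSigned = $c.Subject -eq $c.Issuer
        # The CurrentUser view also shows machine-wide roots, so a user-only root
        # is one that appears under CurrentUser but not under LocalMachine.
        $inUser     = Test-Path "Cert:\CurrentUser\Root\$($c.Thumbprint)"
        $inMachine  = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
        [pscustomobject]@{
            Role         = $Role
            Subject      = $c.Subject
            NotAfter     = $c.NotAfter
            Expired      = $c.NotAfter -lt (Get-Date)
            IsRoot       = $selfSigned
            UserOnlyRoot = $selfSigned -and $inUser -and -not $inMachine
        }
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status as seen by the current account: $($sig.Status) - $($sig.StatusMessage)"

# Check both the signing chain and the countersignature (timestamp) chain.
$report = @(Get-ChainReport $sig.SignerCertificate 'Signer') +
          @(Get-ChainReport $sig.TimeStamperCertificate 'Countersigner')
$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Role -eq 'Signer' -and $_.IsRoot })) {
    'Signer chain does not end in a self-signed root: the root is missing on this machine.'
}
```

A row with `UserOnlyRoot` set to True marks a root that code running under a different account on the same machine will not find, which matches the 0x800B0109 (untrusted root) result reported above.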