Why doesn't signtool.exe support the /as option when dual signing SHA2 and SHA1? - signtool

I get an error about the /as option when dual signing with SHA2 and SHA1:
signtool sign /v /n "name" /sha1 "sha1 hash" /t http://timestamp.verisign.com/scripts/timstamp.dll my.exe
signtool sign /v /n "name" /sha1 "sha1 hash for sha256" /as /fd sha256 /tr http://timestamp.geotrust.com/tsa /td sha256 my.exe
SignTool Error: Invalid option: /as
I guess my signtool.exe version does not support the /as option? The signtool.exe version I use is 6.1.7600.16385. BTW, I can sign SHA2 successfully without the /as option.

I can dual sign files successfully when I use the higher version 6.2.9200.20527 of signtool. This signtool belongs to the Windows SDK 8 https://dev.windows.com/en-us/downloads/windows-8-sdk. I guess that versions higher than the Windows 8 SDK also support the /as option.

You need Windows 8/10; it's impossible, at least for now, under Windows 7, which is really strange. Even if you use newer signtool binaries under Windows 7 (for example from SDK 10), it will still not be possible to use the /as switch.

I guess the actual reason for the issue is this: signtool.exe is linked with mssign32.dll and wintrust.dll. These DLLs are found under %WinDir%\system32 and on Windows 7 don't seem to support dual signing. WinSDK 8.x comes with its own versions of these DLLs in the same folder as signtool.exe. Here dual signing works! With older SDK versions it doesn't. I just installed the WinSDK 10 on my Windows 7 and again it no longer works here, as this SDK no longer comes with its own versions of the DLLs mentioned above. I guess this is why others think it works under Windows 8.x and higher only, as there the mssign32.dll is newer...
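The checks and commands from this thread combined into one script, as an added example that is not part of the original posts: it reports the signtool.exe version and whether mssign32.dll and wintrust.dll sit beside it, refuses to continue with a signtool older than 6.2 (the thread reports 6.1.7600.16385 rejecting /as), then signs with SHA1, appends the SHA256 signature and verifies both. All parameter names are assumptions; thumbprints and timestamp URLs must be supplied by the caller.

```powershell
# Added example, not from the thread. All parameters are caller-supplied.
param(
    [Parameter(Mandatory=$true)] [string] $SignTool,        # full path to signtool.exe
    [Parameter(Mandatory=$true)] [string] $File,            # file to dual sign
    [Parameter(Mandatory=$true)] [string] $Sha1Thumb,       # thumbprint of the SHA1 certificate
    [Parameter(Mandatory=$true)] [string] $Sha256Thumb,     # thumbprint of the SHA256 certificate
    [Parameter(Mandatory=$true)] [string] $AuthenticodeUrl, # timestamp server used with /t
    [Parameter(Mandatory=$true)] [string] $Rfc3161Url       # timestamp server used with /tr
)
$ErrorActionPreference = 'Stop'

# Build a comparable version from the numeric parts; the FileVersion string
# can carry trailing text that does not parse.
function Get-FileVer([string] $Path) {
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$toolVer = Get-FileVer $SignTool
Write-Host "signtool.exe  $toolVer"
foreach ($dll in 'mssign32.dll', 'wintrust.dll') {
    $local = Join-Path (Split-Path -Parent $SignTool) $dll
    if (Test-Path -LiteralPath $local) { Write-Host "$dll  $(Get-FileVer $local) (beside signtool.exe)" }
    else { Write-Host "$dll  not beside signtool.exe (system copy is used)" }
}

# The thread reports 6.1.7600.16385 rejecting /as and 6.2.9200.20527 accepting it.
if ($toolVer -lt (New-Object System.Version -ArgumentList 6, 2)) {
    throw "signtool $toolVer is older than the version reported to accept /as"
}

function Invoke-SignTool {
    & $SignTool @args
    if ($LASTEXITCODE -ne 0) { throw "signtool $($args[0]) failed with exit code $LASTEXITCODE" }
}

# First signature: SHA1 digest (signtool default) with an Authenticode timestamp.
Invoke-SignTool sign /v /sha1 $Sha1Thumb /t $AuthenticodeUrl $File
# Second signature: appended with /as, SHA256 file digest and RFC 3161 timestamp.
Invoke-SignTool sign /v /sha1 $Sha256Thumb /as /fd sha256 /tr $Rfc3161Url /td sha256 $File
# /all checks every signature in the file instead of only the first one.
Invoke-SignTool verify /pa /all /v $File
```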

Related

Oracle Universal Installer is stuck on step 7 out of 10

I had a previous laptop where my C# code was connected to an Oracle database, and I had no problem when I installed the Oracle Universal Installer there.
But then it crashed and now I am transferring my project to a different laptop. When I tried to run my code on the new laptop, it gave an error such as the one below:
System.TypeInitializationException: The type initializer for 'Oracle.DataAccess.Client.OracleConnection' threw an exception. ---> Oracle.DataAccess.Client.oracleException: The provider is not compatible with the version of Oracle client
So what I did was try to install the Oracle Universal Installer (the same installer I used on my previous laptop), ODAC 12.2.0.1.1 from https://www.oracle.com/database/technologies/dotnet-odacdev-downloads.html
But the installation never ends. It is stuck on Step 7 of 10. Please see the screenshot here: https://imgur.com/a/DYgNcOH
Please help!!!
It is not clear what the problem could be; there are several issues with the Oracle Installer.
Perhaps you have installed more than one Oracle Client. You should remove any existing clients entirely before you install one fresh Client. See How to uninstall / completely remove Oracle 11g (client)? for help. You should not mix installations with Oracle Universal Installer and ODAC; use only one type. It can be rather difficult to make them work together.
Before you launch the Oracle Universal Installer, clear the TEMP files:
FOR /D %D in ( %TEMP%\deinstall* ) DO rmdir /S /Q %D
FOR /D %D in ( %TEMP%\OraInstall* ) DO rmdir /S /Q %D
FOR /D %D in ( %TEMP%\CVU* ) DO rmdir /S /Q %D
Ensure you started the Oracle Universal Installer as Administrator. Ensure you install the same architecture (i.e. 32-bit vs. 64-bit) as your application.
Due to Bug 17548895: CUSTOM INSTALL FAILS TO INCLUDE ORACLSCE12.DLL you have to include component "Oracle Net" in your installation if you run "Custom Install"
Oracle 12.1 and higher does not register the Oracle Data Provider for .NET in the GAC anymore, see Doc ID 2272241.1. See SSMA unable to find specified provider for solution.
I had the same issue. I had to disable the antivirus system (Avast). Then it worked OK.

Code Signing Certificate Flag

Is this MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG flag used for code signing supported on Windows XP, Windows Vista and Windows 7?
When I use this flag in the CertVerifyCertificateChainPolicy function on the above operating systems, I get a
CERT_E_UNTRUSTEDROOT
error.
It is working fine for me on Windows 8 and above though.
According to Microsoft
The dwFlags member of the CERT_CHAIN_POLICY_PARA structure pointed to by the pPolicyStatus parameter can contain the MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG flag, which causes this function to also check for the Microsoft application root "Microsoft Root Certificate Authority 2011".
So make sure those older systems have "Microsoft Root Certificate Authority 2011" package installed. For more info, see http://support.microsoft.com/kb/931125
To manually install the certificates:
Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
Extract the files using the command rootsupd.exe /c /t:C:\temp\extroot
From C:\temp\extroot run the following 4 commands (from an elevated prompt):
updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst

Code Signed Application Generates Warning Message

Being fully aware of the deprecation of SHA1 and having access to an SHA256 certificate (issued by Comodo) which I have installed to my system and am using to code-sign project executables (in this case, the project executable is an INNO compiled setup file), I am continuing to receive complaints from users about seeing this warning message:
This is the command that I am using to code sign with (I have added the path to SignTool.exe to the system Path variable, so I do not qualify it completely when I call it; also, the command is in a .bat file):
SignTool.exe sign /v /a /fd sha256 /du "http://www.foo.bar" %1
My first guess is that I am not using the SignTool sign command correctly. I know that the certificate is installed because I have seen it when I looked with Certmgr.msc. More evidence that the code sign is successful:
Why is this still happening?
I'm not sure what the problem is specifically, but you can verify the signature after signing using SignTool.exe
I use it with the following arguments:
signtool.exe verify /pa /v [pathToSignedFile]

Signed ghostscript postscript print driver

I am using the Windows postscript print driver that is shipped with ghostscript (lib/ghostpdf.inf) to generate postscript files from print jobs.
However the postscript driver is not digitally signed, so Windows 8 and Windows Server 2012 won't allow installing it without booting into the "allow unsigned drivers"-mode.
Do you know if there is any signed version out there to be used with the latest Windows versions?
If that's not the case, I am fine compiling and signing it myself; however, I was not able to find the source code for the postscript print driver within the git repo available at http://git.ghostscript.com/ghostpdl.git.
Maybe I've just overlooked it, since I am not familiar with building drivers.
Can one give me a hint where I can find the postscript driver files to compile it myself?
EDIT: How does the .INF file tell Windows where the driver binaries are located? I've looked into the "ClassGUID", however it's the same for all drivers and the registry entry says something about C:\Windows\System32\ntprint.dll. I don't think this is important for the problem, is it?
To sign "the ghostscript driver" you just have to sign the INF-file that comes with Ghostscript.
There's an article on TechNet describing the steps required to do so.
The steps are:
1) Create/acquire a certificate
2) Ensure that your computer trusts the certificate (place it in your cert store if required)
3) Download and install the Windows Driver Kit (WDK)
4) Change the CatalogFile=oemprint.cat in the INF file to ghostpdf.cat
5) Change the DriverVer=01/02/2007,1.0.0.1 to DriverVer=01/01/2013,1.0.0.1 (maybe you need some other date, you'll see that in the next step)
6) Use the Inf2Cat tool to create a cat file (was at C:\Program Files (x86)\Windows Kits\8.0\bin\x86 for me):
NOTE:
Use cmd.exe, not PowerShell, as PowerShell gives a "Parameter format not correct." error all the time.
Command:
inf2cat.exe /driver:c:\path\to\folder\whereCatFileIsIn /os:7_X86,7_X64,8_X86,8_X64[,other OS you'd like to support]
7) Sign the cat file using the signtool (Same directory as the Inf2Cat tool)
Command:
SignTool.exe sign /f "C:\Path\to\my.pfx" /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Path\To\ghostpdf.cat"
(See the signtool docs for more information about the available parameters)
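Steps 4 to 7 of the answer above as one script, added here as an example that is not part of the original answer: it rewrites CatalogFile and DriverVer in the [Version] section of ghostpdf.inf, runs Inf2Cat, signs the catalog and verifies the result. It passes the /os list as a single quoted string, because PowerShell treats an unquoted comma-separated argument as an array. Parameter names are assumptions; tool folder, PFX and timestamp URL are caller-supplied, and the INF is assumed to be plain ASCII.

```powershell
# Added example, not from the answer. Tool folder, PFX and timestamp URL
# are caller-supplied; the INF is assumed to be plain ASCII text.
param(
    [Parameter(Mandatory=$true)] [string] $DriverDir,     # folder holding ghostpdf.inf
    [Parameter(Mandatory=$true)] [string] $KitBin,        # WDK folder with Inf2Cat.exe and SignTool.exe
    [Parameter(Mandatory=$true)] [string] $Pfx,           # code-signing certificate (PFX)
    [Parameter(Mandatory=$true)] [string] $TimestampUrl,  # timestamp server used with /t
    [string] $DriverVer = '01/01/2013,1.0.0.1',           # value from step 5
    [string] $OsList    = '7_X86,7_X64,8_X86,8_X64'       # value from step 6
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool([string] $Exe) {
    & (Join-Path $KitBin $Exe) @args
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Steps 4 and 5: change CatalogFile and DriverVer, but only inside [Version].
$inf = Join-Path $DriverDir 'ghostpdf.inf'
if (-not (Test-Path -LiteralPath "$inf.orig")) { Copy-Item -LiteralPath $inf -Destination "$inf.orig" }
$section = ''
$lines = Get-Content -LiteralPath $inf | ForEach-Object {
    if ($_ -match '^\s*\[(.+?)\]') { $section = $Matches[1] }
    if ($section -eq 'Version' -and $_ -match '^\s*CatalogFile\s*=') { 'CatalogFile=ghostpdf.cat' }
    elseif ($section -eq 'Version' -and $_ -match '^\s*DriverVer\s*=') { "DriverVer=$DriverVer" }
    else { $_ }
}
Set-Content -LiteralPath $inf -Value $lines

# Step 6: quoted strings keep each switch, including the comma list, as one argument.
Invoke-Tool 'Inf2Cat.exe' "/driver:$DriverDir" "/os:$OsList"

# Step 7: sign the generated catalog, then check the signature.
$cat = Join-Path $DriverDir 'ghostpdf.cat'
Invoke-Tool 'SignTool.exe' sign /f $Pfx /t $TimestampUrl $cat
Invoke-Tool 'SignTool.exe' verify /pa /v $cat
```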
.inf files are not drivers, they are just text files with some installer information. There is no signed version of this, nor do you need it, you can use the output of any PostScript driver with Ghostscript.
You can't compile a .inf file, because there is nothing to compile. I have no idea how you go about signing such a thing in the latest versions of Windows, but if you want to give it a try you can open the .inf file with a text editor.
Q: Do you know if there is any signed version out there to be used with the latest Windows versions?
* Workaround *
A: For my Postscript driver issue I re-used the already signed driver from the freeware PDF generator PDFill Writer.
https://www.pdfill.com/freewriter.html
In my case, I am a Sybase Powerbuilder developer, and my application depends on the Ghostscript Postscript driver.
I hope this helps.

Error installing a virtual printer driver on windows 7 64bit

I have developed a virtual printer driver in VC++.NET and it is working fine in a 32-bit environment. But while installing it on Win7 64-bit, it throws an error "Operation could not be completed (error 0x800f0214)" at the line
rundll32 printui.dll,PrintUIEntry /if /b "printername" /f "printer.inf" /r "printer port" /m "printer model" /hx64
Note: printerdriver.dll is compiled in 64bit.
Could you please help me to sort out this issue?
Is your INF file correct? Do verify it using INFGate.exe; there should be no errors reported by the tool.
If the INF file is correct, then it must be a signature issue. Please note that signing is required for 64-bit Windows drivers, but not for 32-bit drivers.
In order to sign your driver, first make a cat file using inf2cat.exe and then use signtool to sign the catalog file. All these tools come with the WinDDK.
Have a look at this link for details on signing: http://msdn.microsoft.com/en-us/library/windows/hardware/ff544865(v=vs.85).aspx
