Unable to sign bootstrapper executable (setup.exe) after embeding manifest

3

We are using Nant to prepare setup of our software using Clickonce.

Using signtool to sign dll(s) and exe(s).

signtool command : signtool sign /f ${certFile} /p ${certFilePwd} {path of setup.exe}

Using Mt.exe to embed manifests in exe files.

Mt command : mt -manifest {manifest file} -outputresource:{filepath};#1

We have two exe files. One is our app.exe and second is setup.exe(bootstrapper created by clickonce)

There is no issue with app.exe in signing after embedding manifests.

But signing of setup.exe after embedding manifest is giving below error:

SignTool Error: SignedCode::Sign returned error: 0x80070057. The parameter is incorrect.

manifest file contains:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
    <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
        <ms_asmv2:security>
            <ms_asmv2:requestedPrivileges>
                <ms_asmv2:requestedExecutionLevel level="asInvoker" 
                           uiAccess="false"></ms_asmv2:requestedExecutionLevel>
            </ms_asmv2:requestedPrivileges>
        </ms_asmv2:security>
    </ms_asmv2:trustInfo>
</assembly>

No error if I do sign before embedding manifest but it cant work as any file needs resigning after changes.

I also tried following steps:

  1. sign setup.exe
  2. embed manifests
  3. resign setup.exe (same error during this step as above)

Does any have solution/workaround of this problem?

clickonce
signing
bootstrapper
signtool
mt
asked on Stack Overflow Feb 21, 2013 by Riken • edited Sep 23, 2014 by Stein ├ůsmul

2 Answers

1

I can't find a source to cite, but I ran into a similar problem a while ago and you can't sign a setup.exe that has been previously signed. You can generate your bootstrapper from scratch (see MSDN), apply your manifest and then sign it (for the first time!) and it should work.

answered on Stack Overflow Nov 8, 2013 by dee-see
0

Conclusion

Sometimes, an obfuscator tool produced an un-signable file. meaning, the signtool was returning error 0x80070057 for anything I tried.

I've also noticed that the Version and Language properties are blank on the 'invalid' file see first DLL is valid while the second one is not

So, my conclusion is that it's an issue with the file itself and not with the sign tool or sign server.

How I got to this conclusion

I tried all the answers suggested:

I tried with multiple sign servers:

answered on Stack Overflow Jan 2, 2020 by itsho • edited Jan 2, 2020 by itsho

User contributions licensed under CC BY-SA 3.0