Background
I have a WiX/Burn installation bundle which, among other things, installs the ReportViewer 2012 Runtime. When run on a Windows 7 or later machine, it works fine. On XP (SP3) or Vista (SP1) it fails.
Now, checking the download page for the ReportViewer redistributable, I do notice it says it requires Vista SP2 or higher. Normally I would accept this, but a)I think this has recently changed, and b)downloading and manually installing this redistributable works. It's possible there are parts that do not work on XP/Vista but for my intents and purposes it installs and runs quite well despite their claims.
Problem
Examining the installation log file explains the digital signature verification failed. So I manually download the redistributable package onto the Windows XP machine and examine its signature. The signature is there, but the timestamp reports "Not available". Hitting Details also tells me the signing time is "Not available". The file itself is signed by an expired certificate, so naturally verification fails without this timestamp.
However, if I download the same file to a Windows 7 machine, the timestamp is present. Hitting Details shows me the countersignature, verification works, and installation proceeds correctly.
What I've Tried
I have installed a number of different versions of the "Update for Root Certificates" to no avail, including the latest. If this is indeed the solution, please tell me which one I need.
I have followed the certificate chain on the countersignature and it ends at "Microsoft Root Certificate Authority 2010". This root certificate appears to be installed in the XP machine. The only thing I can see is the "2011" version of this certificate is also in the "Third-Party Root Certification Authorities" store, while the 2010 is not. I do not know if this is the cause of the problem or normal.
I may eventually resort to disabling signature verification and using hash-based verification of the payload. However before doing this I would like to know if I have missed something obvious.
My Question
Is there an update to download or a step that can be taken by "normal" users which will allow the timestamp/countersignature to be recognized in XP/Vista? "Normal" users here means someone who is not very computer-literate; I am not referring to administrator rights.
It seems that there are two timestamp countersignature types that can be used for Windows code signing (Authenticode):
V1
in the Version field (PKCS#7 version?) of the countersignature propertiesV2
I have not found any documentation that states this explicitly, but through testing it seems that Windows XP (SP3, with all updates installed) only supports timestamps with version V1
. Timestamps with version V2
result in the "not available" status. Of course, the version numbers might just correlate with the results -- there is possibly another aspect to the timestamp that causes it to be ignored.
The ReportViewer MSI file that is currently available has a V2
timestamp. However, the timestamp was also made in July 2014, after this question was posted.
More background:
The Windows SDK signtool
command supports two options (to the sign
and timestamp
sub-commands) to generate the two different timestamp types:
/t <timestamp server URL>
: results in V1
/tr <RFC 3161 timestamp server URL>
: results in V2
The signtool
documentation for /tr
states:
Windows Vista and earlier: This flag is not supported.
However, it seems unclear (due to the way that similar statements are used on other options) whether this applies to the target system or the system that signtool
is running on.
V1
timestamp:
signtool.exe sign /f cert.pfx /p %passphrase% /t http://timestamp.comodoca.com/authenticode /d "Test" test.exe
V2
timestamp:
signtool.exe sign /f cert.pfx /p %passphrase% /tr http://timestamp.comodoca.com/rfc3161 /d "Test" test-rfc3161.exe
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With