
Certificate used for signing has expired ...

Br_nar

Dear,

the certificate which is used to add a digital signature to the installer, as well as the individual files (driver, catalog, and maybe others as well) has expired.

The certificate used is the 'Elaborate Bytes AG' certificate, which was only valid till 07/12/2008. I've checked this on both the production release v5.4.1.1, as well as the beta release v5.4.1.3, and both have the same problem. Other software packages like GameJackal Pro have been signed with the 'SlySoft Inc.' certificate, which is valid until 30/11/2010.

I'm currently experiencing problems with unattended setup of Virtual CloneDrive, because the certificate check fails during the driver installation. As a workaround I just figured out that I can roll back the time to somewhere before 07/12/2008, do the installation, and sync the time afterwards.

A more permanent/professional solution would be to have another package which has correct digital signatures. Can you please use valid certificates for all future releases, and is it perhaps possible to post a more recent version of the current production version? Since I'm using this great software in a production environment, I prefer stable releases, instead of beta versions.

Thx in advance, Br_nar
 
Shouldn't matter, as the signing time is important, not the installation time, as the certificate is countersigned.

EDIT: VCD isn't WHQL signed, so you'll always see a warning under XP.
 
Dear Br_nar.

The certificate used is the 'Elaborate Bytes AG' certificate, which was only valid till 07/12/2008. I've checked this on both the production release v5.4.1.1, as well as the beta release v5.4.1.3, and both have the same problem.

Thank you for the notification. Yes, Elby's code signing certificate expired and is being renewed. But both versions were signed when the certificate was still valid. The signature includes a 3rd-party-signed timestamp to prove that and keep signed installers from expiring.

Is this signed timestamp not recognized by your system?

Greetings,
Joe
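
The distinction drawn in the replies above (expired signer certificate versus a signature that carries a timestamp countersignature) can be checked per file. This is an added example, not part of the original posts; the function name and output fields are illustrative, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report whether an expired signer certificate is covered
# by a timestamp countersignature. Names here are illustrative.
function Get-SignatureTimeState {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [datetime]$Now = (Get-Date)
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate

    $subject  = $null
    $notAfter = $null
    if ($null -ne $signer) {
        $subject  = $signer.Subject
        $notAfter = $signer.NotAfter
    }

    if ($null -eq $signer) {
        $verdict = 'No Authenticode signature found on this file.'
    }
    elseif ($notAfter -ge $Now) {
        $verdict = 'Signer certificate is still within its validity period.'
    }
    elseif ($null -ne $tsa) {
        $verdict = 'Signer certificate has expired, but the signature is timestamped; validity is judged at signing time.'
    }
    else {
        $verdict = 'Signer certificate has expired and the signature has no timestamp.'
    }

    [pscustomobject]@{
        File           = $Path
        Status         = $sig.Status         # what Windows itself concludes
        StatusMessage  = $sig.StatusMessage
        Signer         = $subject
        SignerNotAfter = $notAfter
        HasTimestamp   = ($null -ne $tsa)
        Verdict        = $verdict
    }
}

# Usage: Get-SignatureTimeState -Path .\SetupVirtualCloneDrive5411.exe
```

If `Status` is not `Valid` even though `HasTimestamp` is true, the cause lies elsewhere, for example in which certificates are present in which stores.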
 
Thx for your quick responses.

I'm trying to install on x86 (32-bit) Vista machines, and the install gives me problems at the point the driver is being installed.
The actual install is executed during an Operating System Deployment (OSD) Task Sequence, launched from Configuration Manager 2007.

I'm still investigating, because it seems to be related to which certificates I import at which certificate stores, and under which account I'm doing the installation (admin vs system-accounts). CertUtil.exe (which I use to import the certificates silently) behaves differently when launched from a regular user account or from the system account (which is the default for OSD Task Sequences).

My apologies for concluding too quickly that the problem was related to the expired certificate. However, the information you guys gave me in your responses is very helpful to understand what's going on. When I can figure this out completely, I will post my findings with the community, so that others have fewer difficulties with their unattended setups.

Kind regards, Br_nar
 
Installation problem caused by a bug(?) in Windows

The problem I was experiencing was related to the following strange behaviour of Windows (bug????):

After importing the certificates, the driver could not be installed unattended. It seemed like the certificates were not imported properly. After manually validating the certificate chain (not changing anything), the driver suddenly installed successfully. As a workaround/fix, I'm now executing the following steps in my silent installation script:
  1. import certificates using certutil
  2. force certificate validation using certutil. Apparently some internal thing needs to be refreshed within Windows Vista.
  3. Launch Silent install of Virtual CloneDrive
My apologies for blaming the expired certificate. It has nothing to do with the problem, although it does require me to add an additional check in my silent installation script. For those interested, please find the script I've created + explanation in my next post.

Kind regards,
Br_nar
 
Detailed steps for completely unattended setup of Virtual CloneDrive

Here are the detailed steps for a completely unattended setup of Virtual CloneDrive:
  1. Extract and save the digital signatures to files as follows:
    • Right-click SetupVirtualCloneDrive5411.exe and open up the properties
    • Click the 'Digital Signatures' tab
    • Select the Elby signature and press Details - View Certificate
      • First certificate Issued to 'Elaborate Bytes AG'
        Click the Details tab - Copy to file - Base-64 encoded -> 'Elaborate Bytes AG.cer'
        Return to the Elby certificate and click 'Certification Path'
        Select the 'GlobalSign ObjectSign CA' certificate and press 'View Certificate'
      • Second certificate Issued to 'GlobalSign ObjectSign CA'
        Click the Details tab - Copy to file - Base-64 encoded -> 'GlobalSign ObjectSign CA.cer'
        Return to the GlobalSign ObjectSign CA certificate and click 'Certification Path'
        Select the 'GlobalSign Primary Object Publishing CA' certificate and press 'View Certificate'
      • Third certificate Issued to 'GlobalSign Primary Object Publishing CA'
        Click the Details tab - Copy to file - Base-64 encoded -> 'GlobalSign Primary Object Publishing CA.cer'
        There is no need to save the GlobalSign certificate, since this is already a Trusted Root certificate on Windows Vista
  2. Import the Elby certificate into the Local Machine 'Trusted Publishers' store
  3. Import the 'GlobalSign ObjectSign CA' and 'GlobalSign Primary Object Publishing CA' certificates into the Local Machine 'Intermediate Certification Authorities'
  4. Force a validation of the certificate chain of the Elby certificate. This step is probably not required under normal circumstances. However if you are using ConfigMgr OSD Task Sequences, you should execute this (to fix some bug??)
  5. Launch the actual installation with the /S (must be uppercase) parameter, like this:
    SetupVirtualCloneDrive5411.exe /S
  6. Remove the previously imported certificates if you want.
This is my final installation script (batch file):

Code:
@echo off
rem ********************************************************
rem Import Certificates into the corresponding store
rem ********************************************************
certutil -enterprise -addstore TrustedPublisher "%~dp0Elaborate Bytes AG.cer" >nul
certutil -enterprise -addstore ca "%~dp0GlobalSign ObjectSign CA.cer" >nul
certutil -enterprise -addstore ca "%~dp0GlobalSign Primary Object Publishing CA.cer" >nul

rem ********************************************************
rem Force Windows to reload Certificates
rem ********************************************************
certutil -enterprise -verify "%~dp0Elaborate Bytes AG.cer"|find /v "dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID"|find "dwErrorStatus = CERT_"
if not errorlevel 1 (
  echo:
  echo The certificate cannot be imported and/or validated correctly.
  echo Aborting setup, because the driver would not install unattendedly.
  exit /b 1
)
echo The required certificates were imported successfully and passed all checks.

rem ********************************************************
rem Run a silent setup and store the return code
rem ********************************************************
echo Launching Silent 'Virtual CloneDrive' Setup...
start /wait "silent Install" "%~dp0SetupVirtualCloneDrive5411.exe" /S
set /A retcode=%errorlevel%
echo   Setup exited with return code %retcode%

rem ********************************************************
rem Remove the previously imported certificates
rem ********************************************************
certutil -enterprise -delstore TrustedPublisher 0100000000010f5c98b8f5 >nul
certutil -enterprise -delstore ca 04000000000108d9612448 >nul
certutil -enterprise -delstore ca 04000000000108d9611cd6 >nul

rem ********************************************************
rem Exit with the return code from the actual Setup
rem ********************************************************
exit /b %retcode%

The script assumes that the three .cer files, the .exe and the above .cmd are in the same folder.

Kind regards,
Br_nar
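
In the batch script above, the abort branch exits before the `-delstore` lines, so the publisher certificate stays trusted if validation fails. The sketch below is an added example, not the poster's script: it pins the exported publisher certificate by thumbprint before trusting it and removes it again on every exit path. It covers the 'Trusted Publishers' import only (not the intermediate certificates or the forced validation step), assumes PowerShell 3.0 or later run elevated, and uses a placeholder thumbprint and an illustrative function name.

```powershell
# Added example, not the poster's script. Names below are illustrative.
# Placeholder: the SHA-1 thumbprint shown on the Details tab of the
# 'Elaborate Bytes AG' certificate you exported and checked by hand.
$PinnedThumbprint = '<THUMBPRINT-OF-VERIFIED-PUBLISHER-CERT>'

function Invoke-WithTemporaryPublisherTrust {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][scriptblock]$Action
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $CerPath

    # Refuse to extend machine-wide trust to anything but the pinned certificate.
    if ($cert.Thumbprint -ne ($Thumbprint -replace '\s', '')) {
        throw "Thumbprint $($cert.Thumbprint) of '$CerPath' does not match the pinned value."
    }

    $store = New-Object -TypeName "$x509.X509Store" -ArgumentList 'TrustedPublisher', 'LocalMachine'
    $store.Open('ReadWrite')
    # Only remove afterwards what this run added.
    $added = -not $store.Certificates.Contains($cert)
    try {
        if ($added) { $store.Add($cert) }
        & $Action
    }
    finally {
        # Runs whether the action succeeded or threw.
        if ($added) { $store.Remove($cert) }
        $store.Close()
    }
}

$exitCode = Invoke-WithTemporaryPublisherTrust `
    -CerPath (Join-Path $PSScriptRoot 'Elaborate Bytes AG.cer') `
    -Thumbprint $PinnedThumbprint `
    -Action {
        $setup = Join-Path $PSScriptRoot 'SetupVirtualCloneDrive5411.exe'
        $proc  = Start-Process -FilePath $setup -ArgumentList '/S' -Wait -PassThru
        $proc.ExitCode
    }
exit $exitCode
```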
 