Signing (signcode-tf) failed on Windows 7 when multiple hash algorithms are used #581

Closed
djpereira opened this issue Jul 13, 2016 · 10 comments · May be fixed by qcif/data-curator#563

@djpereira
Contributor

When I try to run build -w under Windows 7, the signcode-tf library fails as you can see below.
Everything works well on Windows 10, which I know calls electron-builder\node_modules\signcode-tf\vendor\windows-10\signtool.exe instead of the signtool.exe under windows-6.

@develar, I know this is more a signcode-tf issue, but when I go to https://www.npmjs.com/package/signcode-tf, it points me to what I believe is the wrong (maybe before fork) source code (https://github.com/kevinsawicki/signcode), so I am a bit confused, again, maybe I'm doing something wrong.

electron-builder v5.12.1
target: Windows.

I uncommented the console.log line so I could see what was happening.

spawning C:\myfolder\node_modules\electron-builder\node_modules\signcode-tf\vendor\windows-6\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f build/win.p12 /d My App /du https://www.myurl.com/ /p PASSWORD C:\myfolder\dist\win-unpacked\My App.exe

spawning C:\myfolder\node_modules\electron-builder\node_modules\signcode-tf\vendor\windows-6\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f build/win.p12 /fd sha256 /td sha256 /d My App /du https://www.myurl.com/ /as /p PASSWORD C:\myfolder\dist\win-unpacked\My App.exe

Error: Signing failed with 1. SignTool Error: A required function is not present.
        This error likely means that you are running SignTool on an OS that
        does not support the options you've specified.

    at Error (native)
    at ChildProcess.<anonymous> (C:\myfolder\node_modules\electron-builder\node_modules\signcode-tf\index.js:155:16)
    at emitTwo (events.js:87:13)
    at ChildProcess.emit (events.js:172:7)
    at maybeClose (internal/child_process.js:827:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:211:5)
From previous event:
    at WinPackager.<anonymous> (C:\myfolderop.dev\node_modules\electron-builder\src\winPackager.ts:132:43)
    at next (native)
From previous event:
    at tsAwaiter (C:\myfolderop.dev\node_modules\electron-builder\src\util\awaiter.ts:10:47)
    at Object.build (C:\myfolderop.dev\node_modules\electron-builder\src\builder.ts:190:52)
    at Object.<anonymous> (C:\myfolderop.dev\node_modules\electron-builder\src\build-cli.ts:27:28)
    at Module._compile (module.js:409:26)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Function.Module.runMain (module.js:441:10)
    at startup (node.js:139:18)
    at node.js:968:3
@develar
Member

develar commented Jul 13, 2016

I am the maintainer of signcode-tf, so this is the right place to report the bug.

It seems Windows 7 is not supported for signing — I will check it. Is there any valid reason to use an outdated Windows version to sign? Maybe you can migrate to Win 10 (or Win 8)? (Just asking.)

@develar
Member

develar commented Jul 13, 2016

Source code of this tool — https://github.com/develar/signcode

@djpereira
Contributor Author

@develar thanks for your quick response. Our build servers are currently using Windows 7, but I can look into upgrading them. Windows 7 extended support ends on January 14, 2020, so I'd expect a lot of corporate users to still run on Windows 7 for a while. Thanks for the link to the source code, I will take a look at it too. Please let me know your findings.

@develar
Member

develar commented Jul 13, 2016

OK, I will fix it tomorrow. We support Windows Server 2008 R2, so Windows 7 SP1 should also be supported.

@djpereira
Contributor Author

djpereira commented Jul 13, 2016

@develar this particular issue occurs in Windows 7 when you try to use the /as option with Signtool.exe that lives under the windows-6 folder. In other words, when you are trying to sign using more than one algorithm, which is the default behavior.

By the way, I think you can get away with just using the signtool.exe that you have in the windows 10 directory on all versions of Windows, including Windows 7. However, there's still another issue (see #584).

@djpereira changed the title from "Signing (signcode-tf) failed on Windows 7" to "Signing (signcode-tf) failed on Windows 7 when multiple hash algorithms are used" on Jul 13, 2016
@develar
Member

develar commented Jul 14, 2016

Fix/resolution postponed — don't expect a fix today. (As this is an open source project, I can work on it only one hour in the morning :))

@djpereira
Contributor Author

@develar I can work on it and send you a PR if you are fine with it.
I propose that if signcode-tf is asked to sign using SHA256 or multiple algorithms when the OS is Windows 7, then we display a warning and fall back automatically to just SHA1.
Does that sound good?

@develar
Member

develar commented Jul 14, 2016

> Does that sound good?

No, I don't believe that dual code signing is not possible on Windows 7. A solution should be found. Or Win 7 rejected.

@djpereira
Contributor Author

djpereira commented Jul 14, 2016

@develar I understand.

I read this from https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx:

Windows Server 2008 R2 and Windows 7:

If you are using the WinVerifyTrust function to verify multiple embedded signatures or support strong cryptography policy, you must include the following files:
Microsoft.Windows.Build.Signing.wintrust.dll.manifest
Wintrust.dll (downlevel version)

If you want to perform dual signing and make SHA256 catalogs, you must include those files and the following additional files:
Makecat.exe
Makecat.exe.manifest
Microsoft.Windows.Build.Signing.mssign32.dll.manifest
Mssign32.dll (downlevel version)
Signtool.exe
Signtool.exe.manifest

I am going to give it a try and let you know.

@djpereira
Contributor Author

djpereira commented Jul 14, 2016

I tried the procedure above, using the files from C:\Program Files (x86)\Windows Kits\8.1\bin\x86, and it worked, for SHA256-only and also for dual signing SHA1/SHA256.

@develar please check develar/signcode#3 for a fix.
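
The failure reported in this thread, and the `/p` password that the logged command lines expose, as an added example that is not part of the thread or of signcode-tf: it rebuilds the two signtool argument lists from the log, stops the `/as` call when the windows-6 binary is selected, and masks the `/p` value before logging. The option names, the `preflight` and `redact` helpers, and the sample paths and password are assumptions.

```javascript
// Added example, not signcode-tf code. Flags and timestamp URLs are the ones
// in the log above; option names and sample values are constructed.
const TIMESTAMP = {
  sha1: ['/t', 'http://timestamp.verisign.com/scripts/timstamp.dll'],
  sha256: ['/tr', 'http://timestamp.comodoca.com/rfc3161'],
};

// One signtool argument list per hash; every signature after the first is
// appended with /as instead of replacing the existing one.
function buildSignCommands(opts) {
  return opts.hashes.map((hash, i) => {
    const args = ['sign', ...TIMESTAMP[hash], '/f', opts.cert];
    if (hash === 'sha256') args.push('/fd', 'sha256', '/td', 'sha256');
    args.push('/d', opts.name, '/du', opts.site);
    if (i > 0) args.push('/as');
    args.push('/p', opts.password, opts.file);
    return args;
  });
}

// Fail before spawning: per the thread, /as is what the windows-6 signtool
// rejects with "A required function is not present".
function preflight(vendorDir, args) {
  if (vendorDir === 'windows-6' && args.includes('/as')) {
    return 'windows-6 signtool cannot append a signature (/as)';
  }
  return null;
}

// Copy of args that is safe to log: the value after /p is masked.
function redact(args) {
  return args.map((a, i) => (i > 0 && args[i - 1] === '/p' ? '***' : a));
}

const sample = { // constructed sample input
  hashes: ['sha1', 'sha256'],
  cert: 'build/win.p12',
  name: 'My App',
  site: 'https://www.myurl.com/',
  password: 'example-only',
  file: 'dist\\win-unpacked\\My App.exe',
};

for (const args of buildSignCommands(sample)) {
  const problem = preflight('windows-6', args);
  console.log(problem ? `not spawned (${problem}):` : 'spawning signtool.exe', redact(args).join(' '));
}
```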
