- Glenn Scamman
- PowerBuilder
- Wednesday, 11 October 2023 05:53 PM UTC
Hello,
We utilize PB2021 and deploy our application to our customers using PowerClient. We must code-sign our application to avoid warning messages when a customer downloads our application and to help our application from being flagged by antivirus programs. The PowerClient build process worked fine when we could save the code-signing certificate as a .pfx file, store it on the development machine hard drive and configure the PowerClient project to point to the pfx file, and provide the password to unlock/validate/use the certificate. But with new certificate security standards, our new code-signing certificate is on a hardware security module (HSM), i.e. a fancy USB device, and doesn't allow the certificate to be exported to a .pfx file.
I was hoping I could create a code signing script for the "Use your own signing script" option of the PowerClient project, but I've tried many different versions, and none work. No helpful error messages are provided, but my guess is the issue is one or all of these.
- 1. it can't utilize a prompt to enter the certificate password.
- 2. signtool doesn't allow you to script in the password unless you are telling it the cert is in a .pfx file
- 3. The executable to sign doesn't have the proper path (the build process doesn't ever show you where the executable is created before it is then sucked into the installer exe or zip file.
The normal suggested workaround for signing issues is to just sign the executable after the build process is complete. But with PowerClient, this is very tricky and might not even be possible? The project either produces an installer exe, or a zip file where the executable is inside the archive, but itself has a .zip extension and cannot be extracted. Some sort of encryption? It does this even if you configure the project to not encrypt the p-code files. All the files on the webserver after running the installer are typically compressed and encrypted.
Is it possible to get a version of the application executable in a non-compressed, non-encrypted form so that it can be signed (from the command line, which does work), and then moved back out to the deployment server, presumably after having to encrypt or compress again?
Hoping there is a solution to this critical issue.
Thanks, Glenn
Find Questions by Tag
Helpful?
If a reply or comment is helpful for you, please don’t hesitate to click the Helpful button. This action is further confirmation of their invaluable contribution to the Appeon Community.