
Problem with digital signature

Posted: Tue Mar 29, 2016 7:14 am
by Han312
If I compile my project without MadExcept then I can sign my executable.
But if I decide to enable MadExcept then I am unable to sign the exe.

Signtool tells me
SignTool Error: SignedCode::Sign returned error: 0x800700C1
%1 ist keine zulassige Win32-Anwendung.
SignTool Error: An error occurred while attempting to sign: test.exe
I tried to sign the file in a Windows 10 VM; it also fails with Windows 7.
Test.exe is a 32-bit application
MadExcept 4.0.14 (same problem with 4.0.13)

Re: Problem with digital signature

Posted: Tue Mar 29, 2016 7:50 am
by madshi
Weird. Can you please disable madExcept, then recompile, then send me (madshi (at) gmail (dot) com) your EXE file, your MAP file and your MES file? I'll try to reproduce the problem on my PC then.

Re: Problem with digital signature

Posted: Tue Mar 29, 2016 8:36 am
by Han312
Mail is out.

It looks as though the problem depends on the Delphi version.
The problem appears with Delphi XE8 but not with XE2.

Re: Problem with digital signature

Posted: Tue Mar 29, 2016 8:37 am
by Han312
SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [xxx]:
552-5.7.0 This message was blocked because its content presents a potential
552-5.7.0 security issue. Please visit
552-5.7.0 https://support.google.com/mail/answer/6590 to review our message
552 5.7.0 content and attachment content guidelines. hu9si32980061wjb.54 - gsmtp
omg

Re: Problem with digital signature

Posted: Tue Mar 29, 2016 9:37 am
by Han312
I found now what caused this problem.
I will examine it more and then answer here again.

Re: Problem with digital signature

Posted: Tue Mar 29, 2016 10:15 am
by Han312
I sign most of my exe and dlls using a batch file:
sign.bat test.exe
This is done in many cases by default when I create the files.
I use in the project options the post build events for that (sign.bat is located in the source-folder):

cd "q:\Inno Setup\Source\"
q:
sign.bat "$(OutputPath)"
This works fine - as long as MadExcept is disabled.
If it is enabled then the signing process is never successful.

BUT:
If I empty the post build events then I can sign the application manually later, even when MadExcept was enabled.
On another computer (other software developer) the signing in the post build works fine (with MadExcept enabled)!

So something weird seems to happen in the post build process on my computer.
I tried already to switch off the AV - but it did not help.

Re: Problem with digital signature

Posted: Fri Apr 01, 2016 11:52 pm
by madshi
That's pretty bad. If it's a timing issue then I don't really know how to solve it. Well, I suppose in the batch file you could check the error code, and if signtool fails, maybe wait a couple hundred milliseconds and then simply try again?

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 7:36 am
by Han312
I tried to add a TimeOut into the batch - but it didn't change anything.
Since I was now testing another (larger) project, I realised that madexcept didn't seem to be added to the exe when the post build batch was active:

size of the exe:
- compiled with post build batch & without madexcept : 16,4 MB
- compiled without post build batch & with madexcept : 17,0 MB
- compiled with post build batch & with madexcept : 16,4 MB

This tells me, that neither the signing nor adding madexcept was successful.

If I change in the post build the 'cancel if error appears' from true to false then I get an error code of 9009 (from post build event)
And this would mean file not found.
Are madexcept & my batch messing each other up?

I replaced the CD and used the full pathname. Now I get a 17,0 MB exe again - but not signed. And the file cannot be signed, as reported in the first post.

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 8:41 am
by Han312
I was checking now the errorlevel in my batch file.
The signing seems to work - only Madexcept seems to corrupt it afterwards.
The reasons why I think so are
a) in my batch errorlevel 1 of Signtool is false
b) if I exit my batch with an exitcode != 0 (for instance exit /b 123) then my exe is signed and madexcept does not touch the exe anymore. (I get a 16.4 MB file)

Should I send you again the EXE, MAP and MES?
(the exe which was created when I set the exitcode of the batchfile to 123 )

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 10:23 am
by madshi
Oh, madExcept patching needs to be applied first. Only afterwards the EXE can be signed. Try disabling madExcept, then add a call to "madExceptPatch" (with appropriate parameters) to your post build event, before you call signtool. That might fix the problem.

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 10:54 am
by Han312
Disabling madExcept and calling madExceptPatch & signtool manually in the post build is working now.

And only now I found that the problem has already been known for a while:
http://www.delphipraxis.net/177196-sign ... build.html
This could have saved me some time.

What do you mean by appropriate parameters? Only the MES-file? Or is there still more?
/dontCheckRtl is mentioned here viewtopic.php?f=4&t=27532#p48152 but I cannot find more information.

In the help http://help.madshi.net/madExceptFaq.htm you mention the parameter -gd.
Do I have to add it when I compile within the IDE (also when madexcept is disabled)? The MAP file seems to be created all the time.

And do I have to set the compiler directives madExcept if I use madExceptPatch? It will be removed when I disable madExcept.

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 12:13 pm
by madshi
Well, I'm sorry that it took us so long to get to the bottom of this, but your original post complained about signtool throwing out errors, which is completely different from what you've reported now. Because of that I thought it was a different problem than the one in the forum link you now posted.

Anyway, to answer your questions: The name of the EXE file should suffice, if you run the tool with the "current directory" set to your exe folder. Or the EXE file path+name, otherwise. madExceptPatch.exe should then automatically find the mes and map files, if they have the same name and are stored in the same folder. Otherwise you need to provide the names and paths of those files manually.

If you at one point compiled your project in the IDE with madExcept enabled, then madExcept should already have set up all project settings correctly. So no need to worry about that. The "-gd" switch is for using the Delphi command line compiler, which you're not doing.

You will want to do this:

1) Enable madExcept.
2) Compile in the IDE.
3) Add the comment "// dontTouchUses" before the "uses" clause in your dpr file.
4) Now disable madExcept.

The comment will tell madExcept to not change the uses clause at all. That's important so that madExcept etc are not removed from the uses clause when you disable madExcept.

I'm not sure right now if the "// dontTouchUses" clause also stops madExcept from removing the "madExcept" conditional define. Probably not. In that case, if you use that define, you have to either manually define it yourself by using code, or you could add a different project wide define in the project options (e.g. "madExcept2") and then use that instead of "madExcept".

I wish there was a better way doing this, but really it's weird that the IDE calls the post build script before executing the IDE wizards. That seems like the wrong order to me. I don't think there's any way for me to make the IDE swap that order.
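
The order described in the post above (patch first, sign afterwards), as an added example post-build batch file that is not part of the original thread and is not madshi's or Han312's code. It assumes madExcept is disabled in the project options as described, that madExceptPatch.exe and signtool.exe are on the PATH, that madExceptPatch accepts the EXE and MES paths in that order, and that it returns a non-zero exit code on failure.

```batch
@echo off
rem Added example, not code from the thread. Post-build usage:
rem   sign.bat "<exe>" "<mes>"
rem Assumptions: madExceptPatch.exe and signtool.exe are on PATH,
rem madExceptPatch takes "<exe> <mes>" in that order and returns a
rem non-zero exit code on failure, and the MAP file lies next to the EXE.
setlocal

rem %~f1 expands to a full path, so the script does not depend on the
rem current directory of the IDE's post-build shell.
set "EXE=%~f1"
set "MES=%~f2"

if not exist "%EXE%" (
    echo EXE not found: "%EXE%"
    exit /b 2
)
if not exist "%MES%" (
    echo MES not found: "%MES%"
    exit /b 2
)

rem 1) Patch first: any write to the EXE after signing invalidates
rem    the Authenticode signature.
madExceptPatch.exe "%EXE%" "%MES%"
if errorlevel 1 (
    echo madExceptPatch failed
    exit /b 3
)

rem 2) Sign the patched file. /a picks a suitable certificate from the
rem    store, /fd sets the file digest algorithm.
signtool.exe sign /a /fd SHA256 "%EXE%"
if errorlevel 1 (
    echo signtool sign failed
    exit /b 4
)

rem 3) Verify against the Authenticode policy so that a broken
rem    signature fails the build instead of shipping.
signtool.exe verify /pa "%EXE%"
if errorlevel 1 (
    echo signature verification failed
    exit /b 5
)

exit /b 0
```

Each step returns its own exit code, so the post-build event shows which stage failed rather than a single generic error.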

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 12:37 pm
by Han312
It's okay. I googled for the problem already for a while and only with the right keyword I found that link.
I think that at the beginning nobody thought that the post build events caused these problems.
I wanted to dual-sign on a Win 8/10 computer and got that error message.

My output folders are not the same as the dpr (I have different output folders for 32- and 64-bit) - so I have to add the MES-file as parameter.
But this has also some advantages - I can add now different MES-settings for debug and release mode. Or is there an easier way to enable memory leak reporting only for debug mode?


I don't use the "madExcept" nor the "LeakChecking" conditional defines. I thought they were necessary for madexcept to work. So I don't have to worry whether these conditions are set or not?!

Re: Problem with digital signature

Posted: Wed Apr 06, 2016 1:00 pm
by madshi
You can leave leak reporting enabled at all times. As long as you don't distribute the "madExcept32.dll" file, leak reporting will automatically be disabled on your end users' PCs. That's because all the leak checking code is in that dll. If you want to disable leak reporting on your development PC, too, you'll have no other choice than to recompile it with leak reporting disabled, though, because madExcept is clever enough to find the dll in the madCollection installation folder.

The conditional defines are only there for your comfort, so you can add code which is only used if madExcept is enabled. madExcept itself does not need those defines.