Problem with digital signature

delphi package - automated exception handling
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Problem with digital signature

Post by Han312 »

If I compile my project without MadExcept then I can sign my executable.
But if I decide to enable MadExcept then I am unable to sign the exe.

Signtool tells me
SignTool Error: SignedCode::Sign returned error: 0x800700C1
%1 ist keine zulassige Win32-Anwendung.
SignTool Error: An error occurred while attempting to sign: test.exe
I tried to sign the file in a Windows 10 VM; it also fails with Windows 7.
Test.exe is a 32-bit application
MadExcept 4.0.14 (same problem with 4.0.13)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with digital signature

Post by madshi »

Weird. Can you please disable madExcept, then recompile, then send me (madshi (at) gmail (dot) com) your EXE file, your MAP file and your MES file? I'll try to reproduce the problem on my PC then.
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

Mail is out.

It looks as if the problem depends on the Delphi version.
The problem appears with Delphi XE8 but not with XE2.
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [xxx]:
552-5.7.0 This message was blocked because its content presents a potential
552-5.7.0 security issue. Please visit
552-5.7.0 https://support.google.com/mail/answer/6590 to review our message
552 5.7.0 content and attachment content guidelines. hu9si32980061wjb.54 - gsmtp
omg
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

I found now what caused this problem.
I will examine it more and then answer here again.
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

I sign most of my exe and dlls using a batch file:
sign.bat test.exe
This is done in many cases by default when I create the files.
I use in the project options the post build events for that (sign.bat is located in the source-folder):

cd "q:\Inno Setup\Source\"
q:
sign.bat "$(OutputPath)"
This works fine - as long as MadExcept is disabled.
If it is enabled then the signing process is never successful.

BUT:
If I empty the post build events then I can sign the application manually later, even when MadExcept was enabled.
On another computer (other software developer) the signing in the post build works fine (with MadExcept enabled)!

So something weird seems to happen in the post build process on my computer.
I tried already to switch off the AV - but it did not help.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with digital signature

Post by madshi »

That's pretty bad. If it's a timing issue then I don't really know how to solve it. Well, I suppose in the batch file you could check the error code, and if signtool fails, maybe wait a couple hundred milliseconds and then simply try again?
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

I tried to add a TimeOut into the batch - but it didn't change anything.
Since I was now testing another (larger) project, I realised that madExcept didn't seem to be added to the exe when the post build batch was active:

size of the exe:
- compiled with post build batch & without madexcept : 16,4 MB
- compiled without post build batch & with madexcept : 17,0 MB
- compiled with post build batch & with madexcept : 16,4 MB

This tells me, that neither the signing nor adding madexcept was successful.

If I change in the post build the 'cancel if error appears' from true to false then I get an error code of 9009 (from post build event)
And this would mean file not found.
Are madExcept and my batch messing each other up?

I replaced the CD and used the full pathname. Now I get a 17,0 MB exe again - but not signed. And the file cannot be signed, as reported in the first post.
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

I was checking now the errorlevel in my batch file.
The signing seems to work - only Madexcept seems to corrupt it afterwards.
The reasons why I think so are
a) in my batch errorlevel 1 of Signtool is false
b) if I exit my batch with an exitcode != 0 (for instance exit /b 123) then my exe is signed and madExcept does not touch the exe anymore. (I get a 16.4 MB file)

Should I send you again the EXE, MAP and MES?
(the exe which was created when I set the exitcode of the batchfile to 123 )
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with digital signature

Post by madshi »

Oh, madExcept patching needs to be applied first. Only afterwards the EXE can be signed. Try disabling madExcept, then add a call to "madExceptPatch" (with appropriate parameters) to your post build event, before you call signtool. That might fix the problem.
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

Disabling madExcept and calling madExceptPatch & signtool manually in the post build is working now.

And only now I found that the problem has already been known for a while:
http://www.delphipraxis.net/177196-sign ... build.html
This could have saved me some time.

What do you mean by appropriate parameters? Only the MES file? Or is there still more?
/dontCheckRtl is mentioned here: viewtopic.php?f=4&t=27532#p48152, but I cannot find more information.

In the help http://help.madshi.net/madExceptFaq.htm you mention the parameter -gd.
Do I have to add it when I compile within the IDE (also when madexcept is disabled)? The MAP file seems to be created all the time.

And do I have to set the compiler directive madExcept if I use madExceptPatch? It will be removed when I disable madExcept.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with digital signature

Post by madshi »

Well, I'm sorry that it took us so long to get to the bottom of this, but your original post complained about signtool throwing out errors, which is completely different from what you've reported now. Because of that I thought it was a different problem than the one in the forum link you now posted.

Anyway, to answer your questions: The name of the EXE file should suffice, if you run the tool with the "current directory" set to your exe folder. Or the EXE file path+name, otherwise. madExceptPatch.exe should then automatically find the mes and map files, if they have the same name and are stored in the same folder. Otherwise you need to provide the names and paths of those files manually.

If you at one point compiled your project in the IDE with madExcept enabled, then madExcept should already have set up all project settings correctly. So no need to worry about that. The "-gd" switch is for using the Delphi command line compiler, which you're not doing.

You will want to do this:

1) Enable madExcept.
2) Compile in the IDE.
3) Add the comment "// dontTouchUses" before the "uses" clause in your dpr file.
4) Now disable madExcept.

The comment will tell madExcept to not change the uses clause at all. That's important so that madExcept etc are not removed from the uses clause when you disable madExcept.

I'm not sure right now if the "// dontTouchUses" clause also stops madExcept from removing the "madExcept" conditional define. Probably not. In that case, if you use that define, you have to either manually define it yourself by using code, or you could add a different project wide define in the project options (e.g. "madExcept2") and then use that instead of "madExcept".

I wish there was a better way doing this, but really it's weird that the IDE calls the post build script before executing the IDE wizards. That seems like the wrong order to me. I don't think there's any way for me to make the IDE swap that order.
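Added example, not part of the original thread and not either poster's actual script: a post-build sign.bat that applies the ordering described above (patch with madExceptPatch first, sign second, then verify). It assumes madExcept is disabled in the IDE, that madExceptPatch.exe and signtool.exe are on PATH, that madExceptPatch accepts the EXE followed by an optional MES path and returns a non-zero exit code on failure, and that the timestamp URL is a placeholder to be replaced.

```bat
@echo off
rem Added example: patch first, sign second, verify last.
rem Usage: sign.bat <exe> [mes]
setlocal

if "%~1"=="" (
    echo usage: sign.bat EXE [MES]
    exit /b 2
)

rem Resolve to full paths so the script does not depend on the current directory.
set "EXE=%~f1"
set "MES="
if not "%~2"=="" set "MES=%~f2"

rem Placeholder timestamp server (assumption): replace with your CA's RFC 3161 URL.
set "TSA=http://timestamp.example.invalid"

if not exist "%EXE%" (
    echo error: "%EXE%" not found
    exit /b 2
)

rem 1) Patch. Any change to the EXE must happen before it is signed,
rem    because modifying a signed file invalidates the signature.
rem    Assumption: madExceptPatch returns non-zero on failure.
if defined MES (
    madExceptPatch.exe "%EXE%" "%MES%"
) else (
    madExceptPatch.exe "%EXE%"
)
if errorlevel 1 (
    echo error: madExceptPatch failed, not signing
    exit /b 1
)

rem 2) Sign the final, fully patched binary.
signtool sign /a /fd SHA256 /tr "%TSA%" /td SHA256 "%EXE%"
if errorlevel 1 (
    echo error: signtool sign failed
    exit /b 1
)

rem 3) Verify, so a broken or missing signature fails the build
rem    instead of reaching users.
signtool verify /pa "%EXE%"
if errorlevel 1 exit /b 1

exit /b 0
```

Call it from the post-build event by its full path, passing the output EXE and, when the MES file is not next to the EXE, the MES path as the second argument.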
Han312
Posts: 54
Joined: Mon Mar 14, 2016 3:49 pm

Re: Problem with digital signature

Post by Han312 »

It's okay. I googled for the problem already for a while and only with the right keyword I found that link.
I think that at the beginning nobody thought that the post build events caused these problems.
I wanted to dual-sign on a Win 8/10 computer and got that error message.

My output folders are not the same as the dpr (I have different output folders for 32- and 64-bit) - so I have to add the MES-file as parameter.
But this also has some advantages - I can now add different MES settings for debug and release mode. Or is there an easier way to enable memory leak reporting only for debug mode?


I don't use the "madExcept" nor the "LeakChecking" conditional defines. I thought they were necessary for madExcept to work. So I don't have to worry whether these conditions are set or not?!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with digital signature

Post by madshi »

You can leave leak reporting enabled at all times. As long as you don't distribute the "madExcept32.dll" file, leak reporting will automatically be disabled on your end users' PCs. That's because all the leak checking code is in that dll. If you want to disable leak reporting on your development PC, too, you'll have no other choice than to recompile it with leak reporting disabled, though, because madExcept is clever enough to find the dll in the madCollection installation folder.

The conditional defines are only there for your comfort, so you can add code which is only used if madExcept is enabled. madExcept itself does not need those defines.