16 Replies Latest reply: Apr 9, 2012 1:46 PM by saoudi

    VeriSign

    Xposure Interactive Community Member

      Has anyone any experience with VeriSign for Dir11 projectors? I need to sign my projector to get rid of the 'trust' messages that occur on XP sp2 and vista.

       

      I have had no response from VeriSign themselves.

        • 1. Re: VeriSign
          Chunick Community Member

          If signing the projector with the certificate was part of the publishing process, then it could work, but as it stands, there is no entry point in the publishing process to sign the projector. It cannot be done after the publishing process... I went through this when building my RiEditor utility that allows Director developers to replace the icon and file/version information that shows up in Windows when viewing the Details or mousing over in Vista.


          During the publishing process, the projec32.skl file is used (it's really a bare-bones exe that when run on its own looks for an .ini of the same name that contains a list of movies (.dir files) to play). Hence the error:

          ---------------------------
          Director Player Error
          ---------------------------
          Unable to load movie playlist. Does the .INI file exist? It must contain a section '[Movies]' with an entry 'Movie01=Pathname.dir'.

           

          Most processes that modify the projector such as a resource editor, utilities to replace the file/version information, signing certificate sol'ns - rip off the data from the end and leave you with essentially just projec32.skl file again... Director's compilation process does not produce a typical executable.

           

          The .dir you're publishing is compiled and appended to the end of the .skl file and some sort of offset or value is set somewhere telling the resulting .exe where the start of the info is when you double-click the projector to run it. I've looked at the file using a hex editor while building my RiEditor to deduce most of this information because some of what my RiEditor does is allow you to edit a projector, which means it rips off the data that's appended to the skl file (resulting in a perfect copy of the .skl file as mentioned above), writes some info to the .skl such as icon and version info and appends the code/asset data that was previously ripped off (of course, I saved it earlier in the process)...

           

          Anyways, that's probably more insight into how a projector is built than you wanted to know, but that's the real meat of it. I would like to get my hands on a signing certificate and the process to add it to an .exe to see what's going on... maybe I could build another utility that could sign projectors...do you know of any free methods?

          • 2. Re: VeriSign
            Chunick Community Member

            btw, it's interesting and easy to test the whole .skl and .ini error thing:

             

            1. Locate the .skl file which would typically be here: C:\Program Files\Macromedia\Director MX 2004

            2. Make a copy of the .skl file and rename it to myproject.exe

            3. Move the .exe somewhere more convenient like your desktop

            4. Get a .dir file and place it on the desktop too. Let's assume the .dir's name is test.dir

            5. Create a new file and name it myproject.ini

            6. Edit the file with notepad and add this line:

            [Movies]

            Movie01=test.dir

            7. Save the .ini and launch myproject.exe

             

            It will load the test.dir file... This might be how you can get away with signing; with a setup such as this, you sign the myproject.exe... and you just use this stub projector method for all your projects.

            • 3. Re: VeriSign
              Xposure Interactive Community Member


              Thanks for the info Chunick,

               

              Would I have to distribute my program with the .dir files?

               

              How would I include the necessary Xtras?

              • 4. Re: VeriSign
                Chunick Community Member

                I haven't been able to 100% verify the method I mentioned will work to sign your project since the reports I've heard are all second hand and seesaw between you can and you cannot... You will have to add your Xtras in an Xtras folder in the same directory as your project files. Apparently, if you're distributing for mac upper/lower case for the word 'xtras' is important... it's either all upper or all lower case (cannot remember)... other than that, you would use the basic file setup as I've outlined.

                 

                btw, if you give this a go then post here whether you were successful or not in signing the renamed projec32.skl file...

                 

                oh, and if you need to modify the icon in it before signing then you can use my Icon Resource - old version found here: http://collab.directorforum.com/Resource_and_Icon_Editor

                 

                you can try the new version if you also want to change the resource info too, but I haven't tested it on just the .skl file... only a published executable.

                • 5. Re: VeriSign
                  Xposure Interactive Community Member


                  I've created the stub and it seems to work fine. Is there any way round issuing my application with the .dir files?

                  • 6. Re: VeriSign
                    Mike Blaustein Community Member

                    You should be able to save your movies as either dcr or dxr and it should still work.  Theoretically.

                    • 7. Re: VeriSign
                      Chunick Community Member

                      great to hear it worked... could you do me a favour and try renaming your signed file back to projec32.skl, make a copy of the original in the Director folder and then replace the original with your signed projec32.skl and then try to publish a project... I wonder if that will work?

                      • 8. Re: VeriSign
                        Xposure Interactive Community Member

                        Absolutely. I just need to work out how to get it signed without paying someone like VeriSign for something that might not work.

                         

                        I'll post any outcomes here as soon as I get any.

                        • 9. Re: VeriSign
                          Xposure Interactive Community Member

                          Update:

                           

                          I followed http://www.tech-pro.net/code-signing-for-developers.html and created a test certificate, signed the myapp.exe which was formerly the .skl and it runs o.k. I'll test it on some other machines this evening and see if it rids me of the security messages.

                          • 10. Re: VeriSign
                            Xposure Interactive Community Member

                            Update:

                             

                            I renamed the stub exe back to Projec32.skl, put it back into the Dir11 folder and published a new projector. The projector published o.k. but the resulting exe was not signed.

                            • 11. Re: VeriSign
                              Chunick Community Member

                              Re: Update

                               

                              Thanks for the link. I used it, but then ran into a problem with signing so I did some more searching and found another link that also had a great walkthrough for personal signing: http://social.msdn.microsoft.com/forums/en-US/windowssecurity/thread/c5ef1ce3-a77d-4de9-82fb-c64ce1097345/

                               

                              Here are the steps by alexk59 (for anyone searching this in the future):

                               

                              Now I am documenting the complete list of commands and steps required to create and install code signing certificate. It WORKS. I used makecert and other tools included in Vista SDK (makecert.exe has file version 6.0.6000.16384, located in C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\), but I think all steps also should work with the same tools included in Visual Studio 2005.

                              How to create and use code signing certificate on Vista computer (for testing purposes).

                              1.      Create self-signed root certificate (MyRootCA), use “MYPASSWORD1” as a password (you will type it 3 times).

                              makecert -n "CN=MyName Software Root Certificate Authority" -r -a sha1 -sv MyRootCA.pvk MyRootCA.cer -sr LocalMachine -ss MyName -sky signature

                              2.      Create child certificate (MyCodeSigningCA) for code signing, create “MYPASSWORD2” as password for new certificate and when you are asked for Issuer Signature, type “MYPASSWORD1”.

                              makecert -sv MyCodeSigningCA.pvk -iv MyRootCA.pvk -n "CN=MyName Software Code Signing CA" -ic MyRootCA.cer MyCodeSigningCA.cer

                              3.      Create PFX key (use the password “MYPASSWORD2”).

                              pvk2pfx.exe -pvk MyCodeSigningCA.pvk -spc MyCodeSigningCA.cer -pfx MyCodeSigningCA.pfx -po MYPASSWORD2

                              4.      Optional step.

                              cert2spc.exe MyCodeSigningCA.cer MyCodeSigningCA.spc

                              5.      Use your PFX key to sign Test1.exe program.

                              signtool sign /f MyCodeSigningCA.pfx /p MYPASSWORD2 /v /t http://timestamp.verisign.com/scripts/timestamp.dll Test1.exe

                              6.      Install MyRootCA.cer  root certificate on Vista computer to LOCAL MACHINE store using Certificates MMC snap-in:

                               

                              a)      Run MMC.EXE on Vista computer (Start, Start Search, type mmc.exe, press Enter). MMC console window appears.

                              b)      Choose “File”, “Add/Remove Snap-in” menu command,  the list of snap-ins appears, choose Certificates, choose Add command. The “Certificates snap-in” dialog appears, choose [x]”Computer account” radio button.  “Select computer” dialog appears, choose “Local computer”.

                              c)      The “Certificates (Local computer)” snap-in node appears in MMC left window.

                              Select “Certificates (Local computer)”-“Trusted Root Certification Authorities” – “Certificates” node.

                              Choose “All Tasks” – “Import…” context menu command on “Certificates” node.

                              d)      Import your MyRootCA.cer certificate.

                              “MyName Software Root Certificate Authority” will appear in the Trusted Root Certification Authorities certificates list, in “Issued To” and “Issued By” columns.

                              e)      Close MMC.

                               

                              Run Test1.exe. Vista should detect the publisher of this EXE file as “MyName Software Code Signing CA”.

                               

                               

                              So, I found that the signing process added 2794 bytes to my executable. That got me thinking that maybe if I could then cut that amount from the resource part of the .exe (projec32.skl file which is the first 81920 bytes) where it wasn't needed I could have the same sized file. There's some padding at the end of the projec32.skl file for both D10 and D11.5, but not enough. So, I padded it with some more 0 bytes and then threw it back into my Director folder... published again and the published test.exe file worked fine, as I knew it would because the offset to the data that was compiled was calculated properly during publishing. Next, I proceeded to sign a copy of the test.exe file that I renamed test1.exe... then, I signed test1.exe and that process worked, but as expected, it broke the executable and I was getting the message we've all seen... lastly, since the signing process seems to write to the resource part of the exe (the projec32.skl part of the exe) I used D11.5's fileIO and bytearray to seek to position 81920 and cut out the extra 2794 bytes of padding that I had added within the resource. Not only would this have broken the digital signature - which I didn't realize at the time - it seemed to also break the executable to the point that it now was not recognized as a legit win32 executable... of course, it was very late so I probably didn't take some aspect of it into consideration or messed something up with the new bytearray methods since they're a bit unfamiliar... but, in the end, as I've mentioned, it probably will break the signing, even if I can get the exe to work again... So, in the end, the signing process would need to be included by Adobe into the publishing process so that they could change that elusive offset value in order for the exe to not break.
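
The file layout discussed in reply 11, as an added example that is not part of the thread or of any poster's tools: a Python sketch that reports where a PE file's section data ends, what is appended after it, and where a signature blob recorded in the Certificate Table directory sits. The 1024-byte stub standing in for projec32.skl and the movie bytes are constructed, and `append_signature` is a hypothetical helper that only mimics the layout effect of signing (no real signature); nothing here assumes how the Director player locates its data.

```python
import struct

def pe_layout(data: bytes) -> dict:
    """Locate the end of the PE image, any appended data, and the signature blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)
    # Directory 4 is the Certificate Table; its address is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 32) if n_dirs > 4 else (0, 0)
    sec = opt + opt_size
    image_end = sec + 40 * n_sections
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        if raw_size:
            image_end = max(image_end, raw_ptr + raw_size)
    appended_end = cert_off if cert_size else len(data)
    return {"image_end": image_end,
            "appended": (image_end, max(0, appended_end - image_end)),
            "signature": (cert_off, cert_size),
            "bytes_after_appended": len(data) - appended_end}

def build_stub() -> bytes:
    """Constructed 1024-byte PE32 skeleton standing in for projec32.skl."""
    buf = bytearray(1024)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 1)          # i386, one section
    struct.pack_into("<H", buf, 0x94, 224)                # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x98 + 224 + 16, 512, 512)  # raw size, raw pointer
    return bytes(buf)

def append_signature(data: bytes, blob_len: int) -> bytes:
    """Mimic signing's effect on layout: pad to 8 bytes, append a blob, record it."""
    buf = bytearray(data) + bytes(-len(data) % 8)
    pe, = struct.unpack_from("<I", buf, 0x3C)
    struct.pack_into("<II", buf, pe + 24 + 96 + 32, len(buf), blob_len)  # PE32 only
    return bytes(buf) + bytes(blob_len)

MOVIE = bytes(range(256)) * 4                             # constructed "movie" data
if __name__ == "__main__":
    projector = build_stub() + MOVIE
    signed = append_signature(projector, 2794)            # size quoted in the post
    for name, blob in (("published", projector), ("signed", signed)):
        print(name, len(blob), pe_layout(blob))
```

In the signed copy the appended data no longer runs to the end of the file and the header's Certificate Table entry has changed, which are the two side effects the post describes.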

                              • 12. Re: VeriSign
                                Xposure Interactive Community Member

                                Chunick,

                                 

                                Now I am satisfied that I can code sign the stub, I have purchased a certificate from Comodo. I shall confirm that this works when they finish looking into my company and provide me with the certificate.

                                 

                                The test certificate I created doesn't, of course, get rid of the security messages from Vista as the certificate I created is not from Comodo, Verisign or Thawte.

                                • 13. Re: VeriSign
                                  Xposure Interactive Community Member

                                  The codesigning seems to work well however...... I have stumbled on a new problem.

                                   

                                  While testing my stub projector on a new machine I have come across the 'This application requires Shockwave Player 11, which can not be found. Click on OK to download it' application error. With the stub projector does the user need the shockwave player? Is there any way round this?

                                   

                                  BTW this problem occurred on stub projectors signed and unsigned.

                                  • 14. Re: VeriSign
                                    Chunick Community Member

                                    because you're making a stub projector that's running a .dir or protected .dxr file, you need to include the .dll's found in the Director installation folder. Here's the info:

                                     

                                    In D10, the DLL's are:
                                    dirapi.dll
                                    iml32.dll
                                    msvcrt.dll
                                    proj.dll
                                    projctrc.dll
                                    projec32.skl -- of course, you won't need this file.

                                    In D11, there are two additional DLL's:
                                    msvcp71.dll
                                    msvcr71.dll

                                     

                                    That should do the trick.

                                    • 15. Re: VeriSign
                                      Xposure Interactive Community Member

                                      I have codeSigned my .exe but Windows 7 still displays the user account control message 'Do you want to allow the following program to make changes to this computer?'.

                                       

                                      I went to the trouble of buying a certificate from Comodo and codeSigning my application to avoid the trust message in Vista but it appears that (as well as getting rid of autorun.inf for usb delivery) Windows is out to get me and my product.

                                       

                                      Anyone any ideas of how to get rid of this message or anything I may have done wrong?

                                      • 16. Re: VeriSign
                                        saoudi Community Member

                                        just curious, what did you name your .exe?