Can't execute a specific program via PHP to digitally sign a file
I'm using IIS 6.0 and PHP, and I'm trying to write a PHP script that automates a process: 1) create an installer, and 2) digitally sign the installer. I've created a batch file for each individually. If I go to the server and manually run the batch files, both work perfectly. If I run them via PHP, the installer is created but never digitally signed. I have confirmed that:
- All files referenced in the batch files have full rights for the IUSR_[computer-name] user.
- It is not an issue of the file not being created yet by the first batch file. I can put the created setup.exe file in the folder and run the second batch file via PHP with the same results.
- The batch file is getting run. I've put a mkdir command in the same batch file after the digital signing command, and the folder is created.
The code I use via PHP to run the batch files is:
system('cmd /c c:\\inetpub\\createinstallers\\step1.bat');
The create-installer batch file looks like this:
"c:\program files\inno setup 5\iscc.exe" c:\inetpub\createinstallers\createinstaller.iss
I'm using Inno Setup, found here: http://www.jrsoftware.org/isinfo.php
The digital signing batch file looks like this:
"c:\inetpub\createinstallers\digicertutil.exe" sign /noinput "c:\inetpub\createinstallers\setup.exe"
This is done with DigiCertUtil.exe's command-line feature, explained here:
https://www.digicert.com/util/utility-code-signing-command-line.htm
As far as I can tell, absolutely nothing happens. I don't believe there are any error messages (but I'm a little fuzzy on how to check them). NULL is returned if I run the digital sign command via shell_exec like this:
$result = shell_exec('"c:\\inetpub\\createinstaller\\digicertutil.exe" sign /noinput "c:\\inetpub\\createinstaller\\setup.exe"');
var_dump($result);
Does anyone have an idea why this might not be working? Is it a permissions issue or a security limitation?
I found the underlying problem and an answer. The problem is that certificates are imported into a user's personal store on a per-user basis, so when I tried to run the DigiCertUtil program via PHP, it could not find the certificates because IUSR did not have a personal store certificate to use. IUSR is a temporary user and does not have a personal store. There might be a way to put the certificate in the machine's store, but I could not find it.
Instead, I used PsExec to run the program locally as a different user than the IUSR account, like this:
shell_exec('c:\\inetpub\\createinstallers\\psexec \\\\127.0.0.1 -accepteula -u myuser -p mypassword -i cmd.exe /c c:\\inetpub\\createinstallers\\digicertutil.exe sign /noinput c:\\inetpub\\createinstallers\\setup.exe');
No batch files required! It is easy to run a batch file as a different user, though, using the same methodology.
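The question mentions not knowing how to check for error messages, and the answer traces the failure to the account PHP runs as and its certificate store. The following is an added example, not code from the original post: it records the identity, both certificate stores and the signing command's output and exit code on the server. The helper name `run_captured` is hypothetical, and it assumes `whoami` and `certutil` are available on the server.

```php
<?php
// Added example: hypothetical helper, not from the original post.

// Run a command as the web server identity and keep what shell_exec() hides:
// stderr (merged into stdout here) and the process exit code.
function run_captured($cmd)
{
    $lines = array();
    $exit  = -1;
    exec($cmd . ' 2>&1', $lines, $exit);
    return array(
        'cmd'    => $cmd,
        'exit'   => $exit,
        'output' => implode("\n", $lines),
    );
}

// Directory used in the post; it contains no spaces, so no quoting is needed.
$dir = 'c:\\inetpub\\createinstallers';

$checks = array(
    // Which account does PHP actually run as under IIS?
    'identity'      => 'whoami',
    // Certificates in that account's personal ("My") store.
    'user store'    => 'certutil -user -store My',
    // Certificates in the local machine's personal store, for comparison.
    'machine store' => 'certutil -store My',
    // The signing command from the post, now with output and exit code kept.
    'sign'          => $dir . '\\digicertutil.exe sign /noinput ' . $dir . '\\setup.exe',
);

foreach ($checks as $label => $cmd) {
    $r = run_captured($cmd);
    // Write to the server-side log only; certificate listings and tool
    // output should not be echoed back to web clients.
    error_log(sprintf("[%s] exit=%d cmd=%s\n%s",
        $label, $r['exit'], $r['cmd'], $r['output']));
}
```

If the code-signing certificate shows up only when the same `certutil -user -store My` command is run from an interactive logon, the web identity cannot see it, which matches the cause described in the answer.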