Can't execute a specific program via PHP to digitally sign a file
I'm using IIS 6.0 and PHP and I'm trying to write a PHP script that automates a process to 1) create an installer and 2) digitally sign the installer. I've created a batch file that does each individually. If I go to the server and manually run the batch files, both work perfectly. If I run them via PHP, only the installer is created, but it is never digitally signed. I have confirmed that:
- All files referenced in the batch files have full rights for the IUSR_[COMPUTER-NAME] user.
- It is not an issue with the file not being fully created yet by the first batch file. I can put the already created Setup.exe file in the folder and run only the second batch file via PHP with the same results.
- The batch file is actually getting run. I've put a MKDIR command in the same batch file after the digital signing command and the folder is created.
The code I use via PHP to run the batch files is:
system('cmd /c C:\\Inetpub\\createInstallers\\step1.bat');
The create installer batch file looks like this:
"C:\Program Files\Inno Setup 5\ISCC.exe" C:\Inetpub\createInstallers\createInstaller.iss
I'm using Inno Setup to do this found here: http://www.jrsoftware.org/isinfo.php
The digital signing batch file looks like this:
"C:\Inetpub\createInstallers\DigiCertUtil.exe" sign /noInput "C:\Inetpub\createInstallers\Setup.exe"
This is done with DigiCertUtil.exe's command line feature explained here:
https://www.digicert.com/util/utility-code-signing-command-line.htm
As far as I can tell, absolutely nothing happens. I don't believe there are any error messages (but I am a little fuzzy on how to check for them). NULL is returned if I run the digital sign command via shell_exec like this:
$result = shell_exec('"C:\\Inetpub\\createInstallers\\DigiCertUtil.exe" sign /noInput "C:\\Inetpub\\createInstallers\\Setup.exe"');
var_dump($result);
Does anyone have any idea why this might not be working? Could this be some permissions issue or security limitation?
Answer
Solution:
I found the underlying problem and the answer. The problem was that the certificates are imported into the user's personal store on a per-user basis, so when I tried to run the DigiCertUtil program via PHP, it could not find the certificates because the IUSR did not have a personal store with the certificate to use. IUSR is a temporary user and thus does not have a personal store. There might be a way to put the certificate into the machine's store, but I could not find it.
Instead, I used PSExec to run the program locally but with a different user than the IUSR account, like this:
No batch files required! It would be just as easy to run a batch file as a different user though with this same methodology.
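The question asks how to see error messages from the signing step, and the answer shows that the real cause was the account PHP runs as (a per-user certificate store is only visible to that account). The following PHP script is an added example, not code from the question or the answer: it records which Windows account the request runs under, checks that the tool and the installer exist, runs the DigiCertUtil command from the question through proc_open so that the exit code, stdout and stderr are all captured, and refuses to continue when signing does not report success. The paths are the ones given in the question; runCaptured is a helper name chosen here, and whoami.exe is assumed to be available on the server.

```php
<?php
// Added example (not from the question or answer): run the signing step from PHP
// with its exit code, stdout and stderr captured, and log the Windows account PHP
// is running as, because a per-user certificate store is only visible to that account.

function runCaptured(string $command): array
{
    $spec = [
        0 => ['pipe', 'r'],   // stdin (closed immediately)
        1 => ['pipe', 'w'],   // stdout
        2 => ['pipe', 'w'],   // stderr (shell_exec() never returns this)
    ];
    $proc = proc_open($command, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);
    return ['exit' => $exit, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Paths taken from the question; adjust to the real layout.
$tool   = 'C:\\Inetpub\\createInstallers\\DigiCertUtil.exe';
$target = 'C:\\Inetpub\\createInstallers\\Setup.exe';

// 1. Which account is this request running under? With anonymous access on
//    IIS 6 this is typically IUSR_<COMPUTER-NAME>, which has no personal store.
$who = runCaptured('whoami');
error_log('signing step runs as: ' . trim($who['stdout']));

// 2. Fail early if the tool or the installer is missing, so a path or quoting
//    mistake does not look like a silent signing failure.
foreach ([$tool, $target] as $path) {
    if (!is_file($path)) {
        error_log("missing file: $path");
        exit(1);
    }
}

// 3. Run the signing tool and surface everything it reports.
$cmd = sprintf('"%s" sign /noInput "%s"', $tool, $target);
$res = runCaptured($cmd);
error_log(sprintf(
    'sign exit=%d stdout=%s stderr=%s',
    $res['exit'],
    trim($res['stdout']),
    trim($res['stderr'])
));

// 4. A non-zero exit is a hard failure: an unsigned Setup.exe must never be
//    published as if it had been signed.
if ($res['exit'] !== 0) {
    exit(1);
}
```

On Windows, PHP hands the command to cmd /c, which can strip a leading double quote from the command line; if the tool is not found even though the path check passed, wrap the entire command string in one more pair of quotes. Whatever the exit code says, the artifact that should be archived with the build is the signing tool's own output for that run, so that an unsigned installer leaving the build server is detectable from the log rather than from a customer report.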