Can't execute a specific program via PHP to digitally sign a file


I'm using IIS 6.0 and PHP and I'm trying to write a PHP script that automates a process to 1) create an installer and 2) digitally sign the installer. I've created a batch file that does each individually. If I go to the server and manually run the batch files, both work perfectly. If I run them via PHP, only the installer is created but it is never digitally signed. I have confirmed that:

  1. All files referenced in the batch files have full rights for the IUSR_[COMPUTER-NAME] user.
  2. It is not an issue with the file not being fully created yet by the first batch file. I can put the already created Setup.exe file in the folder and run only the second batch file via PHP with the same results.
  3. The batch file is actually getting run. I've put a MKDIR command in the same batch file after the digital signing command and the folder is created.

The code I use via PHP to run the batch files is:

    system('cmd /c C:\\Inetpub\\createInstallers\\step1.bat');

The create installer batch file looks like this:

    "C:\Program Files\Inno Setup 5\ISCC.exe" C:\Inetpub\createInstallers\createInstaller.iss

I'm using Inno Setup to do this found here: http://www.jrsoftware.org/isinfo.php

The digital signing batch file looks like this:

    "C:\Inetpub\createInstallers\DigiCertUtil.exe" sign /noInput "C:\Inetpub\createInstallers\Setup.exe"

This is done with DigiCertUtil.exe's command line feature explained here:

https://www.digicert.com/util/utility-code-signing-command-line.htm

As far as I can tell, absolutely nothing happens. I don't believe there are any error messages (but I am a little fuzzy on how to check for them). NULL is returned if I run the digital sign command via shell_exec like this:

    $result = shell_exec('"C:\\Inetpub\\createInstaller\\DigiCertUtil.exe" sign /noInput "C:\\Inetpub\\createInstaller\\Setup.exe"');
    var_dump($result);

Does anyone have any idea why this might not be working? Could this be some permissions issue or security limitation?


Answer

Solution:

I found the underlying problem and the answer. The problem was that the certificates are imported in the user's personal store on a per-user basis, so when I tried to run the DigiCertUtil program via PHP, it could not find the certificates because the IUSR did not have a personal store with the certificate to use. IUSR is a temporary user and thus does not have a personal store. There might be a way to put the certificate into the machine's store, but I could not find it.

Instead, I used PSExec to run the program locally but with a different user than the IUSR account, like this:

    shell_exec('C:\\Inetpub\\createInstallers\\psexec \\\\127.0.0.1 -accepteula -u myUser -p myPassword -i cmd.exe /c C:\\Inetpub\\createInstallers\\DigiCertUtil.exe sign /noInput C:\\Inetpub\\createInstallers\\Setup.exe');

No batch files required! It would be just as easy to run a batch file as a different user though with this same methodology.
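
The question mentions not knowing how to check for error messages, and the answer traces the failure to the account PHP runs under. The following diagnostic sketch is an added example, not code from the original post: it reports which account the PHP process is running as and captures the exit code, stdout and stderr of the signing command. The helper name `run_captured` is hypothetical, and what DigiCertUtil writes or returns on failure is not documented on this page, so the script only displays whatever comes back.

```php
<?php
// Added diagnostic example (not from the original post).
// Runs a command without going through cmd.exe and returns its
// exit code, stdout and stderr so that a silent failure becomes visible.
function run_captured($command)
{
    $errFile = tempnam(sys_get_temp_dir(), 'err');
    $spec = array(
        0 => array('pipe', 'r'),
        1 => array('pipe', 'w'),
        // stderr goes to a file so a full stderr pipe cannot block the stdout read
        2 => array('file', $errFile, 'w'),
    );
    // bypass_shell (Windows only) hands the command line to the OS directly,
    // which avoids cmd.exe's handling of quoted paths.
    $proc = proc_open($command, $spec, $pipes, null, null, array('bypass_shell' => true));
    if (!is_resource($proc)) {
        @unlink($errFile);
        return array('exit' => null, 'stdout' => '', 'stderr' => 'proc_open failed');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);          // exit code of the child process
    $stderr = file_get_contents($errFile);
    unlink($errFile);
    return array('exit' => $exit, 'stdout' => trim($stdout), 'stderr' => trim($stderr));
}

// Paths as given in the question.
$dir = 'C:\\Inetpub\\createInstallers';

// 1. Which identity is the web server really using for this request?
//    (get_current_user() reports the script owner, not the process account.)
$who = run_captured('whoami');
echo 'Running as:  ' . $who['stdout'] . "\n";
echo 'USERPROFILE: ' . var_export(getenv('USERPROFILE'), true) . "\n";

// 2. Run the signing command and show everything it reported.
$sign = run_captured('"' . $dir . '\\DigiCertUtil.exe" sign /noInput "' . $dir . '\\Setup.exe"');
echo 'Exit code:   ' . var_export($sign['exit'], true) . "\n";
echo 'stdout:      ' . $sign['stdout'] . "\n";
echo 'stderr:      ' . $sign['stderr'] . "\n";
```

If the account printed by the first check is not the one that imported the certificate, the signing tool is looking in a different personal store, which matches the cause described in the answer.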
