Signtool returns error 0x800700C1 while trying to sign AutoCAD OEM 2023 setup.exe

I have been building AutoCAD OEM based applications for years now. Just recently, I stumbled upon some freak error I have not been able to resolve.

With the AutoCAD OEM platform, the Installer Wizard creates the installer for the (gargantuan) application. The application installer is started (of course) with calling the setup.exe.

With the last AutoCAD OEM versions up until AutoCAD OEM 2022, the signing of the setup.exe has been no problem at all.

Now, with the current AutoCAD OEM 2023 version, I experience that the signing of the setup.exe does not work anymore. When trying to sign the setup.exe, the error 0x800700C1 returns. This is a very generic error message, and googling after this does not bring any helpfull results.

Before signing the setup.exe, I always use the delcert tool (delcert-sign-strip-tool), which always works as intended.

When using this on the current setup.exe, delcert returns an error message:

It seems that delcert succeeded, but when trying to sign the file again, it fails again with the same error message:

Looking with dumpbin on the headers, I noticed that the setup.exe for AutoCAD OEM 2023 is a x64 file:

Whereas the previous versions setup.exe has been an x86 file:

This seems to be a random correlation but may be the source of this problem.

Has anybody experienced a similar problem (not neccessarily in the AutoCAD ecosystem)?

Thanks, Jens

Jens,
I once had a similar issue with that error that even “delcert” did not work on and I ended up using a tool called “CFF Explorer” that is available on Github to find a bad security directory and remove it. I also had to use it on OEM 2022 to isolate an issue with the Security Directory and remove it to sign files. Here is a screenshot of the tool and the area that was bad in OEM 2022:

I do not yet have OEM 2023 to check but it will give you a visual into the exe to see if there is something that stands out.

Hello Shawn,

thanks for your reply.

I just looked at the OEM2023 setup.exe with the CFF Explorer, but there is no obvious error displayed or visible. Even if there would have been, it would just have been an interesting data point. We have a fully automated build pipeline, and having to manually edit the setup.exe with a tool is just breaking the pipeline.

I am hoping for the guys at Autodesk to come up with an solution for this.

Cheers,
-Jens

Jens,
Completely understand.
We will be moving to and updating our automated build process for OEM 2023 in the next month. We will be sure to keep this in mind in case we run into it. If we discover anything helpful we will be sure to pass it on. If you discover anything before that that may help let us know.
Thanks,
Shawn

Jens,
We were able to automate our workflow around this issue in OEM 2023 until they come up with a solution.
We did the following:

1. After the OEM Install Wizard was complete we removed the “Security Directory RVA” from the Setup.exe using CFF Explorer. You can refer to our previous comment and picture above to show the area.
2. We then were able to sign the Setup.exe
3. Rather than doing a manual process each time we chose to use the above corrected and signed Setup.exe as a base that we copy and overwrite the setup.exe each time we build an installer.

This works for us because our setup does not require that the setup.exe be changed very often, if at all. Setup.exe mainly points everything to the installer. All the essential heavy lifting occurs after setup.exe is ran.
As you already noted, delcert.exe does not work with OEM 2023 Setup.exe and we ran into additional issues when we tried it. It stripped out the ICO information and removed the Run As Admin that Autodesk requires on its setup.exe’s. This did not happen in previous OEM’s and delcert.exe is still a safe option to use to sign OEM 2022 and older.
Hope this may help anyone running into this.
Shawn Golden
Microvellum