How to Add a Digital Certificate to a SingleImage Install Shield Installation Program
Asked Answered
A

2

13

I have an installation program created using the limited version of Install Shield within Visual Studio 2012.

I have a digital certificate that I want to add to the installation program.

I'd like to use the SingleImage feature of Install Shield to create and deliver a single installation file (e.g. setup.exe) to my customers. It seems, however, that I must attach the digital certificate to an msi file, which is embedded within setup.exe, by Install Shield.

I have found that placing the digital certificate on setup.exe results in telling the user that the publisher is unknown, when running the installation program. If other words, that does not properly deploy the digital certificate.

Can I get access to the msi file to add the digital certificate to it? If so, how?

Agathy answered 2/2, 2014 at 1:33 Comment(0)
A
27

I going to answer my own question. Since posting my question I found that the limited edition of Install Shield in Visual Studio 2012 can be setup to sign the installation program (if you have a proper digital certificate).

This is found under: Builds/Express/SingleImage. There is a tab named "Signing". Enter the path/filename for the Digital Certificate File, the Certificate Password, and specify which output files you want to sign. Install Shield then signs the installation program upon a build.

My apologies for asking this question too soon. I should have done more research first.

Agathy answered 2/2, 2014 at 3:32 Comment(2)
In InstallShield 2013 LE open the setup project. Under Step 6 "Prepare for Release" double-click Releases. In the resulting window you are presented with the tree-view that contains the Builds/Express/SingleImage node referred to by the answer.Follmer
Be sure to choose to sign both "setup.exe and Windows Installer Package" since you'll still get "unknown publisher" if you only sign setup.exeDirndl
C
1

InstallShield versions prior to IS 2015 do not support SHA-256 certs. So, while Mike's answer is correct, it no longer does you any good without the new IS, because Microsoft requires SHA-256 as of January 1st, 2016.

But... IS let out a little secret a while back about this before they must have known what they were doing. See this thread on the IS forum.

In case they take that down, here's the important part :

"If you need this kind of signature immediately, you can either sign files yourself at a later point, or create a wrapper for signtool.exe that intercepts the command line arguments we pass to \System\signtool.exe and does something else instead."

So as Mike said, you can't simply sign the outer exe, but by replacing their signtool.exe you should be able to sign the inner msi as well.

I'm looking into implementing this work around now. If anyone else tries this, let us know your results.

Cerebellum answered 4/3, 2016 at 15:37 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.