The Digital Signature Page

Advanced Installer can digitally sign the install files it creates: EXE, MSI, MSP (patch) and CAB files. EXE, MSI and MSP files are always signed; CAB files are signed only if they are not embedded in MSIs.

You can also sign each file in your package individually by enabling this option in the File Properties Tab, Files and Folders view.

Signing Options

Software Publisher Certificate

This field allows you to select a "Software Publisher Certificate". You can use the [ ... ] in this field to select one from your hard-drive.

Private Key

In this field you can set the "Private Key". You can use the [ ... ] to select one from your hard-drive.

Note: This field is available only if you are using the SignCode utility.

Checking the "Sign the package" check box will enable the actual signing of the package. The tool used to sign the package can be selected from a drop-down list box. The location of the tool can be specified in the Tools dialog box from the "Options > Tools..." menu.

Time Stamping

A digital certificate has a validity period. After that period expires, the signed code is not considered certified anymore. To prevent that, a Time Stamp can be placed at the signing time, which will show that the certificate was valid when the signing was done.

The "Time Stamp URL" specifies the URL of the time stamp server. This URL points to a DLL located on a server that is used for this purpose. An example of such a server (provided in MSDN) is:
http://timestamp.verisign.com/scripts/timstamp.dll.

The [ Reset All ] button can be used to clear all fields.

Description

This field contains a description of the signed content. This description will be shown by the Vista UAC after you click the "Install" button.

Description URL

This field contains a URL for an expanded description of the signed content. The URL will be used when the package is launched from an untrusted location (for example from the network): in the "Open File - Security Warning" dialog, the "Name" becomes a link to the URL you specified.

Enable least-privileged user account patching

When this option is enabled, applying the patch does not require elevated privileges if the following conditions are met:

  • Both patch and target MSI are signed using the same certificate
  • The installation is performed on Windows Vista or Windows XP SP2 (the initial installation was performed from removable media: CD, DVD, etc.)

Tip: An administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.

Note: This option is not available for Patch Projects.
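
The checks implied by the Time Stamping and least-privileged patching sections can be run against a finished build. The PowerShell below is an added example, not part of the Advanced Installer documentation: it reports whether an MSI and its patch carry a valid, time-stamped signature, whether both were signed with the same certificate, and whether the DisableLUAPatching policy is set. The file names are placeholders, and the registry path is the standard Windows Installer policy key, which this page does not state.

```powershell
# Added example. Setup.msi and Update.msp are placeholder names for your build output.
function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate            # $null when the file is not signed
    $thumb = $null; $notAfter = $null
    if ($cert) { $thumb = $cert.Thumbprint; $notAfter = $cert.NotAfter }
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Thumbprint    = $thumb
        CertNotAfter  = $notAfter
        IsTimestamped = $null -ne $sig.TimeStamperCertificate
    }
}

function Test-PackageSigning {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$PatchPath
    )
    $msi = Get-SignatureSummary -Path $MsiPath
    $msp = Get-SignatureSummary -Path $PatchPath
    $findings = @()
    foreach ($f in @($msi, $msp)) {
        if ($f.Status -ne 'Valid') {
            $findings += "$($f.Path): signature status is $($f.Status)"
        }
        elseif (-not $f.IsTimestamped) {
            # Without a time stamp the signature depends on the certificate's validity period.
            $findings += "$($f.Path): no time stamp; certificate expires $($f.CertNotAfter)"
        }
    }
    # Condition for least-privileged patching: same certificate on both files.
    if ($msi.Thumbprint -ne $msp.Thumbprint) {
        $findings += 'MSI and patch are signed with different certificates'
    }
    # Machine policy named in the Tip above; 1 disables least-privilege patching.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $policy = Get-ItemProperty -Path $key -Name DisableLUAPatching -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableLUAPatching -eq 1) {
        $findings += 'DisableLUAPatching policy is set to 1 on this computer'
    }
    $findings   # empty output means no problems were found
}

Test-PackageSigning -MsiPath '.\Setup.msi' -PatchPath '.\Update.msp'
```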

Signing Tools

The combo box allows you to select from two available tools:

SignTool.exe

This is the default signing tool. It signs using a single PFX file. If the location of SignTool is not known to Advanced Installer, you will have to locate it on your system.

SignCode.exe

This tool uses two files for signing: a .PVK and a .SPC. When you select this tool from the drop-down list, two consecutive dialogs will be displayed asking you to locate first the SPC and then the PVK file. If the location of SignCode is not known to Advanced Installer, a third dialog will prompt you to locate the SignCode.exe file as well.

Note: Advanced Installer will check to see if Microsoft's Platform SDK is installed and, if this is the case, will find the location of the required signing tool without any intervention from the user.

Certificate Password

If SignTool is used and the PFX file is protected with a password, the "Certificate Password" group will be visible. However, if SignCode is used to sign the installation files, this group will not be visible regardless of whether the PVK file is password-protected or not (because SignCode does not receive the password as a command-line argument).

Enter password each time project is built

You will be prompted to enter the password when the MSI is built.

Note: Advanced Installer caches the password for PFX files (because SignTool receives this password as a command-line argument) and hence you will be prompted for the password only once. On the other hand, if SignCode is used and the PVK file is protected with a password, at build time the SignCode tool (not Advanced Installer) will prompt you for a valid password. If multiple files need to be signed, the SignCode tool will be invoked several times and there will be multiple password prompts. If this is inconvenient, you can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files, so that SignTool may be used.

  • pvkimprt can be downloaded from this page.
  • pvk2pfx is available as part of the Platform SDK.

Store encrypted password in project file

The encrypted password will be stored in the project and used at build time to sign the installation files. This option is useful for unattended builds.

Password

The password for the PFX certificate.

Confirm password

Confirm the PFX certificate password.