Advanced Installer can digitally sign all of the following files that it creates: EXE, MSI, MSP (patches) and CAB files. The EXE, MSI and MSP files are always signed while the CAB files are signed only if they are not embedded in the MSI.
You can also sign each file from your package individually by enabling this option in the File Properties, Files and Folders view.
Enable signing
Checking this checkbox will enable the actual signing of the package.
Reset All
This button can be used to clear all fields.
Software Publisher Certificate
Use the most suited certificate from system store
When this option is selected, "SignTool.exe" will sign the files with the best certificate found in the system certificate store.
Use a selected certificate from system store
By selecting this option you will be prompted to choose one of the currently installed certificates.
Thumbprint
The Thumbprint read-only field allows you to see what certificate has been chosen from the store:
- The Thumbprint, or certificate hash, uniquely identifies a certificate; however, it is not easy to read or memorize. It is the hexadecimal string that contains the SHA-1 hash of the certificate.
- Hovering over the field will reveal the certificate subject, issuer and validity period. This information is not as accurate as the thumbprint itself, but it is easier to read or memorize.
You can use the helper button to select a certificate file from which to extract the thumbprint.
The Thumbprint property can be previewed in the details of the certificate from the Select Certificate Dialog.
Use file from disk
When this option is selected, the certificate used to sign the files is loaded from a local disk file. Every time you select this option, you will be prompted to select the path to the certificate on the hard drive. Advanced Installer will automatically use the appropriate tool depending on the chosen file types. If the tools' locations are not known to Advanced Installer, you will have to locate them on your system using the External Tools dialog box from the “Options > External Tools...” menu.
Certificate
This field contains the path on disk to the certificate. You can use the button in this field to select one from your hard-drive.
If SignTool is used and the PFX file is protected with a password, the “Selected certificate requires password. Select how to transmit it to signing tool:” section will be visible. However, if SignCode is used to sign the installation files, this section will not be visible regardless of whether the PVK file is password-protected or not (because SignCode does not receive the password as a command-line argument).
Private Key
In this field you can set the “Private Key”. You can use the button to select one from your hard-drive.
This field is available only for the SignCode utility.
Enter password each time project is built
You will be prompted to enter the password when the MSI is built.
Advanced Installer caches the password for PFX files (because SignTool receives this password as a command-line argument) and hence you will be prompted for the password only once. On the other hand, if SignCode is used and the PVK file is protected with a password, at build time the SignCode tool (not Advanced Installer) will prompt you for a valid password. If multiple files need to be signed, the SignCode tool will be invoked several times and there will be multiple password prompts. If this is inconvenient, you can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files, such that SignTool may be used.
- pvkimprt can be downloaded from this page. Following the link from the page will download an .EXE archive containing the pvkimprt installation setup. To install, first extract the setup and then run the installation from the extract location.
- pvk2pfx is available as part of the Platform SDK.
Store encrypted password in project file
The encrypted password will be stored in the project and used at build time to sign the installation files. This option is useful for unattended builds.
Password
The password for the PFX certificate.
Confirm password
Confirm the PFX certificate password.
Signature Properties
Description
This field contains the signed content's description. It will be shown by the Windows UAC after you click the "Install" button.
Description URL
This field contains a URL for a complete description of the signed content. The URL will be used when the package is launched from an untrusted location (for example from the network) in the "Open File - Security Warning" dialog, where the "Name" field will become a link to the URL you specified.
Time Stamp URL
A digital certificate has a validity period. After that period expires, the signed code is no longer considered certified. To prevent that, a time stamp can be placed at signing time, which will show that the certificate was valid when the signing was done.
The “Time Stamp URL” specifies the URL of the time stamp server. This URL points to a DLL located on a server that is used for this purpose. An example of such a server (provided in MSDN) is: http://timestamp.verisign.com/scripts/timstamp.dll.
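The Thumbprint and Time Stamp URL settings described above can be checked on the build output. The following PowerShell is an added example, not part of Advanced Installer or its documentation: it confirms that each built file is signed by the certificate with the expected thumbprint and carries a time stamp. The function name `Test-PackageSignature`, its parameters and the file name in the usage comment are assumptions for illustration.

```powershell
# Added example (not from Advanced Installer). Test-PackageSignature and its
# parameters are hypothetical names; supply your own file paths and thumbprint.
# Usage: Test-PackageSignature -Path .\Setup.msi -ExpectedThumbprint '<value of the Thumbprint field>'
function Test-PackageSignature {
    param(
        [Parameter(Mandatory)] [string[]] $Path,               # built EXE/MSI/MSP/CAB files
        [Parameter(Mandatory)] [string]   $ExpectedThumbprint  # SHA-1 hash of the signing certificate
    )

    # Thumbprints are often copied with spaces or hidden characters; keep hex digits only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($expected.Length) digits."
    }

    foreach ($file in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate
        $issues = @()

        # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a failure.
        if ($sig.Status -ne 'Valid') {
            $issues += "status is $($sig.Status)"
        }
        if ($null -eq $signer) {
            $issues += 'no signer certificate'
        } elseif ($signer.Thumbprint -ne $expected) {
            $issues += "signed by unexpected certificate $($signer.Thumbprint)"
        }
        # Without a time stamp the signature is no longer accepted once the certificate expires.
        if ($null -eq $sig.TimeStamperCertificate) {
            $issues += 'no time stamp'
        }

        # One result object per file, suitable for failing an unattended build.
        [pscustomobject]@{
            File     = $file
            Ok       = ($issues.Count -eq 0)
            Signer   = if ($signer) { $signer.Subject } else { $null }
            NotAfter = if ($signer) { $signer.NotAfter } else { $null }
            Issues   = $issues -join '; '
        }
    }
}
```

In an unattended build, treat any result with `Ok` set to `$false` as a build failure.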
Enable installing of patches for this product without elevation
By enabling this option you don't need elevated privileges when applying the patch if the following conditions are met:
- Both patch and target MSI are signed using the same certificate
- The installation is performed on Windows XP SP2 or above (the initial installation was performed from removable media: CD, DVD, etc.)
An administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.
This option is not available for Patch Projects.
Signing utilities
DigiSign.exe
This is the default signing tool that comes with Advanced Installer. It can be changed from External Tools Options. More information about this tool and its usage can be found in our DigiSign Tool article.
SignTool.exe
This tool uses a single PFX file for signing the package.
SignCode.exe
This tool uses two files for signing: a PVK and an SPC.
To view or manage certificates inside the system store, you can use the certmgr.msc tool.
Topics
- Select Certificate Dialog
Allows you to select a certificate