“EXE and MSI file signature mismatch” Warning and Solving

Written by Alex Marin · March 10th, 2026 · 4min read

Digital signatures have grown in popularity and acceptance in the industry and are now required in some cases, such as with MSIX packages. This ensures that the software delivered is secure and trustworthy.

When building installers with Advanced Installer, developers may encounter the warning “EXE and MSI file signature mismatch.”

Although the message appears alarming, the underlying causes are preventable once you understand how this process works.

Why Do Signature Mismatches Occur?

When you sign your package with Advanced Installer by using the Digital Signature page, you must follow strict staging rules.

The internal signing process for embedded MSIs is:

  1. Build the MSI
  2. Sign the MSI
  3. Build the bootstrapper EXE (which embeds the signed MSI)
  4. Sign the EXE

[Image: Digital Signature page in Advanced Installer]

Following this sequence ensures that the warning does not appear. However, if any of these steps is interrupted, modified, or influenced in any way, you are likely to receive it.

The following situations may result in the mismatch error:

  1. If the MSI and EXE are signed using different certificates outside of the Digital Signature page, Windows will detect a mismatch in the trust chain.
  2. If the MSI is modified after signing, the signature becomes invalid. This can happen when post-build scripts change the MSI, transforms (MSTs) are applied, the CAB files are recompressed, or custom actions inject files during the build process. Even a one-byte modification breaks the signature.
  3. In CI/CD pipelines, the bootstrapper EXE is typically signed once by Advanced Installer and then again by the pipeline’s signing step. Double signing alters the file and causes a mismatch with the MSI signature.
  4. If the MSI uses one timestamp server and the EXE uses another, or if one timestamp request fails and falls back to a different certificate chain, the signatures no longer match.
  5. If the MSI is signed but the EXE fails to sign because the certificate has expired, because you are offline and the offline token has expired, or because you entered an incorrect password, Advanced Installer may still complete the build. However, the package will contain a signed MSI and an unsigned EXE.

Note: We also have an FAQ for this issue: Why do I get the 'Unmatching digital signature between EXE bootstraper and MSI database' message?

As previously stated, the most reliable way to get matching signatures is to let Advanced Installer handle the entire signing workflow for both the MSI and EXE files, in the order presented above.

When you configure signing through the Digital Signature > Files configured for Signing tab, sign both MSI and EXE:

[Image: Files configured for Signing tab]

Advanced Installer will automatically follow the sequence as long as the same certificate is used, the same timestamp server is configured, no external tools re-sign or modify the files, and no post-build steps alter the MSI. This ensures that the signatures will always match.
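
The conditions above can also be checked after the build. The following PowerShell script is an added example, not part of Advanced Installer or its own mismatch check: it uses Get-AuthenticodeSignature to confirm that both files are validly signed and timestamped and that they share one signer certificate. It assumes the signed MSI is also available as a standalone file, and the paths in the comments are placeholders.

```powershell
# Added example: post-build gate comparing the Authenticode signatures
# of an MSI and its EXE bootstrapper. Not Advanced Installer's own check.
# Assumption: the signed MSI is available as a standalone file.
param(
    [Parameter(Mandatory)] [string] $MsiPath,   # placeholder, e.g. .\out\Setup.msi
    [Parameter(Mandatory)] [string] $ExePath    # placeholder, e.g. .\out\Setup.exe
)

function Get-SignatureSummary {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Thumbprint   # $null when the file is unsigned
        Timestamper = $sig.TimeStamperCertificate.Subject # $null when no timestamp is present
    }
}

$msi = Get-SignatureSummary $MsiPath
$exe = Get-SignatureSummary $ExePath
$problems = @()

foreach ($f in $msi, $exe) {
    # NotSigned catches "signed MSI, unsigned EXE"; HashMismatch catches
    # a file that was modified after it was signed.
    if ($f.Status -ne 'Valid') { $problems += "$($f.Path): signature status is $($f.Status)" }
    if (-not $f.Timestamper)   { $problems += "$($f.Path): no timestamp countersignature" }
}

# Both files should be signed with the same certificate.
if ($msi.Signer -and $exe.Signer -and $msi.Signer -ne $exe.Signer) {
    $problems += "Signer certificates differ: MSI $($msi.Signer) vs EXE $($exe.Signer)"
}

# Different timestamp signers suggest two timestamp servers were used.
if ($msi.Timestamper -and $exe.Timestamper -and $msi.Timestamper -ne $exe.Timestamper) {
    $problems += "Timestamp signers differ: '$($msi.Timestamper)' vs '$($exe.Timestamper)'"
}

$msi, $exe | Format-Table Path, Status, Signer, Timestamper -AutoSize

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # fail the pipeline step
}
Write-Host 'MSI and EXE signatures are valid and share one signer certificate.'
```

Run it as the last step of the pipeline, after every signing step has finished, so that a later re-signing or post-build change is also covered.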

Final Takeaways

  • When building installers with Advanced Installer, developers may see the warning "EXE and MSI file signature mismatch."
  • The internal signing process for embedded MSIs is to build the MSI, sign the MSI, build the bootstrapper EXE (with the signed MSI), and sign the EXE.
  • When the EXE and MSI files are signed with different certificates, Windows detects a trust chain mismatch. Modifications to the MSI after signing render the signature invalid, including changes from scripts or transforms. In CI/CD processes, double signing the bootstrapper EXE can cause mismatches due to file changes.
  • Additionally, using different timestamp servers can cause a mismatch, and a failure to sign the EXE due to issues like expired certificates may lead to an unsigned EXE accompanying a signed MSI.
  • Advanced Installer handles the entire signing workflow for both MSI and EXE files in the correct order as shown above.
  • When you configure signing through Digital Signature > Files configured for Signing tab, sign both MSI and EXE.

Conclusion

Signature mismatches occur when the MSI and EXE no longer share the same signing chain, which is usually caused by external modifications or inconsistent signing steps.

Allowing Advanced Installer to perform the entire signing process ensures that the installer is clean, consistent, and trusted every time.

Alex Marin

Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.
