I would like my installers to be digitally signed when it is created. However the cert/key used to sign installers in my company is controlled and I would not have access to it.
Is it possible to create the installer normally, extract the MSI out, sign it using a separate process and repack it into a EXE? I have got step 1 and 2 down. Step 3 will be our own process and out of the scope of this question. This would be where my manager comes in with the cert/key. I need advice on step 4, if it is possible.
Thanks in advance!
Suggested Articles
-
mihai.petcu
- Posts: 3860
- Joined: Thu Aug 05, 2010 8:01 am
Re: Sign MSI extracted from EXE and repack into EXE
Hello,
You can try to sign the EXE installer with a test certificate at build time by using the Digital Signature page. After this, you can send it to your manager so he can sign the built EXE using the real certificate using any signing tool. Normally, this should work fine.
All the best,
Mihai
You can try to sign the EXE installer with a test certificate at build time by using the Digital Signature page. After this, you can send it to your manager so he can sign the built EXE using the real certificate using any signing tool. Normally, this should work fine.
All the best,
Mihai
Re: Sign MSI extracted from EXE and repack into EXE
Hi Mihai,
Please correct my understanding if it is incorrect. Wouldnt this result in my EXE having a signature signed by a test certificate then have a signature signed by a real certificate on top of it? Or does it replace the test signature with the second signature?
What about the other files in the EXE as shown in the picture above? Will it be signed by the real certificate and have the signature replaced like above? Or will it not be signed at all by the real certificate?
Please correct my understanding if it is incorrect. Wouldnt this result in my EXE having a signature signed by a test certificate then have a signature signed by a real certificate on top of it? Or does it replace the test signature with the second signature?
- Signed Files.PNG (19.57 KiB) Viewed 17588 times
-
mihai.petcu
- Posts: 3860
- Joined: Thu Aug 05, 2010 8:01 am
Re: Sign MSI extracted from EXE and repack into EXE
Hello,
From what I know the last certificate used to sign the EXE will be used to verify the package (in your case that will the correct one from your manager). All other files inside the EXE will be signed using the test certificate.
All the best,
Mihai
From what I know the last certificate used to sign the EXE will be used to verify the package (in your case that will the correct one from your manager). All other files inside the EXE will be signed using the test certificate.
All the best,
Mihai
Re: Sign MSI extracted from EXE and repack into EXE
Hi Mihai,
Understood. One last thing, since you have not shared with me any method to repack the components into an EXE can I safely assume that this is not possible without going through the Advanced Installer application? I mean repack it in a way that the result is absolutely identical to the original unextracted EXE except that it now has signatures.
Understood. One last thing, since you have not shared with me any method to repack the components into an EXE can I safely assume that this is not possible without going through the Advanced Installer application? I mean repack it in a way that the result is absolutely identical to the original unextracted EXE except that it now has signatures.
Re: Sign MSI extracted from EXE and repack into EXE
Hello,
The method my colleague was talking about it supposes not to extract the MSI from the EXE. Therefore you won't have to reassemble anything whenusing this method. Just try to sign the setup package with a test certificate (used in "Digital Signature" page) and then just forward to your manager the built EXE setup package so it can be further signed with your original company certificate.
All the best,
Daniel
The method my colleague was talking about it supposes not to extract the MSI from the EXE. Therefore you won't have to reassemble anything whenusing this method. Just try to sign the setup package with a test certificate (used in "Digital Signature" page) and then just forward to your manager the built EXE setup package so it can be further signed with your original company certificate.
All the best,
Daniel