karlf
Posts: 30
Joined: Tue Nov 01, 2016 7:30 pm

Signing Questions

Hello,

We are signing our program with an EV code signing certificate from DigiCert. This certificate lives on a different server from where the AI build runs. I have 2 questions:

First, I am wondering if the following scenario will produce any issues: After I finish my Visual Studio build, I transfer all my files I want signed to the other server where the cert lives, then sign them and move them back before I run my AI build. Then after the AI build finishes, copy over the installer to the other server and sign the installer exe. Am I correct in assuming this will not cause issues?

My second question is that I am worried that doing this signing manually will result in the updater.exe not being signed, and therefore when users get an update, they will get the yellow untrusted Windows UAC prompt. Is that correct? If so, can I simply sign the updater.exe that lives in the AdvancedInstaller program files folder and then it will be packaged in as the signed version?

As always, thanks for all the help.
Sorin
Posts: 663
Joined: Mon May 08, 2017 1:03 pm

Re: Signing Questions

Hello,
> First, I am wondering if the following scenario will produce any issues: After I finish my Visual Studio build, I transfer all my files I want signed to the other server where the cert lives, then sign them and move them back before I run my AI build. Then after the AI build finishes, copy over the installer to the other server and sign the installer exe. Am I correct in assuming this will not cause issues?

In the case of an EXE build with resources inside it, this workflow will cause an error triggered by a signature mismatch between the EXE setup and the MSI contained by it, which will be unsigned. Please take a look at our article describing this situation: Why do I get the "Unmatching digital signature between EXE bootstraper and MSI database" message?

In order to avoid this error, you should add a step in your workflow:
- use a test certificate for signing the package inside Advanced Installer
In this way the signature mismatch between the EXE and the MSI is ignored.

> My second question is that I am worried that doing this signing manually will result in the updater.exe not being signed, and therefore when users get an update, they will get the yellow untrusted Windows UAC prompt. Is that correct? If so, can I simply sign the updater.exe that lives in the AdvancedInstaller program files folder and then it will be packaged in as the signed version?

Yes, your assumption is correct, the updater.exe will not be signed, but unfortunately it cannot be signed externally because this file is modified by Advanced Installer at build time, thus its signature would be invalidated.

Best regards,
Sorin
Sorin Stefan - Advanced Installer Team
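
A check the build machine could run on files coming back from the signing server, and again on the final installer, as an added example that is not part of the original thread or of Advanced Installer. The function name, parameters, paths and thumbprint placeholder are assumptions; it separates unsigned files, files changed after signing, and files signed with a certificate other than the release one (for instance a test certificate).

```powershell
# Added example: signature gate for files returned from the signing server.
# Function name, parameters and verdict labels are hypothetical.
function Test-ReleaseSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                # folder or single file to check
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # thumbprint of the release (EV) certificate
    )

    # Normalise the thumbprint: copies from certificate dialogs often contain spaces.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    $files = Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi' }

    $results = foreach ($file in $files) {
        $sig   = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        $verdict = switch ($sig.Status) {
            'NotSigned'    { 'UNSIGNED'; break }
            # The file content no longer matches the signed hash,
            # i.e. it was modified after it was signed.
            'HashMismatch' { 'MODIFIED_AFTER_SIGNING'; break }
            # A valid signature from any other certificate (such as a
            # trusted test certificate) must not pass as a release signature.
            'Valid'        { if ($thumb -eq $expected) { 'OK' } else { 'WRONG_CERTIFICATE' }; break }
            default        { "INVALID ($($sig.Status))" }
        }

        [pscustomobject]@{ File = $file.FullName; Verdict = $verdict; Signer = $thumb }
    }

    $results | Format-Table -AutoSize | Out-Host

    # Pass only if at least one file was checked and every file is OK.
    $bad = @($results | Where-Object Verdict -ne 'OK')
    return (@($results).Count -gt 0 -and $bad.Count -eq 0)
}

# Usage (path and thumbprint are placeholders):
# if (-not (Test-ReleaseSignature -Path 'C:\build\signed' `
#         -ExpectedThumbprint '<RELEASE-CERT-THUMBPRINT>')) { exit 1 }
```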