Digital Signature Page - Patch Project

All of the files that Advanced Installer creates can also be digitally signed, including EXE, MSI, MSP (patches), and CAB files. While the EXE, MSI, and MSP files are always signed, the CAB files are only signed if they are not incorporated in the MSI.

Additionally, you may sign each file in your package separately by activating this option in the File Properties Tab, Files and Folders view.

Enable signing

By checking this box, you will be able to sign the package.

Reset All

By pressing this button, you will clear all fields.

Software Publisher Certificate

Use from certificate store

Choose one of the currently installed certificates.

NoteWe detect certificates installed in multiple stores, such as:"Root" ,"CA" , "Trust" , "TrustedPeople" , "TrustedPublisher" , "AuthRoot" , "CertificateAuthority".

<Most suited certificate> - When this option is chosen, "SignTool.exe" will utilize the best certificate available in the current user's Personal certificates store to sign the files.

Command line examples:

signtool sign /a /d <desc.> /t "http://timestamp.entrust.net/TSS/AuthenticodeTS" <file_name>
signtool sign /a /d <desc.> /fd SHA256 /tr "http://timestamp.entrust.net/TSS/RFC3161sha2TS" /td sha256 <file_name>

NoteTo view or manage certificates inside the system store, you can use certmgr.msc tool (Press Windows Key + R, type "certmgr.msc" and press enter).

Use file from disk

Choose this option and, from a local disk, the certificate used to sign the file is loaded. You will be requested to select the path of the certificate from the hard disk each time you pick this option.

Certificate - This field contains the path on disk to the certificate. You can use the [ ... ] button in this field to select one from your hard-drive.

NotePFX certificates are preferred; you may generate a PFX certificate from the SPC and PVK files using either pvkimprt or pvk2pfx. If the PFX file is protected with a password, the “Selected certificate requires password. Select how to transmit it to signing tool:” section will be visible.

  • pvk2pfx is available as part of the Platform SDK.

Private Key - The “Private Key” can be specified in this field. You can choose one from your hard drive by pressing the [ ... ] button. This field will be hidden by default, though, due to the fact that the PFX certificates don't have a separate private key file.

Enter password each time project is built - When the MSI is created, you will be required to fill in the password.

NoteBecause Advanced Installer remembers the password for PFX files, you will only be asked for it once.

Store encrypted password in project file - The encrypted password will be saved in the project and used to sign the installation files throughout the build process.This is a valuable option for unattended builds.

Password - The password for the PFX certificate.

Confirm password - Confirm the PFX certificate password.

Command line examples:

signtool sign /f <my_cert> /d <desc.> /t "http://timestamp.entrust.net/TSS/AuthenticodeTS" <file_name>
signtool sign /f <my_cert> /d <desc.> /fd SHA256 /tr "http://timestamp.entrust.net/TSS/RFC3161sha2TS" /td sha256 <file_name>

NoteIf AI is launched elevated, we are also detecting certificates installed per-machine.

Signature Properties

Description

The description of the signed material is stored in this field. After you click the "Install" button, the Windows UAC will display it.

Description URL

This field contains a URL for a complete description of the signed content. When the package is opened from an untrusted place (for example, the network), the URL will be utilized in the "Open File - Security Warning" dialog box, where the "Name" field will become a link to the URL you supplied.

Timestamp service URL

A digital certificate has a validity period. After that time period has expired, the signed code is no longer deemed certified. To avoid this, a timestamp can be added to the signature time, indicating that the certificate was valid at the moment of the signing.

The “Timestamp service URL” specifies the URL of the timestamp server. An example of such a server is:
https://www.sectigo.com/resource-library/time-stamping-server.

ImportantSignature properties are required to display the exact MSI name on the UAC prompt.

Sign only for modern operating systems, Windows 7 or newer ​(recommended)​

If you enable this option your package will be signed only with SHA256 hashing algorithm.

By default Advanced Installer utilizes the SHA256 hashing method, which Microsoft recommends. It's crucial to note, however, that packages signed using SHA256 will not be recognized by PCs running Windows XP/2003 or Vista/2008.

ImportantThis option can be used only with SHA256 certificates. For SHA1 certificates this option will be ignored and only a SHA1 signature will be added for each file.

Sign for compatibility with all operating systems, including Windows XP/Vista ​(deprecated)​

This option enables Advanced Installer to perform dual signing or to sign only with SHA1 hashing algorithm.

The dual signing procedure conforms to Microsoft guidelines, guaranteeing that your digital signature is visible on all operating platforms, including XP/2003 and Vista/2008.

ImportantDual signing will succeed only if you have a SHA-2 certificate. SHA-1 certificates can only be used in certain scenarios, as explained in this article.

Patching

Enable installing of patches for this product without elevation

If both the patch and the target MSI are signed with the same certificate, you won't be required to have elevated privileges to apply the patch.

TipAn administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.

NoteThis option is not available for Patch Project.

Files Configured for Signing

When the "Enable signing" option is enabled, a dynamically filled list of the files that will be signed is displayed. Project files and output files are the two categories given.

You may also use the context menu to add, remove, or locate project files. The add/remove context operations simply enable/disable the "Digitally sign the file" option in the project file.

Signing utilities

SignTool.exe

Advanced Installer uses the default tool, which is available with the Windows SDK v8.0 or above. This utility can only be used with certificates that have been exported as PFX files. To construct a PFX certificate from the SPC and PVK files, use either pvkimprt or pvk2pfx.

From External Tools Options page you can choose which tool to be used, i.e SignTool.exe.

ImportantOn Windows 7 dual signing is supported only by SignTool.exe and it requires you have these updates installed, along with the Windows SDK v8.0 or newer.