All of the files that Advanced Installer creates can also be digitally signed, including EXE, MSI, MSP (patches), and CAB files. While the EXE, MSI, and MSP files are always signed, the CAB files are only signed if they are not incorporated in the MSI.
By checking this box, you will be able to sign the package.
By pressing this button, you will clear all fields.
Software Publisher Certificate
Use from certificate store
Choose one of the currently installed certificates.
We detect certificates installed in multiple stores, such as: "Root", "CA", "Trust", "TrustedPeople", "TrustedPublisher", "AuthRoot", "CertificateAuthority".
<Most suited certificate> - When this option is chosen, "SignTool.exe" will utilize the best certificate available in the current user's Personal certificates store to sign the files.
Command line examples:
signtool sign /a /d <desc.> /t "http://timestamp.entrust.net/TSS/AuthenticodeTS" <file_name>
signtool sign /a /d <desc.> /fd SHA256 /tr "http://timestamp.entrust.net/TSS/RFC3161sha2TS" /td sha256 <file_name>
To view or manage certificates inside the system store, you can use the certmgr.msc tool (press Windows Key + R, type "certmgr.msc" and press Enter).
Use file from disk
Choose this option to load the certificate used to sign the file from a local disk. You will be requested to select the path of the certificate from the hard disk each time you pick this option.
Certificate - This field contains the path on disk to the certificate. You can use the button in this field to select one from your hard drive.
PFX certificates are preferred; you may generate a PFX certificate from the SPC and PVK files using either pvkimprt or pvk2pfx. If the PFX file is protected with a password, the “Selected certificate requires password. Select how to transmit it to signing tool:” section will be visible.
- pvk2pfx is available as part of the Platform SDK.
Private Key - The “Private Key” can be specified in this field. You can choose one from your hard drive by pressing the button. This field is hidden by default, because PFX certificates don't have a separate private key file.
Enter password each time project is built - When the MSI is created, you will be required to fill in the password.
Because Advanced Installer remembers the password for PFX files, you will only be asked for it once.
Store encrypted password in project file - The encrypted password will be saved in the project and used to sign the installation files throughout the build process. This is a valuable option for unattended builds.
Password - The password for the PFX certificate.
Confirm password - Confirm the PFX certificate password.
Command line examples:
signtool sign /f <my_cert> /d <desc.> /t "http://timestamp.entrust.net/TSS/AuthenticodeTS" <file_name>
signtool sign /f <my_cert> /d <desc.> /fd SHA256 /tr "http://timestamp.entrust.net/TSS/RFC3161sha2TS" /td sha256 <file_name>
If Advanced Installer is launched elevated, certificates installed per-machine are also detected.
The description of the signed material is stored in this field. After you click the "Install" button, the Windows UAC will display it.
This field contains a URL for a complete description of the signed content. When the package is opened from an untrusted place (for example, the network), the URL will be utilized in the "Open File - Security Warning" dialog box, where the "Name" field will become a link to the URL you supplied.
Timestamp service URL
A digital certificate has a validity period. After that time period has expired, the signed code is no longer deemed certified. To avoid this, a timestamp can be added to the signature, indicating that the certificate was valid at the moment of signing.
The “Timestamp service URL” specifies the URL of the timestamp server. An example of such a server is:
Signature properties are required to display the exact MSI name on the UAC prompt.
Sign only for modern operating systems, Windows 7 or newer (recommended)
If you enable this option, your package will be signed only with the SHA256 hashing algorithm.
By default Advanced Installer utilizes the SHA256 hashing method, which Microsoft recommends. It's crucial to note, however, that packages signed using SHA256 will not be recognized by PCs running Windows XP/2003 or Vista/2008.
This option can be used only with SHA256 certificates. For SHA1 certificates this option will be ignored and only a SHA1 signature will be added for each file.
Sign for compatibility with all operating systems, including Windows XP/Vista (deprecated)
This option enables Advanced Installer to perform dual signing or to sign only with the SHA1 hashing algorithm.
The dual signing procedure conforms to Microsoft guidelines, guaranteeing that your digital signature is visible on all operating platforms, including XP/2003 and Vista/2008.
Dual signing will succeed only if you have a SHA-2 certificate. SHA-1 certificates can only be used in certain scenarios, as explained in this article.
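The dual signing sequence described above, reproduced by hand with signtool and then verified. This is an added example, not Advanced Installer's own build logic; it assumes signtool.exe is on PATH, a SHA-2 code signing certificate is in the current user's Personal store, and the target is an EXE file (the path and description are hypothetical inputs).

```powershell
# Added example: dual-sign one EXE with signtool, then verify both signatures.
# Assumptions: signtool.exe (Windows SDK) is on PATH and a SHA-2 code signing
# certificate is in the current user's Personal store, so /a can select it.
param(
    [Parameter(Mandatory)] [string] $Path,       # EXE to sign (hypothetical input)
    [string] $Description = 'Sample package'     # placeholder value for /d
)

$ErrorActionPreference = 'Stop'

# Timestamp URLs as given in the command line examples on this page.
$LegacyTs  = 'http://timestamp.entrust.net/TSS/AuthenticodeTS'
$Rfc3161Ts = 'http://timestamp.entrust.net/TSS/RFC3161sha2TS'

function Invoke-SignTool {
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    # signtool reports failure through its exit code, not a PowerShell error.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Primary signature: SHA1 file digest with a legacy Authenticode timestamp,
#    the form Windows XP/2003 and Vista/2008 recognize.
Invoke-SignTool @('sign', '/a', '/d', $Description, '/fd', 'SHA1',
                  '/t', $LegacyTs, $Path)

# 2. Secondary signature: /as appends instead of replacing the first one;
#    SHA256 file digest with an RFC 3161 SHA256 timestamp.
Invoke-SignTool @('sign', '/a', '/as', '/d', $Description, '/fd', 'SHA256',
                  '/tr', $Rfc3161Ts, '/td', 'sha256', $Path)

# 3. Verify every signature in the file against the Authenticode policy.
Invoke-SignTool @('verify', '/pa', '/all', $Path)

# 4. Confirm the primary signature is valid and carries a timestamp, so it
#    stays verifiable after the signing certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'Primary signature has no timestamp' }

'{0}: signed by {1}, timestamped by {2}' -f $Path,
    $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

Using /a with the certificate store keeps the PFX password off the signtool command line, which matters on shared build agents where process arguments are visible to other users.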
Enable installing of patches for this product without elevation
If both the patch and the target MSI are signed with the same certificate, you won't be required to have elevated privileges to apply the patch.
An administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.
This option is not available for Patch Project.
Files Configured for Signing
When the "Enable signing" option is enabled, a dynamically filled list of the files that will be signed is displayed. Project files and output files are the two categories given.
You may also use the context menu to add, remove, or locate project files. The add/remove context operations simply enable/disable the "Digitally sign the file" option in the project file.
Advanced Installer uses the default tool, which is available with the Windows SDK v8.0 or above. This utility can only be used with certificates that have been exported as PFX files. To construct a PFX certificate from the SPC and PVK files, use either pvkimprt or pvk2pfx.