Step-by-Step Guide to Digitally Signing WiX Installer Packages
Digital signing ensures software integrity and authenticity. It’s a fundamental practice in digital safety practices that establishes trust between software developers and users.
While many packaging tools support digitally signing, some require more technical setup than others.
In this article, I’ll show you how to digitally sign installer packages created with WiX and introduce a simpler alternative using Advanced Installer.
Handling Package Signing in WiX
To sign your installer packages, you need a valid digital certificate from a trusted certificate authority (CA). Assuming you already have it, here’s how to sign your packages using WiX Toolset.
Check out this article: Where can I purchase a code signing certificate? Recommended providers. Explore our recommended providers and find the best options for securing your certificate.
Sign MSI Installers
You can configure the MSBuild to sign the MSI files automatically as part of the build process, using the SignTool.exe. This requires modifying your .wixproj file to invoke the signing tool after the MSI is built:
1. The first step is to enable signing by setting the SignOuput property to true.
<SignOutput>true</SignOutput>
2. Create a SignMsi target in your .wixproj file to call the SignTool.exe.
<Target Name="SignMyMsi"> <Exec Command='signtool.exe sign /v /f $(Certificate) /p password "%(SignMsi.FullPath)" ' /> </Target>
Signing Bundles with WiX
Signing bundles is more complex than signing MSIs. A bundle contains multiple components, including the burn engine, bootstrapper application, and bundle manifest.
To fully sign a bundle, you have to sign two parts:
- The burn engine - to ensure the integrity of the installation process.
- The entire bundle - to ensure the integrity of all included content.
Here are the steps to sign a bundle using WiX:
1. Enable signing by setting the SignOutput property to true.
<SignOutput>true</SignOutput>
2. Create a SignBurn in your .wixproj to invoke your signing tool to sign the Burn engine.
<Target Name="SignBurn"> <Exec Command='signtool.exe sign /v /f $(Certificate) /p password %(SignBurn.FullPath)' /> </Target>
3. Create a SignAllBundle target in your .wixproj to sign the full bundle:
<Target Name="SignBundle"> <Exec Command='signtool.exe sign /v /f $(Certificate) /p password %(SignBundle.FullPath)' /> </Target>
Signing MSIX Installers
WiX doesn’t natively support creating or signing MSIX packages.
However, you can use the FireGiantExtension. The extension provides the necessary tools to build and sign MSIX packages.
You can add the extension to your project using the NuGet Package Manager in Visual Studio. It’s available as the FireGiant.HeatWave.BuildTools.Msix.wixext package.However, you’ll need a valid license to use it.
Once the extension is installed, you can use the SignMsix target to execute the signtool. The SignMsix is a pre-built MSBuild target provided by the extension to sign the MSIX packages.
The SingnMsix target uses the SignMsixArguments property to store the arguments that will be passed to the signtool.exe, including certificate path, password, and other options.
<OutputType>Msix</OutputType> <SignOutput>true</SignOutput> <SignMsixArguments>/fd SHA256 /a /f path\to\your.pfx /p yourpfxpwd</SignMsixArguments>
For advanced scenarios, you can override the SignMsix target.
<Target Name="SignMsix"> <Exec Command='"$(MsixSignTool)" sign /fd SHA256 /a /f pathTo Your.pfx /p yourpfxpwd "@(SignMsix)"' /> </Target>
Digitally Sign Your Installer Using Advanced Installer
Advanced Installer simplifies the entire digital signing process through its GUI.
You can digitally sign files such as MSI, MSIX, EXE, or CAB files with just a few clicks.
If you want to learn how to create an installer package using Advanced Installer, check out our dedicated article for MSI and here for MSIX creation.
Start your 30-day free trial of Advanced Installer to explore how easy and efficient it can be to digitally sign and package your software—no command line needed.
Start Free Trial Now
To sign your installer packages in Advanced Installer, follow these steps:
1. Go to the Digital Signature tab.
2. Activate the “Enable signing” option.
3. Choose your code signing certificate.
4. In the Signature Properties section, enter a description that will be displayed to users by the Windows User Account Control.
For a comprehensive guide to digital signing for applications and software developers, check out the Advanced Installer Digital Signing Guide.
Conclusion
Digital signing ïs essential for enhancing software security.
While WiX can be a solution for signing installer packages, it requires technical setup and scripting.
On the other hand, Advanced Installer offers a more user-friendly GUI-driven approach to signing installer packages, making the process faster and easier—especially for those who prefer visual tools over manual configuration.
Whether you’re signing MSI, MSIX, or EXE packages, choosing the right tool can save you time and reduce errors in your release process.
FAQ: Step-by-Step Guide to Digitally Signing WiX Installer Packages
Why is digital signing important for installer packages?
Digital signing ensures software integrity and authenticity, establishing trust between developers and users by verifying that the software hasn’t been tampered with.
What tools can be used to sign WiX installer packages?
You can use SignTool.exe in conjunction with WiX’s MSBuild system to sign MSI and bundle packages.
How do I sign an MSI installer with WiX?
You need to enable the SignOutput property and create a SignMsi target in your .wixproj file that invokes signtool.exe.
Can I sign MSIX packages with WiX?
WiX does not natively support MSIX signing, but you can use the FireGiantExtension to add this capability.
What’s an easier alternative to signing with WiX?
Advanced Installer provides a GUI-based solution for signing installer packages without requiring scripting or command-line execution.
