How to sign installation files of a Visual Studio .msi

Question

I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .exe files with the signtool the certificate is valid and they run fine. The problem is that when I build the .msi (using the visual studio setup project) the .exe files lose their signatures. So I can sign the .msi after it is built, but the installed .exe files continue the whole "unknown publisher" business. How can I retain the signature on these files for installation on the client machine?

Answer 1

Visual Studio creates two folders at compile time: obj and bin. Turns out, at least in my case, the output will always be copied from the obj folder into the bin folder. I was signing the executables in the bin folder only to have them overwritten and then packaged into the msi. Signing the executables in the obj folder solved the problem.

Answer 2

You can add the following PostBuildEvent to your VS Setup project (project properties):

Windows 8.0:

"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a  $(BuiltOuputPath)

Windows 10:

"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /a  $(BuiltOuputPath)

See this MSDN documentation for signtool usage. You can use the /f flag to specify the signing certificate, /p to specify the cert's password, etc

Also, note that $(BuildOuputPath) is misspelled. This is on purpose. Thanks microsoft...

Answer 3

Are you positive the installer project is looking at the signed binary and not the unsigned one ?

I'm not using the msi builder much, but I would find it surprising that it modifies the files it packages at all.