Question

I was recently given a VB.NET project for fixing some bugs and creating an installer for it. I was told to use InstallShield LE.

All went well with creating the install script, but Windows 8 is giving me a SmartScreen warning when downloading the application from a web site and trying to install it.

I am aware of the Windows 8 policy where popular applications get more "trust points" and become popular, but the application is targeted at a fairly small audience of people, therefore we cannot rely on this option. Even more, people without proper knowledge would be repelled by the warning message and that could cause MS to never raise the trust for the application.

My question is, do I have to sign both the application and the installer with a certificate? If so, how do I sign the installer, as there is a signing tab for the project but I can't find one for the installer?

Bonus points if anyone can tell me if acquiring a proper certificate will remove the warning message telling this isn't a commonly downloaded file and might be dangerous from Chrome/IE when downloading the application. There are many threads about this, I know, but most of them suggest adding the site to webmaster tools, but that hasn't helped and we're still receiving the message.

Thanks.

Solution

If I have read your post correctly, then you are talking about an application as opposed to a website, and for that you would need a code signing certificate. Certificates that sign websites are different, so first and foremost decide what it is that you are producing and want to sign.

Having decided that, you then need to decide who you will use to supply your certificate. Typical sources would be VeriSign, Thawte or GlobalSign, to name but three. All charge different prices but essentially do the same thing.

Once you have the certificate, the installer that you use to build your application signs the code files you select and the actual installer (msi or exe) itself.

That should eliminate the message that you now see warning people about potentially dangerous files that they are about to download.

I cannot stress enough however that you need to be clear about which type of certificate you need BEFORE you go ahead and buy one. I think from your description you are talking about a code signing certificate but do check first.
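The signing order described in the answer above (application files first, then the installer package that contains them), as an added example that is not part of the original answer. It uses PowerShell's built-in Authenticode cmdlets instead of InstallShield's own signing settings, and assumes the code signing certificate is installed in the current user's certificate store; the paths and the timestamp URL are placeholders.

```powershell
# Added example. Placeholders (assumptions): build path, installer path, timestamp URL.
$ErrorActionPreference = 'Stop'
$AppDir        = '.\bin\Release'                          # hypothetical build output
$InstallerPath = '.\Setup\setup.exe'                      # hypothetical installer output
$TimestampUrl  = '<RFC 3161 timestamp URL from your CA>'  # placeholder

# Pick an unexpired code signing certificate that has its private key available.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable code signing certificate found.' }

function Add-CodeSignature([string[]]$Path) {
    foreach ($p in $Path) {
        # A timestamp keeps the signature verifiable after the certificate expires.
        $r = Set-AuthenticodeSignature -FilePath $p -Certificate $cert `
                 -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
        if ($r.Status -ne 'Valid') { throw "Signing failed for ${p}: $($r.StatusMessage)" }
    }
}

function Test-CodeSignature([string[]]$Path) {
    foreach ($p in $Path) {
        $s = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            File        = $p
            Status      = $s.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer      = $s.SignerCertificate.Subject
            Timestamped = [bool]$s.TimeStamperCertificate
        }
    }
}

# Step 1: sign the application binaries BEFORE the installer is built,
# so the signed copies are the ones that get packaged.
$appFiles = (Get-ChildItem $AppDir -Recurse -Include *.exe, *.dll).FullName
Add-CodeSignature $appFiles

# Step 2: build the installer with your packaging tool, then sign the package itself.
if (Test-Path $InstallerPath) { Add-CodeSignature $InstallerPath }

# Step 3: release gate. Refuse to publish if anything is unsigned or lacks a timestamp.
$report = Test-CodeSignature (@($appFiles) + $InstallerPath | Where-Object { Test-Path $_ })
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }) {
    throw 'One or more release files are not validly signed and timestamped.'
}
```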

OTHER TIPS

Following CAB Forum regulation, you will need to have an Extended Validation code signing certificate in order to bypass the SmartScreen filter.

Extended Validation code signing will establish immediate trust with the machine, as you go through a more stringent validation process to obtain it! (or at least that's the rationale behind it!)

I think you can get an Extended Validation code signing certificate either from Symantec or GlobalSign.

Licensed under: CC-BY-SA with attribution