Question

I am working on a program that needs to have each exe signed before being packaged in the MSI deployment project. I've tried using VS2010's Signing tools ("Sign the Assembly"), but the key file doesn't seem to like VS2010. VS doesn't ask for a password or any of that and doesn't sign the exe's. So, I've been running the sign tool via post-build command line.

Before we get too involved, we should take a look at the current structure of the application (I don't have control over this. I'm just making the updater and trying to test packaging):

  • parent folder
    • Main EXE Project Folder
    • Updater EXE Project Folder
    • Service Project Folder
    • Installer Settings (uninstall processes, etc) Project Folder
    • Deployment Project Folder
    • Signing Files Folder

I read somewhere that the deployment project generates the exe in a different folder (obj/x86/Release/app.exe instead of bin/Release).

My current method of ensuring I sign the file is by hardcoding paths like this:

"..\..\..\..\SigningFolder\signtool" sign /f "..\..\..\..\SigningFolder\myKeyFile.p12" /p mypassword /t http://somecertsite.com "..\..\..\..\Updater\Updater\obj\x86\Release\Updater.exe"

"..\..\..\..\SigningFolder\signtool" sign /f "..\..\..\..\SigningFolder\myKeyFile.p12" /p mypassword /t http://somecertsite.com "..\..\..\..\Updater\Updater\bin\Release\Updater.exe"

This makes my eyes bleed. (This happens for each EXE, and after the MSI is built, I sign the MSI as well.)

So, my question:

  • Is there a way to target the absolute output of the path? If I use $(OutDir), it points to bin\Release when compiling via the deployment project. (Or generally... Is there a better way to do this?)

Solution

My method is to add the following line in my deployment project PostBuildEvent property (assuming I need to use a certificate stored on a smart card (/a option) and that the signtool path can't be determined via environment variables):

call "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a /d "$(SolutionName)" /q "$(BuiltOuputPath)"

This will sign the generated MSI, but not the enclosed EXE files. For this, I also add the following lines in the Post-build event of my C# projects (Project > Properties > Build Events):

call "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a /d "$(SolutionName)" /q "$(TargetDir)$(TargetFileName)" "$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)"

Doing so will sign after a successful build:

  1. The EXE file built from my C# project (under bin directory)
  2. The EXE file used by my deployment project as "Primary output" (under obj directory)
  3. And finally the MSI package

Then, at the end, I don't have any executable file unsigned which is what I was looking for :)
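
A build-gate check for the result described above, as an added example that is not part of the original answer: a PowerShell script that fails the build unless every listed file (both EXE copies and the MSI) carries a valid Authenticode signature. The script name and the paths in its usage comment are assumptions.

```powershell
# Verify-Signatures.ps1 (hypothetical name) - added example, not from the original post.
# Usage, e.g. as the last post-build step (paths are placeholders):
#   powershell -NoProfile -File Verify-Signatures.ps1 bin\Release\Updater.exe obj\x86\Release\Updater.exe Setup.msi
param(
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
    [string[]] $Path
)

$failures = 0
foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Warning "MISSING   $file"
        $failures++
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $file

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, ... all fail the build.
        Write-Warning ("{0,-9} {1} ({2})" -f 'BAD', $file, $sig.Status)
        $failures++
        continue
    }

    # A signature without a timestamp stops validating once the signing certificate expires.
    $stamp = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'NO TIMESTAMP' }
    Write-Host ("{0,-9} {1} [{2}] {3}" -f 'OK', $file, $sig.SignerCertificate.Subject, $stamp)
}

if ($failures -gt 0) {
    Write-Error "$failures artifact(s) are missing or not validly signed."
    exit 1
}
exit 0
```

A non-zero exit code from a post-build event makes Visual Studio report the build as failed, so an unsigned file cannot slip into the package unnoticed.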

License: CC-BY-SA with attribution
Not affiliated with StackOverflow