How to sign installation files of a Visual Studio .msi
I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .exe files with the signtool the certificate is valid and they run fine. The problem is that when I build the .msi (using the visual studio setup project) the .exe files lose their signatures. So I can sign the .msi after it is built, but the installed .exe files continue the whole "unknown publisher" business. How can I retain the signature on these files for installation on the client machine?
Answer
You can add the following PostBuildEvent to your VS Setup project (project properties):
Windows 8.0:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a $(BuiltOuputPath)
Windows 10:
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /a $(BuiltOuputPath)
See this MSDN documentation for signtool usage. You can use the /f flag to specify the signing certificate, /p to specify the cert's password, etc
Also, note that $(BuildOuputPath) is misspelled. This is on purpose. Thanks microsoft...