How to sign installation files of a Visual Studio .msi

Alex picture Alex · Oct 30, 2009 · Viewed 19.6k times · Source

I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .exe files with the signtool the certificate is valid and they run fine. The problem is that when I build the .msi (using the visual studio setup project) the .exe files lose their signatures. So I can sign the .msi after it is built, but the installed .exe files continue the whole "unknown publisher" business. How can I retain the signature on these files for installation on the client machine?

Answer

gyzpunk picture gyzpunk · Mar 7, 2013

You can add the following PostBuildEvent to your VS Setup project (project properties):

Windows 8.0:

"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a  $(BuiltOuputPath)

Windows 10:

"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /a  $(BuiltOuputPath)

Project properties window

See this MSDN documentation for signtool usage. You can use the /f flag to specify the signing certificate, /p to specify the cert's password, etc

Also, note that $(BuildOuputPath) is misspelled. This is on purpose. Thanks microsoft...