How to digitally sign an MSI installer using PowerShell command line
Ensuring the security and integrity of software applications is a key part of modern digital safety practices. Digitally signing an MSI file from the command line is a straightforward process that enhances the security and trustworthiness of your application.
This article simplifies the process of applying digital signatures to MSI files using PowerShell, offering insights into an alternative graphical method via Advanced Installer's user interface.
Prerequisites for Digital Signing MSI Files
Before starting, ensure you have a valid code signing certificate from a trusted certificate authority (CA) or generate a self-signed certificate.
For more details on PFX, check out our blog article "What is a Code Signing Certificate and How to Ensure Digital Trust for Your Application," where we dive deeper into the topic.
Remember to export your certificate to a PFX file format and keep the password handy. A Personal Information Exchange (.pfx) file is a password-protected certificate commonly used for code signing your application. It derives from the PKCS 12 archive file format certificate, and it stores multiple cryptographic objects within a single file.
Check out our blog post "What is a PFX Certificate and How to Generate It" for a more in-depth look at PFX.
How to Digitally Sign Your MSI File from the Command Line Using PowerShell
To digitally sign an MSI file from the command line, we’ll use the PowerShell Set-AuthenticodeSignature cmdlet.
The Set-AuthenticodeSignature cmdlet is a PowerShell command that applies a unique digital signature to files, including executables (EXE files), dynamic-link libraries (DLL files), MSI files, scripts, and more.
To digitally sign an MSI file, you'll need to specify the path to the file you want to sign using the -FilePath parameter and the code signing certificate using the -Certificate parameter.
Here’s how you can accomplish this using the PowerShell Set-AuthenticodeSignature cmdlet:
1. Open PowerShell with administrative privileges.
2. Securely store the certificate password by converting the certificate password into a secure string:
$certificatePassword = ConvertTo-SecureString -String "YourCertificatePassword" -Force -AsPlainText
3. Specify the path to your certificate:
$certificatePath = "C:\Path\To\YourCertificate.pfx"
4. Create an instance of the certificate object and import the certificate:
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate.Import($certificatePath, $certificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
5. Specify the path to your MSI file:
$msiFilePath = "C:\Path\To\YourFile.msi"
6. Apply the digital signature to the MSI file using the provided certificate:
Set-AuthenticodeSignature -FilePath $msiFilePath -Certificate $certificate
7. Check the digital signature information of the MSI file to verify if the signing was successful:
Get-AuthenticodeSignature -FilePath $msiFilePath
How to Digitally Sign Your MSI File Using Advanced Installer’s GUI
Alternatively, Advanced Installer's GUI simplifies the digital signing process by integrating signtool.exe, eliminating the need for command-line operations. This functionality is designed to save time and streamline the signing process.
Experience Advanced Installer's digital signing capabilities firsthand with its 30-day free full-feature trial.
Start Free Trial
Video Tutorial Available
Stay Ahead of the Curve in Application PackagingTo keep up with more insights and trends in software packaging and deployment, subscribe to our newsletter. Get the latest updates and expert advice delivered right to your inbox.Subscribe to Our Newsletter
Written by
Radu Popescu
Technical Writer at Advanced Installer, Technical Engineer on various enterprise client projects. Experienced in Software Packaging, SCCM infrastructure and System Administrating. Tech enthusiast and music producer in his spare time.