Digital Signature Page - Merge Module Project

Advanced Installer can digitally sign all of the following files that it creates: EXE, MSI, MSP (patches) and CAB files. The EXE, MSI and MSP files are always signed while the CAB files are signed only if they are not embedded in the MSI.

You also have the possibility to individually sign each file from your package by enabling this option in the File Properties Tab, Files and Folders view.

Enable signing

Checking this checkbox will enable the actual signing of the package.

Reset All

This button can be used to clear all fields.

Software Publisher Certificate

Use from Personal certificate store

Choose one of the currently installed certificates.

<Most suited certificate> - When this value is selected, "SignTool.exe" will sign the files with the best certificate found in the current user's Personal certificates store.

Command line examples:

signtool sign /a /d <desc.> /t "http://timestamp.digicert.com" <file_name>
signtool sign /a /d <desc.> /fd SHA256 /tr "http://timestamp.entrust.net/TSS/RFC3161sha2TS" /td sha256 <file_name>

NoteTo view or manage certificates inside the system store, you can use use certmgr.msc tool (Press Windows Key + R, type "certmgr.msc" and press enter).

Use file from disk

When this option is selected the certificate used to sign the files is loaded from a local disk file. Every time you select this option, you will be prompted to select the path to the certificate from the hard-drive.

Certificate - This field contains the path on disk to the certificate. You can use the [ ... ] button in this field to select one from your hard-drive.

NotePFX certificates are recommended, you can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files. If the PFX file is protected with a password, the “Selected certificate requires password. Select how to transmit it to signing tool:” section will be visible.

  • pvk2pfx is available as part of the Platform SDK.

Private Key - In this field you can set the “Private Key”. You can use the [ ... ] button to select one from your hard-drive. PFX certificates do not have a separate private key file, thus this field is hidden by default.

Enter password each time project is built - You will be prompted to enter the password when the MSI is built.

NoteAdvanced Installer caches the password for PFX files and hence you will be prompted for the password only once.

Store encrypted password in project file - The encrypted password will be stored in the project and used at build time to sign the installation files. This option is useful for unattended builds.

Password - The password for the PFX certificate.

Confirm password - Confirm the PFX certificate password.

Command line examples:

signtool sign /f <my_cert> /d <desc.> /t "http://timestamp.entrust.net/TSS/AuthenticodeTS" <file_name>
signtool sign /f <my_cert> /d <desc.> /fd SHA256 /tr "http://timestamp.entrust.net/TSS/RFC3161sha2TS" /td sha256 <file_name>

Signature Properties

Description

This field contains the signed content's description. It will be showed by the Windows UAC after you click the "Install" button.

Description URL

This field contains a URL for a complete description of the signed content. The URL will be used when the package is launched from an untrusted location (for example from the network) in the "Open File - Security Warning" dialog, where the "Name" field will become a link to the URL you specified.

Timestamp service URL

A digital certificate has a validity period. After that period expires the signed code is not considered certified anymore. To prevent that a timestamp can be placed at the signing time which will show that the certificate was valid when the signing was done.

The “Timestamp service URL” specifies the URL of the timestamp server. An examples of such a server is:
https://sectigo.com/resource-library/time-stamping-server.

ImportantSignature properties are required to display the exact MSI name on the UAC prompt.

Timestamp delay (ms)

In this field you can configure how many milliseconds Advanced Installer will wait between two consecutive signing operations

Sign only for modern operating systems, Windows 7 or newer ​(recommended)​

If you enable this option your package will be signed only with SHA256 hashing algorithm.

By default Advanced Installer uses SHA256 as hashing algorithm, as recommended by Microsoft. However, it is very important to know that packages signed with SHA256 will not have their digital signature recognized on XP/2003 and Vista/2008 machines.

ImportantThis option can be used only with SHA256 certificates. For SHA1 certificates this option will be ignored and only a SHA1 signature will be added for each file.

Sign for compatibility with all operating systems, including Windows XP/Vista ​(deprecated)​

This option enables Advanced Installer to perform dual signing or to sign only with SHA1 hashing algorithm.

The dual signing process follows Microsoft documentation, ensuring your digital signature is correctly seen on all operating systems, including XP/2003 and Vista/2008.

ImportantDual signing will succeed only if you have a SHA-2 certificate. SHA-1 certificates can only be used in certain scenarios, as explained in this article.

Patching

Enable installing of patches for this product without elevation

By enabling this option you don't need elevated privileges when applying the patch if both patch and target MSI are signed using the same certificate.

TipAn administrator can disable least-privilege patching on the computer by setting the DisableLUAPatching policy to 1. You can set the MSIDISABLELUAPATCHING property to 1 during the initial installation of an application to prevent least-privilege patching for that application only.

NoteThis option is not available for Patch Project.

Files Configured for Signing

A dynamically populated list of the files which will be signed when "Enable signing" option is checked. There are two listed categories, project files and output files.

Optionally, you can add, remove or locate project files from the context menu. The add/remove context operations simply enable/disable the project file's "Digitally sign the file" option.

Signing utilities

SignTool.exe

The default tool, available with the Windows SDK v8.0 or higher, used by Advanced Installer. This tool can be used only with certificates exported as PFX files. You can use either pvkimprt or pvk2pfx to create a PFX certificate from the SPC and PVK files.

ImportantOn Windows 7 dual signing is supported only by SignTool.exe and it requires you have these updates installed, along with the Windows SDK v8.0 or newer.