PDA

View Full Version : Creating digitally signed MSIs



sethhitch
06-28-2005, 05:03 PM
Hi, I'm using InstallShield 11 and I'd like to digitally sign the .msi file that results from building my Basic MSI Project. I have a release that is set up to sign using the following properties:

Sign Media: Windows Installer package only
Certificate URL: http://www.mycompany.com
Software Publishing Credentials: <PATH_TO_SIGNING_FILES>\test.spc
Corresponding Private Key: <PATH_TO_SIGNING_FILES>\test.pvk

When I build the release the log shows the following:

Building CAB files...
Data1.cab built
Files built
Media table successfully built
Performing Upgrading and Patching Validation
Started signing MyProgram.msi ...
Succeeded

However, if I view MyProgram.msi using Orca I see no entries in the MsiDigitalSignature or MsiDigitalCertificate tables. Is InstallShield not populating those tables? Does it simply sign the entire file? Where does the actual signature live?

Additionally, is there any way to get InstallShield to use SHA1 for hashing instead of MD5?

_doog_
06-29-2005, 08:45 AM
AFAIK Installshield signs the setup.exe only, that they sign the msi file is new to me, must be introduced after 9.

anyway:
MsiDigitalSignature and MsiDigitalCertificate are populated with the signatures from the cab files. if those are populated, windows installer validates the signature of the cab files during installation. it may be possible that if the cab-files are included within the msi package that they are not signed. however, they should be signed if the cab-files are outside the package.

if they are not signed from installshield, there is a tool within the WindowsInstaller SDK to populate the tables with the signatures from the cab files.

MichaelU
06-29-2005, 10:16 AM
The MSI's digital signature is viewable in the Explorer file properties view, Digital Signatures tab, like a signature on an EXE. I thought we supported this back in DevStudio 9 and probably earlier, but I don't have it handy to check. Even if we didn't, signcode.exe can sign an MSI file.

MartinMarkevics
06-29-2005, 11:20 AM
We use MD5, but you could call signcode.exe to sign the MSI (which is what we do anyway) and specify SHA1 hashing. However, note that if you choose to sign the MSI package through InstallShiled (assuming you are including setup.exe in your setup), setup.exe verifies the digital signature of the MSI package whereas if you signed it yourself setup.exe would not verify the digital signature.

Also, just a quick clarification on the MsiDigital* tables... As _doog_ mentioned, these tables are only populated when the external CABs are signed, which doesn't sound like your case. We do support this functionality though. In that case, MSI verifies the digital certs of the .cab files during the installaiton.