Signing with Extended Validation Authenticode Certificate + Security Token?
With Windows 8, application security has become tighter so we decided to upgrade to an extended validation Authenticode certificate when we renewed our cert. There have been a few minor bumps in the road on the building of our application, but, basically, we don't use the built-in signing tab in Visual Studio, and simply created a post build event that signs the output file. We thought, great! All is well, but then we turned our attention to our installer... Oh, my, my...
Like Visual Studio, our project used the built-in signing feature with our previous Authenticode certificate. Like VS, we can no longer use the built-in signing feature, because there is no way to export the cert to a pfx... EV Authenticode certs do not permit it... The passwords live on the security token plugged in your USB port. So, I figured... No big deal, I will simply run a batch file after building setup.exe, and sign the installer. Voila! It worked... Kind of... The installer is signed, but the MSI inside it is not signed. Argggg!
I know that I cannot be the only person who is wrestling with this issue, but I have not found anything, really, about how to accomplish this task on the Internet. I am hoping that you might have some suggestions...
The only idea that I have is to build two installer projects. One that builds the MSI... I sign it manually... Another project that links to the MSI project... I build the setup.exe output... I sign it manually. In a word, YUCK! I am hoping for some better ideas. There must be a lot of people trying to take advantage of the EVA certificates, but I sure haven't found them yet!!!
Anyway, thanks for your time and, hopefully, suggestions!
The Premier edition of InstallShield has support for build events, which let you specify commands that run before, during, and after builds. Perhaps you could use the Precompression Event, which runs after InstallShield has built the .msi package and (if applicable) .cab files, but before the .msi package has been streamed into the Setup.exe file. For this event, you could enter the command to sign your .msi package.
For more information, see Specifying Commands that Run Before, During, and After Builds.
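A sketch of the kind of command such a build event could run, added here as an example and not taken from the answer or from InstallShield: it signs one file with `signtool.exe` and fails the build unless the result verifies. The script name, its parameters and the timestamp URL are assumptions, as is the EV certificate being visible in the current user's certificate store with the token plugged in.

```powershell
# sign-artifact.ps1 (hypothetical name): added example, not InstallShield's own tooling.
# Run it once on the .msi before it is streamed into Setup.exe, then again on Setup.exe.
param(
    [Parameter(Mandatory = $true)] [string] $Path,          # file to sign (.msi or .exe)
    [Parameter(Mandatory = $true)] [string] $Thumbprint,    # SHA-1 thumbprint of the EV certificate
    [Parameter(Mandatory = $true)] [string] $TimestampUrl,  # your CA's RFC 3161 timestamp server
    [string] $SignTool = 'signtool.exe'                     # assumed to be on PATH (Windows SDK)
)
$ErrorActionPreference = 'Stop'
$Thumbprint = $Thumbprint -replace '\s', ''   # tolerate thumbprints pasted with spaces

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "Nothing to sign: '$Path' does not exist."
}

# The private key stays on the token; signtool finds it through the certificate
# entry in the user store, so check that entry first for a clearer error message.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
if (-not $cert) {
    throw "Certificate $Thumbprint with a private key was not found. Is the token plugged in?"
}

# SHA-256 file digest plus an RFC 3161 timestamp, so the signature stays
# verifiable after the certificate expires.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE."
}

# Do not trust the exit code alone: re-read the signature from the file.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature on '$Path' is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
    throw "'$Path' is signed by an unexpected certificate: $($sig.SignerCertificate.Thumbprint)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "'$Path' is signed but carries no timestamp."
}
Write-Host "Signed and verified: $Path"
```

Running the same check against both the extracted .msi and the final Setup.exe is what catches the case described in the question, where only the outer installer ends up signed.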
I have a similar problem. Utilizing the precompression event sounds good to me; unfortunately, signing with the hardware token is required to be attended, because of the password prompt popping up.
The InstallShield Premier edition trial is limited, and does not allow testing the precompression event (we currently use Professional edition), so I'm curious if the IS build process supports interactive pop-ups and will wait for the user to supply the password. I'd really like to know that before upgrading.
I tried to follow your idea of building two projects, but I'm not sure if I know what you meant by 'project that links to the MSI project'. Could you please clarify this for me?
I'll live with YUCK
I have the limited edition of InstallShield. When you say create a separate project, do you mean create a CDROM project, then sign the MSI, then in the singleimage build just add the single MSI file? Will that work without creating an MSI of an MSI?
I don't want to buy premier edition to solve this. Flexera needs to just do what Windows declares as essential today.