I was thinking of doing the same thing but since our Setup.exe includes an MSI, the MSI won't be signed. Are you not using Setup.exe or did you find a way around this?
If you are using premier edition of installshield, you can use the pre compression event available under event tab of releases to sign the msi using your signtool command, which will sign this msi before compression.
This pattern would work but doing it this way would expose the secrets as they would either be in plain text in the ism file or would have to be passed in as a parameter of the build and stored as a property at runtime.
If you dont want to save directly in ism file, you can pass the bat file or any script to signing the msi using event, which will be used to sign installer while build the project.
Its not necessary to pass the password and certificate directly in events. Refer screenshot.
What version you want to pass it to signtool, I dont think signtool support productversion property. You can check supports properties of signtool in azure documentation.
If You want to pass the version to setup.exe you can pass it to iscmdbld.exe
@varul I'm writting an exe to be called during the command line event to sign the MSI. I want to pass a variable to it during that command line. I have -y being passed into the ISBuildCmd but I want to be able to pass [ProductVersion] to my exe during the pre compression event.
@varul I tried using this method and call the signtool during the "Precompression Event". I am getting zero errors in my log and it looks like my event is completing successfully. Once I have an exe result, I extracted my MSI and it is not signed.
