hsteinbeck
Level 5

How secure is the certificate password stored in an InstallShield 2009 project?

I want to bundle the msi file in the setup.exe, but I want the msi package signed, because I am caching it. To do this I was going to use InstallShield's facility to sign the msi file and the setup.exe. In the past the password to use the certificate was stored in an insecure manner in the ISRelease table. I did a test run and that field does not appear to be populated anymore.

So is the password better protected now? Could it still be possible to extract the password somehow?
MichaelU
Level 12 Flexeran

If you have access to the project file, you can get the password back; it just takes more than an accidental glance at the table now. From a theoretical standpoint: since the obfuscation is reversible, it's possible for someone else to perform the reverse operation. From a practical standpoint: since the password is passed to other applications (namely signcode or signtool), it's possible to intercept this.