- Re: InstallShield Digital Signing Tab/Options do not support new industry standard requirements for ...
The options to digitally sign within InstallShield discussed here https://docs.revenera.com/installshield22helplib/helplibrary/IHelpReleaseDigitalSignature.htm do not seem to support new industry requirements for code signing certificates discussed here https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html
Option #1 (.pfx approach with password) will absolutely not work; this is the approach that is being deprecated by the industry.
Option #2: I have tried to set up a proof-of-concept with a new HSM certificate from digicertONE, but this does not seem to work.
The uninstall .msi that is generated during the InstallShield process cannot be signed without these options or precompression events.
How are teams supposed to sign via InstallShield without having to use some workaround like precompression events?
I signed it with a brand new cert from Digicert (the one with private keys on HSM) using option 2. InstallShield reported the build as successful, and when I inspected the signed binaries I can see that it's signed with the right fingerprint of the new cert.
I used the Digicert tool called smksp_cert_sync.exe to sync the new certs into the local store.
When you say "Option 2 does not handle this case" with the new certs, what sort of errors are you getting?
Can we please have an update on how we can adapt to the new industry requirements for code signing certificates using InstallShield?
So, having tested this further on Windows: there are two options in InstallShield; option 1 was to use the .pfx file and option 2 was to use the local certificate store. Provided you have imported your Digicert certificate into your local "Manage user certificates" store, select option 2 and the code signing certificate should appear in the list. Save the .ism file and build as normal. The signing seems to work. Verified that all the binaries are signed as expected.
Are you using a certificate that meets the new private key requirements for code signing certs? That is, are you using a cert where the private keys and certificates must be stored and installed on tokens or HSMs?
Option 2 works just fine with an old cert (that won't work anymore once it expires). I generated a new cert where the private keys are stored in an HSM provided by Digicert. Option 2 does not seem to handle this case.
It seems my initial sync early on didn't work, I synced again and this now works, thank you so much!
To be honest, what you are saying about using Digicert tools etc. to sync a certificate is really unclear to me. I have the certificate on a USB smart token and was told there is no way to sign code anymore without the SafeNet client and the token, because you cannot export it to a .pfx.
So in the end I decided to sign the files without using InstallShield.
I run a batch file that signs all DLL and EXE files in the source folder using signtool.
Then I create the setup using InstallShield.
At last I sign the setup.exe again using signtool.
This works, but it's a lot more work than before with the .pfx in InstallShield.
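The sign-then-build-then-sign routine from the post above, written out as an added example (not code from the thread, from Revenera or from DigiCert). It assumes signtool.exe from the Windows SDK is on PATH and that the token or HSM client (SafeNet Authentication Client, or DigiCert's smksp_cert_sync.exe mentioned earlier in the thread) has already published the certificate into the CurrentUser\My store; the timestamp URL is a placeholder to replace with your CA's RFC 3161 service.

```powershell
# Added example (not from the thread): sign binaries with signtool using a certificate whose
# private key stays on the USB token / HSM, selected from the current user's certificate store.
# Assumptions: signtool.exe is on PATH; the token/HSM client has already placed the certificate
# in CurrentUser\My, so signtool reaches the key through that vendor's key storage provider.
# Run once on the source folder before the InstallShield build, and once on Setup.exe afterwards.
param(
    [Parameter(Mandatory)] [string[]] $Paths,                 # files or folders to sign
    [Parameter(Mandatory)] [string] $Thumbprint,              # SHA-1 thumbprint of the signing cert
    [string] $TimestampUrl = 'http://timestamp.example.com'   # placeholder: your CA's RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

# Fail early if the certificate is not in the user store with a linked private key.
# That is exactly the symptom of the token/HSM sync not having run (or having failed).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint is not in CurrentUser\My; re-run the token/HSM sync tool." }
if (-not $cert.HasPrivateKey) { throw "Certificate found, but no private key is linked; check the token client." }

function Invoke-Sign([string] $File) {
    # /sha1 picks the certificate by thumbprint from the store: no .pfx and no password anywhere.
    # /fd sha256 hashes the file with SHA-256; /tr plus /td sha256 adds an RFC 3161 timestamp so
    # the signature remains valid after the certificate itself expires.
    & signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $File" }
    # /pa verifies with the Default Authenticode policy, i.e. what Windows checks at run time.
    & signtool.exe verify /pa $File
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed on $File" }
}

foreach ($p in $Paths) {
    if (Test-Path $p -PathType Container) {
        # Folder: sign every DLL and EXE under it (step 1 of the routine above).
        Get-ChildItem -Path $p -Recurse -Include *.dll, *.exe | ForEach-Object { Invoke-Sign $_.FullName }
    } else {
        # Single file, e.g. the Setup.exe produced by the build (step 3).
        Invoke-Sign (Resolve-Path $p).Path
    }
}
```

The MSI that Setup.exe extracts is produced inside the InstallShield build, so this script never sees it; signing that file still depends on InstallShield's own signing options or a precompression event, as the thread notes.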
But as I understand it this leaves the MSI file that InstallShield creates when compiling the installer unsigned. I think some people have said this causes Windows to stop at the point Setup.exe decompresses it and tries to run it. Am I missing something?
We haven't noticed that, and neither did our customers.
In the beginning Defender did block the setup in some cases, probably due to the new cert, but when you clicked "More info" in order to proceed it showed our company name etc. and you could continue without any further warnings.
Hi @jeroenvels,
If you don't want to save directly in the .ism file, you can pass the .bat file, which will be used to sign the installer while building the project. Refer to the screenshot.
My version of InstallShield 2021 does not show Precompression Events in Events. Did they introduce this in 2022 only? (Or worse, does this require the Premier version?) I have the Professional version.
We are using 2021 R2 Premier and it has the events.
Events have been around for years, however they are only available in the Premier edition and not Professional.
We're using Azure HSM, which signs via AzureSignTool. That requires API credentials to talk to Azure's Key Vault. Is there a way to pass build-time-only properties to the BAT? Setting properties on the install itself isn't allowed because they would be stored in the MSI and exposed. Hard-coding the credentials in the BAT would also expose them. How can we pass build-time-only properties to the build?
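One way to keep the Key Vault credentials out of both the .ism and the .bat, as an added example that is not from the thread or from the AzureSignTool project: a PowerShell wrapper the precompression .bat can call, which reads the credentials from environment variables the CI job injects only for the build process. It assumes AzureSignTool.exe and signtool.exe are on PATH, that InstallShield's event runs the .bat with the build agent's environment inherited, and that the AZSIGN_* variable names (invented here) are set as masked secrets by the pipeline.

```powershell
# Added example (not from the thread): sign with AzureSignTool using credentials that exist only
# in the build process's environment, so nothing secret is written into the .ism, the .bat or the MSI.
# Assumptions: AzureSignTool.exe and signtool.exe are on PATH; the CI job sets the AZSIGN_*
# variables (names invented here) as masked secrets immediately before launching the InstallShield
# build, and the precompression event runs this script's .bat with that environment inherited.
param(
    [Parameter(Mandatory)] [string[]] $Files,                 # binaries handed over by the .bat
    [string] $TimestampUrl = 'http://timestamp.example.com'   # placeholder: your CA's RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

# Every value comes from the environment; the script itself contains no credential.
$required = 'AZSIGN_VAULT_URL', 'AZSIGN_TENANT_ID', 'AZSIGN_CLIENT_ID', 'AZSIGN_CLIENT_SECRET', 'AZSIGN_CERT_NAME'
$missing = $required | Where-Object { [string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($_)) }
# Abort the build rather than silently producing unsigned output.
if ($missing) { throw "Build environment did not provide: $($missing -join ', ')" }

foreach ($file in $Files) {
    # The secret is handed to one short-lived child process on its command line. Keep command
    # echo off in the build log, and prefer a managed identity on agents that support it, since
    # command lines are readable by other local processes and by anything that records them.
    & AzureSignTool.exe sign `
        --azure-key-vault-url           $env:AZSIGN_VAULT_URL `
        --azure-key-vault-tenant-id     $env:AZSIGN_TENANT_ID `
        --azure-key-vault-client-id     $env:AZSIGN_CLIENT_ID `
        --azure-key-vault-client-secret $env:AZSIGN_CLIENT_SECRET `
        --azure-key-vault-certificate   $env:AZSIGN_CERT_NAME `
        --timestamp-rfc3161 $TimestampUrl --timestamp-digest sha256 --file-digest sha256 `
        $file
    if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed on $file" }
    # Confirm the result against the Default Authenticode policy Windows applies at run time.
    & signtool.exe verify /pa $file
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed on $file" }
}
```

Because the variables belong to the build job's process tree, they are gone when the job ends and never become MSI properties; the thread itself does not confirm that InstallShield passes the environment through, so verify that on your own build machine first.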
@varul I see competitors have a native configuration UI for using cloud HSMs. It would be great to have assurance that InstallShield will get that feature soon.
I stayed back on 2021 because I'm a very small business and IS was just getting too expensive to maintain for me. Now to learn that I not only have to restart my subscription (I think they make you purchase all over again once you lapse) AND upgrade to Premier to access the Precompression Events just takes IS off the table for me. It would be rude to mention the competitor by name, but, yes - for a lot (I mean A LOT) less money I can get what I need. That's sad as I've amassed a great deal of esoteric comfort with IS with a large body of work. But, with IS Premier at the cost of 1/3rd of a new car (Premier sub is $7,423 as of 9/22/23) it's kind of a no-brainer. My CFO would slay me for authorizing that kind of expense right now. It's been a tough year...
Thanks - this is helpful. I am still using InstallShield 2021 - is this version going to be compatible with the new signing methods using a local USB key instead of a pfx file?
Yes, because the SafeNet Authentication Client (SAC) installs the certificate in the Local User Certificate Store. See my comment below from Sep 22, 2023 03:18 AM.
+1 for wanting to know on how to deal with the new requirements.
The way it used to work was very easy and straightforward.
Did you ever find a solution to this or get any answers?
No, in the end I figured out a workaround for myself (see reply in this topic) and that works for now. Still haven't been able to find anything else that works.