Signing with EV Code signing
We use to sign with a code signing cert and a pfx file but now we use an EV Code signing certificate that requires a USB dongle and does not have a .pfx file.
Is there a way to sign via installshield? We use to just sign the exe after the installshield compile, but now we are having issues with the setup.exe that is placed inside the C:\Program Files (x86)\InstallShield Installation Information\<GUID>\ location during install not being signed causing antiviruses to quarantine it. I assume it is because of us manually signing after the fact so that setup.exe is not signed.
See you can achieve configuring "Precompression Event" to sign the msi and setup.exe before the compression.
And also, try configuring Installshield to sign by giving the certificate thumbprint directly in the "Digital Certificate Information" field under "signing" tab in the release view.
Thanks and I think we have it working now.
I'm a little concerned in the future though.... I know EV Code signing is really pushing to do it manually and not automated for security purposes. I know they have clamped down on this more and more (moving to dongle from pfx file, not allowing rdp for signing etc) In the past what we did was sign the generated exe after installshield compile time.
This worked in that the smart screen filter etc passed and the exe was signed. The problem we run into now is the setup.exe that installshield unpacks into the C:\Program Files (x86)\InstallShield Installation Information folder that gets called during uninstall or upgrades will not be signed unless done through installshield at compile time.
Just curious to see in the future if they make EV code signing more and more difficult to automate, what will happen if can't sign that setup.exe?
For now we are good though! Thanks for the help.