afogiel
Level 3

Signing with EV Code signing

We used to sign with a code signing cert and a pfx file, but now we use an EV Code signing certificate that requires a USB dongle and does not have a .pfx file.

Is there a way to sign via InstallShield? We used to just sign the exe after the InstallShield compile, but now we are having issues with the setup.exe that is placed inside the C:\Program Files (x86)\InstallShield Installation Information\<GUID>\ location during install not being signed, causing antiviruses to quarantine it. I assume it is because of us manually signing after the fact, so that setup.exe is not signed.

Thanks!

0 Kudos
(1) Solution
banna_k
Revenera

@afogiel :

You can achieve this by configuring a "Precompression Event" to sign the msi and setup.exe before the compression.

Also, try configuring InstallShield to sign by giving the certificate thumbprint directly in the "Digital Certificate Information" field under the "signing" tab in the release view.

(7) Replies

Thanks and I think we have it working now.

I'm a little concerned about the future though... I know EV code signing is really pushing to do it manually and not automated for security purposes. I know they have clamped down on this more and more (moving to dongle from pfx file, not allowing RDP for signing, etc.). In the past what we did was sign the generated exe after InstallShield compile time.

This worked in that the SmartScreen filter etc. passed and the exe was signed. The problem we run into now is that the setup.exe that InstallShield unpacks into the C:\Program Files (x86)\InstallShield Installation Information folder, which gets called during uninstall or upgrades, will not be signed unless done through InstallShield at compile time.

Just curious to see, if in the future they make EV code signing more and more difficult to automate, what will happen if we can't sign that setup.exe?

For now we are good though!  Thanks for the help.

 

0 Kudos

Honestly - I truly hate it when someone posts a problem, no one provides a useful answer, then the OP closes it off with "I got it working" and never tells people how they did it!  If you are going to use a forum for help - then you need to provide help when you can.  This post should be deleted.  It's just noise on the internet.

0 Kudos
We got it working via banna_k's response... we have since moved to WiX.
0 Kudos

Unfortunately precompression events are only available in the premier edition, not professional.  Premier costs about 1/2 a new car so that won't be happening (very small business).   I see "Digital Certificate Information" is available so may look into that. 

The whole digital certificate thing seems like a real can of worms that could benefit from some examples/tutorials.  Because of the change to requiring a secure hardware key it seems very complicated.

0 Kudos
afogiel
Level 3

You can very easily sign the final exe using the command line. The problem comes when you need to sign exes within the install package. Again, you could do that manually in multiple steps, or have some scripts do it, and then make the final installer.

We moved to WiX both because of cost and because of licensing, so we could scale more easily with VM build machines. It was a bit of a learning curve though.

0 Kudos
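
An added example, not written by anyone in this thread and not Revenera's code: a PowerShell sketch of the command-line signing mentioned above, using the certificate thumbprint with `signtool`, followed by an audit of the cached `setup.exe` copies under `InstallShield Installation Information`. The thumbprint, timestamp URL and build output path are placeholders, and it assumes the token's middleware exposes the EV certificate in the current user's certificate store with the dongle plugged in.

```powershell
# Added example; every default below is a placeholder or assumption to replace.
param(
    [string]$Thumbprint   = '<CERT-THUMBPRINT>',        # placeholder: thumbprint of the EV cert
    [string]$FileToSign   = '.\Release\setup.exe',      # hypothetical build output path
    [string]$TimestampUrl = '<RFC3161-TIMESTAMP-URL>',  # placeholder: your CA's timestamp server
    [string]$CacheRoot    = "${env:ProgramFiles(x86)}\InstallShield Installation Information",
    [switch]$AuditOnly                                  # skip signing, only report
)

function Test-Signed {
    param([string]$Path)
    # 'Valid' means a signature is present, chains to a trusted root,
    # and the file has not changed since it was signed.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

if (-not $AuditOnly) {
    # The private key stays on the dongle; only the certificate is in the store.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found; is the token plugged in?" }

    # signtool.exe ships with the Windows SDK and must be on PATH.
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $FileToSign
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

    $result = Test-Signed $FileToSign
    if ($result.Status -ne 'Valid') { throw "Signature on $FileToSign is $($result.Status)" }
}

# Audit: list every cached setup.exe that does not carry a valid signature.
# Signing only the outer installer after the build leaves these unsigned.
Get-ChildItem -Path $CacheRoot -Filter setup.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-Signed $_.FullName } |
    Where-Object Status -ne 'Valid' |
    Format-Table -AutoSize
```

Running the audit with `-AuditOnly` on a test machine after installing shows whether the copy used for uninstall and upgrades was signed at build time.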

InstallShield 2023R2 supports a lot more options to sign the setups/payloads, like signing using custom scripts/utilities, EV signing and prepare files events.

New Features in R2 (revenera.com)

0 Kudos