I have a problem driving me nuts. I have 15 projects I can sign fine, but number 16 worked until today. I tried using pvk and key file as well as pvx. Most strange is that when I select properties on my package.exe in IS2008 explorer (inst. designer/myproject/releases/disk images/package), it's digitally signed here - no problem. But in Windows Explorer, right clicking again etc. No trace of digitally signing. Of course, when installing, it says "not signed".
I've tried the usual reboot etc.
To clarify: The setup.exe in the package is signed correctly. But the package itself not.
Try using signtool with the verify option to check if it has been succesfully signed. If the file is a large one, even if signing succeeds, it does not show up in Windows
Note When signing an executable file that is larger than approximately 300 megabytes, you should use catalog signing with the MakeCat tool rather than use the SignTool tool. This is because, depending on available system resources, some applications may not be able to verify the binary signature of a large file. For more information, see KB article 922225.
Thanks a lot, you were right. Signtool confirms the certificate is ok, as does a check on VISTA. It's a laugh really. I'll have a look at makecat. In this case it would be nice if IS2008 supported use of makecat. Maybe it even does, but I couldn't find my way to it.
InstallShield does not currently have any builtin support for using MakeCat for digital signatures. It's certainly something worth exploring, although I don't know exactly where it would best apply, so I've filed a feature request as IOC-000063834. As a general suggestion, you might see the best results when building uncompressed releases. In such a build each file will generally either be below the 300MB threshold or not need signing; the files that do need to be signed, such as the MSI, CAB and/or EXE files, should remain relatively small.
In our case we build packages for download, so we need to sign the whole package. One workaround for us would be to make (a rather old) version of DirectX a prereq, instead of implementing. It's just annoying to differ this install from all the others.
Lots of compliments for the compressing done in IS2008, it's very efficient.
If I build an uncompressed release, I'd have to zip it or something else due to bandwith concerns, which would take me back to square one, or am I missing something here?
