Configuring Extended Validation (EV) Certificate information in InstallShield


Introduction

Below are the different ways of configuring EV USB eToken-based code signing in InstallShield. You will need a SafeNet USB token connected to the machine where InstallShield is installed. You must also install the associated eToken management software from the certificate vendor (for example, SafeNet Authentication Client).

Instructions

Choosing the 'Use a certificate store' option.

Choose the EV certificate entry from the Personal -> User Certificate store. Note that the private key of an EV certificate is stored on separate certified hardware such as a USB token or an HSM, and it is protected by the token password. You will be prompted for the token password during the signing process, when the certificate is accessed from the USB token. The EV client software (e.g. SafeNet Authentication Client) also provides an 'Enable single logon' setting, which limits user intervention to a single token password request per session.

Using the Custom Signing Type option.

Use this option to select and configure a custom signing solution to digitally sign build-generated files. It lets you automate scenarios where the Standard signing option is not suitable, by overriding the default InstallShield signing flow with the custom signing solution. Choosing this option enables additional fields where the path and arguments of the custom signing utility can be configured. For example, you can configure Microsoft Sign Tool from the Windows SDK folder to take care of the signing task.


Using the Custom Signing option to execute a batch file.

[Screenshot: batch file settings configured in the InstallShield Signing tab]


Sample Signing.bat file contents. Use the %1 variable as a placeholder for the full path of the file to be signed.
[Screenshot: sample Signing.bat file contents]
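One possible Signing.bat, added here as an example and not the article's own script: it signs the file passed as %1 with Microsoft Sign Tool, then verifies the signature so a failed or missing signature fails the build. It assumes signtool.exe from the Windows SDK is on PATH; the certificate thumbprint and the timestamp URL are placeholders to replace with your own values.

```batch
@echo off
rem Signing.bat - added example, not the article's original script.
rem Assumptions: signtool.exe (Windows SDK) is on PATH; CERT_SHA1 and
rem TIMESTAMP_URL below are placeholders that must be replaced.
setlocal

rem %1 is the full path of the file to sign; %~1 strips surrounding quotes.
set "TARGET=%~1"
set "CERT_SHA1=REPLACE_WITH_EV_CERT_THUMBPRINT"
set "TIMESTAMP_URL=http://timestamp.example.invalid"

if "%TARGET%"=="" (
    echo Usage: Signing.bat "full path of file to sign" 1>&2
    exit /b 2
)
if not exist "%TARGET%" (
    echo File not found: "%TARGET%" 1>&2
    exit /b 2
)

where signtool.exe >nul 2>&1
if errorlevel 1 (
    echo signtool.exe was not found on PATH 1>&2
    exit /b 3
)

rem Pick the EV certificate from the Personal (My) store by thumbprint,
rem use a SHA-256 file digest and an RFC 3161 timestamp.
signtool.exe sign /s My /sha1 %CERT_SHA1% /fd SHA256 /tr "%TIMESTAMP_URL%" /td SHA256 "%TARGET%"
if errorlevel 1 (
    echo Signing failed for "%TARGET%" 1>&2
    exit /b 1
)

rem Verify with the default Authenticode policy; a bad signature fails the build.
signtool.exe verify /pa "%TARGET%"
if errorlevel 1 (
    echo Signature verification failed for "%TARGET%" 1>&2
    exit /b 1
)

exit /b 0
```

Unless 'Enable single logon' is active or the password is otherwise supplied, the token software prompts for the token password when signtool accesses the key.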


Using the Custom Signing option to execute a VB script.

[Screenshot: VB script configured in the InstallShield Signing tab]

Refer to the sample VB script below to retrieve the full path of the file to be signed.
[Screenshot: sample VB script]


Selecting an exported public key certificate file (.cer file).

This option also makes it possible to encrypt and store the EV token password in the project file.

  1. Open the authentication client tool associated with the USB eToken provider (e.g. SafeNet Authentication Client).
  2. Find the user certificate and click the Export file option. Save it as ev.cer.

    [Screenshot: Export option for the user certificate]
  3. Go to the Release => Signing tab view in InstallShield and choose the previously exported .cer file.
     [Screenshot: .cer file selected in the Signing tab]
  4. Configure the required fields based on the private key properties of the user certificate in the EV vendor software.

    [Screenshot: required fields in the Signing tab]

    Private Key Properties:
    [Screenshot: private key properties in the EV vendor software]

  5. Save and build the project.

    InstallShield encrypts and stores the EV token password in the project file. You will get a password prompt from the EV vendor if Token Password is not configured.

     
Comments

Thank you for this great article!  Can you please clarify if storing the correct EV token password in the Build project completely eliminates the need to enter the password?  I would like to automate the installer build process as we’ve done in the past with a .pfx certificate.  If I’m able to provide the certificate (.cer), Private Key Container Name, and Token Password, will an automated build service, like Jenkins, be able to sign files without human intervention?  Let’s say I already have single logon enabled.

I was just successfully able to get this configured in InstallShield. 

1) Exporting the cer from SafeNet
2) Setting Cryptographic Provider to 'eToken Base Cryptographic Provider'
3) Setting the Private Key Container Name to the value shown in SafeNet (Sectgo_xxxxxxx)
4) Setting the Token Password to the actual Token Password.

This eliminates the need for entering the EV Token Password and successfully signs my Output Files upon performing the InstallShield Build.  

Version history
Last update: Jan 03, 2024 06:18 AM