- Revenera Community
- :
- InstallShield
- :
- InstallShield Knowledge Base
- :
- Configuring Extended Validation (EV) Certificate information in InstallShield
- Mark as New
- Mark as Read
- Subscribe
- Printer Friendly Page
Configuring Extended Validation (EV) Certificate information in InstallShield
Configuring Extended Validation (EV) Certificate information in InstallShield
Introduction
Below are the different ways of configuring EV USB eToken based code signing in InstallShield. Note that you will need a SafeNet USB Token connected to a machine where InstallShield software is present. You are also required to install the associated eToken management software from a certificate vendor (example SafeNet Authentication Client).
Instructions
Choosing 'Use a certificate store' option.
Choose EV certificate entry from Personal -> User Certificate store. Please note that private key of EV certificate
is stored on a separate certified hardware modules like USB tokens or HSMs and it is protected using token password. You will be prompted for a token password during signing process when the certificate is accessed from the USB token. There is also an option called 'Enable single logon' setting that comes with EV client software tool (eg. SafeNet Authentication Client) which helps to limit user interventions per session with only one token password request.
Using Custom Signing Type option.
Use this option to select and configure a custom signing solution to digitally sign build-generated files. This helps to automate the scenarios where the Standard signing option is not suitable. This setting is helpful to override the InstallShield default signing flow with the custom signing solution. Choosing this option enables the additional fields where custom signing utility path and arguments can be configured. For example, you would be able to configure Microsoft Sign Tool from Windows SDK folder to take care of signing task.
Using Custom Signing option to execute batch file.
Configuring batch file settings in InstallShield Signing Tab:
Sample Signing.bat file contents. Use %1 variable as a place holder for the full file path to be signed.
Using Custom Signing option to execute VB script.
Configuring VB script in InstallShield Signing Tab:
Refer below sample VB script to retrieve the full file path to be signed.
Selecting exported public key certificate file (.cer file exported).
This option also provides possibility to encrypt and store EV token password in the project file.
- Open Authentication Client tool associated with USB eToken provider (eg. SafeNet Authentication Client)
- Find User certificate and click on Export file option as shown below picture. Save it as ev.cer file
- Go to Release => Signing Tab view in InstallShield and choose the previously exported .cer file as shown below
-
Configured the below required fields based on the private key properties of a user certificate in EV vendor software.
Private Key Properties: - Save and Build the project.
InstallShield encrypts and stores an EV token password in the project file. You will get a password prompt from EV vendor if Token Password is not configured.
Thank you for this great article! Can you please clarify if storing the correct EV token password in the Build project completely eliminates the need to enter the password? I would like to automate the installer build process as we’ve done in the past with a .pfx certificate. If I’m able to provide the certificate (.cer), Private Key Container Name, and Token Password, will an automated build service, like Jenkins, be able to sign files without human intervention? Let’s say I already have single logon enabled.
I was just successfully able to get this configured in InstallShield.
1) Exporting the cer from SafeNet
2) Setting Cryptographic Provider to 'eToken Base Cryptographic Provider'
3) Setting the Private Key Container Name to the value shown in SafeNet (Sectgo_xxxxxxx)
4) Setting the Token Password to the actual Token Password.
This eliminates the need for entering the EV Token Password and successfully signs my Output Files upon performing the InstallShield Build.