Background: I've created some Windows apps (WinForms with .NET 4 and a Word x64 add-in). These are packaged into .msi installers by Advanced Installer. I need to digitally sign them so that installation doesn't show the "Unknown Publisher" warning.
- You can purchase certificates for hundreds of dollars (annually). Probably get an "Extended Validation" one. Usually these are issued to companies.
- Using a self-signed one is okay for internal-to-company use
- Don’t use
Make a certificate
Use PowerShell to do this. The cmdlets are built in. The default validity is 12 months. It will be self-signed.
```powershell
# Make one and put it in the Certificate Store (i.e. not a file; it's somewhere in the user profile)
New-SelfSignedCertificate -DnsName brettbeeson.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My -Subject "Brett Beeson" -NotAfter (Get-Date).AddMonths(24)
# Look it up (i.e. get the thumbprint)
Get-ChildItem -Path Cert:\CurrentUser\My
# Check it (replace the XXXX... with the thumbprint from the previous command)
Test-Certificate -Cert Cert:\CurrentUser\My\XXXXXXXXXXXXXXXXXXXXXXXX -AllowUntrustedRoot
```
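Before copying a thumbprint into the export and signing commands, it is worth confirming that the store entry is actually usable for signing: that it carries the Code Signing EKU, that the private key is present (an entry imported from a .cer has none), and that it has not expired. The following is an added example, not code from the original post; `Get-CodeSigningCertReport` is a name chosen here, and `-CodeSigningCert` is the certificate provider's own filter parameter.

```powershell
# Added example (not from the original post): report the code-signing certificates
# in a store and the properties that matter before you sign with one.
function Get-CodeSigningCertReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    # -CodeSigningCert is a dynamic parameter of the Cert: provider; it keeps only
    # certificates whose Enhanced Key Usage includes Code Signing.
    Get-ChildItem -Path $StorePath -CodeSigningCert | ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint          # this is the value to paste into Export-* / Test-Certificate
            NotAfter      = $_.NotAfter
            DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $_.HasPrivateKey       # must be $true to sign; a .cer import gives $false
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            Expired       = ($_.NotAfter -lt (Get-Date))
        }
    }
}

# Usage: list the current user's code-signing certs; pass another path (e.g. Cert:\LocalMachine\My) to check that store.
Get-CodeSigningCertReport | Format-Table -AutoSize
```

If `HasPrivateKey` is `$false` for the entry you intend to sign with, the .pfx export below will fail and Advanced Installer will not be able to use it; that usually means you imported the .cer rather than the .pfx on this machine.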
You can also view certificates via Start > Run >
Optional: Add your self-signed certificate as a Trusted Publisher and/or Root CA.
This obviously only takes effect on the local machine (and, with `Cert:\CurrentUser`, only for the current user).
```powershell
# CA: trust it as a root (uses the .cer exported in the next section)
Import-Certificate -FilePath .\brettbeeson.cer -CertStoreLocation Cert:\CurrentUser\Root
# TP: trust it as a publisher
Import-Certificate -FilePath .\brettbeeson.cer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher
```
Export to a file
```powershell
# Password necessary for the .pfx (it protects the private key)
$CertPassword = ConvertTo-SecureString -String "XXXX" -Force -AsPlainText
# Certificate with private key, encrypted with the password
Export-PfxCertificate -Cert Cert:\CurrentUser\My\77080EE8A3237AC0A6AA08B9DCC50B888B34709E -FilePath .\brettbeeson.pfx -Password $CertPassword
# Certificate only (public part, no private key); this is the file to import as Root / Trusted Publisher
Export-Certificate -Cert Cert:\CurrentUser\My\XXXXXXXXXXXX -FilePath .\brettbeeson.cer
```
Sign a file (Advanced Installer)
- Install signtool.exe and point AI to it. Download the Windows 10 SDK and uncheck all options except Signtool. Then in AI > File > Settings > External Tools set the path to signtool.exe. See details.
- Check AI > Digital Signatures > Enable Signing
- Use "file from disk" (my Personal Store option hangs) to select the .pfx you exported.
Sign a file (powershell)
- It looks like you can sign using signtool.exe or Set-AuthenticodeSignature
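Both routes are shown together below, as an added example that is not from the original post: signing with `Set-AuthenticodeSignature`, then the equivalent signtool.exe commands, then reading the signature back with `Get-AuthenticodeSignature`. The file path, the .pfx password and the timestamp server URL are placeholders to substitute; it is also assumed that signtool.exe is on the PATH.

```powershell
# Added example (not from the original post). Signs a file with the first code-signing
# certificate in the user's personal store and then verifies the result.
$FileToSign = 'C:\path\to\Setup.msi'      # placeholder: the MSI (or exe/dll/ps1) to sign

$Cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $Cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Timestamping matters for a short-lived self-signed cert: without it the signature is
# treated as invalid once the certificate expires. The URL is an assumption; use the
# timestamp service your organisation trusts.
$TimestampServer = 'http://timestamp.digicert.com'
$sig = Set-AuthenticodeSignature -FilePath $FileToSign -Certificate $Cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
"Signing result: $($sig.Status)"        # Valid, NotTrusted, UnknownError, ...

# Equivalent with signtool.exe (the tool Advanced Installer calls), using the exported .pfx:
#   signtool sign /fd SHA256 /f .\brettbeeson.pfx /p XXXX /tr http://timestamp.digicert.com /td SHA256 C:\path\to\Setup.msi
#   signtool verify /pa /v C:\path\to\Setup.msi

# Read the signature back. On a machine that has NOT imported the .cer into Root and
# TrustedPublisher, a self-signed signer reports NotTrusted even though the signature
# itself is intact; HashMismatch means the file was changed after signing.
$check = Get-AuthenticodeSignature -FilePath $FileToSign
'{0}: {1} (signer "{2}", thumbprint {3})' -f $FileToSign, $check.Status,
    $check.SignerCertificate.Subject, $check.SignerCertificate.Thumbprint
```

The distinction between `NotTrusted` and `HashMismatch` is the useful one when troubleshooting an install warning: the first is a trust-store problem on the verifying machine (fixed by the optional import step above), the second means the installer was modified after signing and should not be trusted at all.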
After AI builds and signs the MSI, you can right-click the file, open Properties and see the certificate details in the Digital Signatures tab.