InstallShield Signing
InstallShield can be used to sign an MSI file with a key stored in CORE.
Requirements
Interoperability is supported on InstallShield 2016 Professional Edition.
The certificate must then be synced with the Windows Keystore. To sync the certificate, see Sync Windows Keystore and Partition Certificates.
Sign an MSI file with InstallShield Using a CORE Key
Use the following process to sign an MSI file with a key stored in CORE.
Step 1: Configure InstallShield to use the certificate.
- In InstallShield, click on Media.
- Click on Releases.
- Select the appropriate release.
- Click on the Signing tab.
- Click on the field next to Digital Certificate Information.
- Click on the More button (...) on the right side of the field.
- Select Use a certificate store.
- Set Certificate Store Name to Personal.
- Set Certificate Store Location to User.
- Set Certificate Subject to the common name of the certificate that was imported.
- Set Signature Digest to your desired value.
- Click OK.
Note
You must have the full certificate chain in the personal user store (including CA).
Step 2: Build the MSI and observe that the output file is signed.
- Right-click on the file, then select Properties.
- Click on the Digital Signatures tab.
- Observe the signing information.
You can also view the CORE log, which shows a call to KSP during the MSI build operation used to sign the installer.
Note
InstallShield can also be run from the command line. For example, the following command creates a signed executable:
IsCmdBuild.exe -p {installer ism filename}
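The following PowerShell script is an added example, not part of the original procedure or of the vendor's tooling. It confirms that the certificate and its full chain are in the Personal user store, as the note in Step 1 requires, and that the built MSI carries a valid signature from that certificate. The parameter names SubjectCN and MsiPath are assumptions for illustration.

```powershell
# Added example: pre-flight and post-build checks (not vendor code).
# $SubjectCN and $MsiPath are illustrative parameter names.
param(
    [Parameter(Mandatory)] [string] $SubjectCN,  # value entered as Certificate Subject
    [Parameter(Mandatory)] [string] $MsiPath     # MSI produced by the build
)

$store = 'Cert:\CurrentUser\My'   # Store Name "Personal", Store Location "User"
$all   = @(Get-ChildItem $store)

# 1. Find the signing certificate by common name (newest first if several match).
$cert = $all | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $SubjectCN } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with common name '$SubjectCN' in $store" }
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key reference; was it synced?' }

# 2. Build the chain and require every element, including the CA, in the same store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # structure only, no network access
[void]$chain.Build($cert)
if ($chain.ChainStatus.Status -contains 'PartialChain') {
    throw 'Chain is incomplete: an issuer certificate could not be found.'
}
$missing = @($chain.ChainElements | ForEach-Object { $_.Certificate } |
    Where-Object { $all.Thumbprint -notcontains $_.Thumbprint })
if ($missing) { throw "Not in ${store}: $($missing.Subject -join '; ')" }

# 3. Verify the built MSI is signed by that certificate.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status) $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}

[pscustomobject]@{
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    ChainLength = $chain.ChainElements.Count
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

The Thumbprint value it reports is the SHA-1 thumbprint that signtool's /sha1 option takes.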
Sign an MSI file with InstallShield Premier Using a CORE Key
If you have InstallShield 2016 Premier Edition, you can use the following procedure to sign an MSI file.
- Under Path Variables add the following values:
- SignToolFolder - path to signtool.exe.
- CertificateThumbprint - the certificate thumbprint extracted in step 1.
- Under Releases, choose the relevant release.
- Click on the Events tab.
- In Precompression Event enter the following command. Replace Test.msi and the path with the relevant information for your MSI file.
cmd /c "<SignToolFolder>\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 <CertificateThumbprint> \PATH\TO\MSI\Test.msi
- In Postbuild Event enter the following command. Replace setup.exe and the path with the relevant information.
cmd /c "<SignToolFolder>\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 <CertificateThumbprint> \PATH\TO\EXE\setup.exe