Introduction
The Microsoft Authenticode* standard provides tools to help developers sign and verify .MSI and .EXE applications. This article provides instructions on how to sign applications and verify them using a .pfx file, which is a PKCS12 standard certificate file. Before starting this tutorial, you MUST have a valid certificate file. If this has not been done, please take a look at this tutorial: http://software.intel.com/en-us/articles/how-do-i-get-code-signing-certificate-certifying-authority
If your code signing certificate has already expired, you can optionally renew your certificate and resubmit your application for validation. For more information on code signing certificate renewal, see: Maintaining Valid Certificates
Adobe AIR applications are now required to sign the MSI as well and can follow the same instructions as MSI/EXE files for signing and timestamping of the MSI. The code signing process detailed in this article will be in addition to signing the AIR file which is required for correct functioning of your AIR application.
System Requirements
- Windows* XP or Windows* 7
- Windows* SDK (.NET* framework 3.5 or 4.0 preferred)
Install SDK tools
You will require "Signtool" to sign your application with the code signing certificate and verify it. It is provided as a part of the Windows* SDK. If you do not already have the SDK installed, you can get the latest version from the Microsoft website: http://msdn.microsoft.com/en-us/windows/bb980924 If you have a certificate in a different format, e.g, SPC/PVK, you will need additional tools to convert the certificate to .pfx format. The Authenticode supported tools are listed at: http://msdn.microsoft.com/en-us/library/ms537364(v=vs.85).aspx together with examples. You can check for the installed tools in the path: c:\Program Files\Microsoft SDKs\Windows\v7.1\bin. Please note that depending on the .NET framework you have installed, the version number in the path will be different. For example, v7.1 is .NET framework 4, v6.0a is .NET framework 3.5 etc. Signtool is supported by .NET framework 2.0 and above.
Signing the application:
When you are ready to sign your application, from the Signtool install directory, issue the below command: c:\Program Files\Microsoft SDKs\Windows\v7.1\bin>signtool sign /v /f Certificate_Path\Certificate.pfx /p Certificate_Password c:\MSI_Path\application.MSI The output will be as shown in the below image: 
Verifying the signed application:
Follow the below steps to verify the signature on the application:
- The Signtool command by default checks for Certificate Revocation Lists (CRLs) while verifying a signature. If you wish to disable CRL checks, issue the below command:
- c:\Program Files\Microsoft SDKs\Windows\v7.1\bin>setreg 3 FALSE
- Verify the signature with the below command:
- c:\Program Files\Microsoft SDKs\Windows\v7.1\bin> signtool verify /v /pa c:\MSI_Path\application.MSI
You will see that the developer certificate is chained to a root certificate of the issuing CA. The validity period on your development certificate can be seen in the “Expires:” field of the developer certificate, which in this case is 4/25/2012 4:59:59 PM.
In order to ensure that your signature remains valid even after the certificate has expired, it is strongly recommended to timestamp your signed application. The command to timestamp your signed application with a Comodo certificate is:
C:\signtool_install_Path>signtool timestamp /t “http://timestamp.comodoca.com/authenticode” Signed_MSI_Or_EXE_Path
Note that the URL for timestamping differs from one CA to the other and we encourage you to visit the certificate authority’s website for more information.
The code signing tool makes the process of signing and timestamping very simple: http://appdeveloper.intel.com/en-us/article/app-signing-tool-download
Now that your application has been signed by an approved CA, you are ready to upload your signed Intel AppUp® application to the Intel® Developer Zone portal. You can also view this video which demonstrates signing MSI files: http://software.intel.com/en-us/videos/signing-msi-file-video-tutorial There was an app signing tool that has been released for MSI: http://software.intel.com/en-us/articles/app-signing-tool-download
Comments
Thank you, the manual code signing instructions were very useful to me, since the app signing tool (MSITool.exe) did not work.
MSITool.exe produced a success message, however the msi-file remained unchanged. I noticed this detail after my application was rejected (again) with a missing code signature error.
Manual signing from the command line did the trick.
Also, I am wondering how important timestamping is. To timestamp your msi enter:
c:\User\x>signtool timestamp /t http://timestamp.comodoca.com/authenticode app_Installer.msi
Thank you, for Providing info On the manual code signing instructions .
Any Alternative method for signing msi packages, let me know soon.
Regards,
Rama Chandra,
Ravali Technologies.
Hi Ramachandra,
To sign your MSI files, you can either use the manual method provided in this article or use the MSI signing tool to sign your application.
Thanks
Hi Martin,
If you timestamp your application before the certificate expires, then your application will continue to show a valid signtature, even after the certificate has expired. Currently, timestamping is not mandatory, but it is advisable to timestamp your application.
How to use the automatic tool for signing the application?