InstallAnywhere 2017
InstallAnywhere includes support for digitally signing your Windows-based installers (the installer .exe file, as well as the installer launcher and the uninstaller launcher) at build time. Digitally signing your Windows-based installers assures end users that your installers have not been tampered with or altered since release. End users are presented with a digital certificate when they run your installers.
If you have not digitally signed an installer, end users see an unknown publisher warning when they launch your installer on Windows XP SP2 and later.
The ability to digitally sign Windows-based installers at build time requires a personal information exchange file (.pfx) type of digital certificate. In addition, it requires that you are using InstallAnywhere on a Windows-based system. If you try to build a Windows-based installer on a non-Windows system, InstallAnywhere does not sign the resulting installer.
Tip • If the certificate authority that issued you a digital certificate provided you with a private key file (.pvk) and a software publishing credentials file (.spc) instead of a .pfx file, you can use PVK2PFX.exe to create a .pfx file from the files that were provided to you. PVK2PFX.exe is part of the Microsoft Windows Platform SDK.
Certification Authorities
A certification authority is an organization such as VeriSign that issues and manages digital certificates (also known as digital IDs). The certification authority validates the requester’s identity according to prescribed criteria and issues a digital certificate. Obtaining a digital certificate requires providing the certificate authority with specific information about your company and your product.
For a list of certification authorities, see the Windows Root Certificate Program member list on the MSDN Web site.
SHA-1 vs. SHA-2 Certificates
InstallAnywhere enables you to use digital certificates that use the SHA-256 or SHA-1 hashing algorithm for signing your installations and files at build time.
SHA-2 is favored over SHA-1, which is being deprecated because of the potential for security vulnerabilities. Microsoft announced that Windows will stop trusting items that were signed and timestamped with SHA-1 certificates after January 1, 2016. In addition, certification authorities—the organizations that issue certificates—are phasing out the creation of SHA-1 certificates. Thus, it is recommended that you replace any SHA-1 certificates in your InstallAnywhere projects with SHA-2 certificates. For the latest information and more specific details, check with your certification authority.
If your project is configured to sign with a SHA-2 certificate, InstallAnywhere uses a SHA-2 hash in the signature of the files that it signs at build time. If your project is configured to sign with a SHA-1 certificate, InstallAnywhere generates a build error: either 813 (a SHA-1 certificate is configured in the project) or 814 (a SHA-1 certificate is configured in the project and a timestamp server is not being used for signing).
To specify digital signature information for your Windows-based installers:
| 1. | In the Advanced Designer, on the Project page, click Platforms. The Platforms view opens. |
| 2. | In the Windows area, configure each of the Digital Signing settings as needed. |
As an alternative to specifying the actual certificate file, password, and timestamp server in the Platforms Settings view, you can use build-time variables in these settings (that is, enclose the name of each variable within at symbols: @VariableName@). You can set build-time variables in the Variables view on the Project page, through a .properties file, or through environment variables. To learn more, see Resolving Variables at Build Time.
See Also
InstallAnywhere 2017 Help LibraryNovember 2016 |
Copyright Information | Flexera Software |