Digitally Signing Windows-Based Installers

InstallAnywhere 2022

InstallAnywhere includes support for digitally signing your Windows-based installers (the installer .exe file, as well as the installer launcher and the uninstaller launcher) at build time. Digitally signing your Windows-based installers assures end users that your installers have not been tampered with or altered since release. End users are presented with a digital certificate when they run your installers.

If you have not digitally signed an installer, end users see an unknown publisher warning when they launch your installer on Windows XP SP2 and later.

The ability to digitally sign Windows-based installers at build time requires a personal information exchange file (.pfx) type of digital certificate. In addition, it requires that you are using InstallAnywhere on a Windows-based system. If you try to build a Windows-based installer on a non-Windows system, InstallAnywhere does not sign the resulting installer.

Tip:If the certificate authority that issued you a digital certificate provided you with a private key file (.pvk) and a software publishing credentials file (.spc) instead of a .pfx file, you can use PVK2PFX.exe to create a .pfx file from the files that were provided to you. PVK2PFX.exe is part of the Microsoft Windows Platform SDK.

Certification Authorities

A certification authority is an organization such as VeriSign that issues and manages digital certificates (also known as digital IDs). The certification authority validates the requester’s identity according to prescribed criteria and issues a digital certificate. Obtaining a digital certificate requires providing the certificate authority with specific information about your company and your product.

For a list of certification authorities, see the Windows Root Certificate Program member list on the MSDN Web site.

SHA-1 vs. SHA-2 Certificates

InstallAnywhere enables you to use digital certificates that use the SHA-256 or SHA-1 hashing algorithm for signing your installations and files at build time.

SHA-2 is favored over SHA-1, which is being deprecated because of the potential for security vulnerabilities. Microsoft announced that Windows will stop trusting items that were signed and timestamped with SHA-1 certificates after January 1, 2016. In addition, certification authorities—the organizations that issue certificates—are phasing out the creation of SHA-1 certificates. Thus, it is recommended that you replace any SHA-1 certificates in your InstallAnywhere projects with SHA-2 certificates. For the latest information and more specific details, check with your certification authority.

If your project is configured to sign with a SHA-2 certificate, InstallAnywhere uses a SHA-2 hash in the signature of the files that it signs at build time. If your project is configured to sign with a SHA-1 certificate, InstallAnywhere generates a build error: either 813 (a SHA-1 certificate is configured in the project) or 814 (a SHA-1 certificate is configured in the project and a timestamp server is not being used for signing).