Digital Signature Tab

InstallShield 2024 » QuickPatch Project » General Information View » Build Settings

Project: This information applies to the QuickPatch project.

When you click Build Settings in the General Information view of a QuickPatch project, InstallShield displays several tabs. The Digital Signature tab is where you specify settings if you want to digitally sign your patch.

Note: With QuickPatch projects, you can digitally sign the patch package and the Update.exe file. If you want to digitally sign individual files (such as your application’s executable files) in your QuickPatch package, you must manually sign them and then add them to your project. You can use SignTool.exe, which is included with the Windows SDK, to manually sign your files.

Settings in the Digital Signature Tab

Setting

Description

Sign the Patch Package

To digitally sign your QuickPatch package, select this check box.

Sign Update Launcher

To digitally sign the Update.exe file, select this check box.

Use 64-bit Signing

To digitally sign your QuickPatch package by using only the 64-bit signing framework, select this check box.

Signing Type

Specify the method to digitally sign the patch package and Update.exe file. Specify the argument for a sign tool’s configuration:

Standard—Select this option to use the default InstallShield sign tool to digitally sign the patch package and Update.exe file.
Custom—Select this option to use a customized sign tool to digitally sign the patch package and Update.exe file. Selecting this option enables the Path and Arguments settings.

Note: By default, this setting is set to Standard.

Certificate URL

Type a fully qualified URL—for example, http://www.mydomain.com. This URL is used in your digital signature to link to a site that you would like end users to visit to learn more about your product, organization, or company.

Digital Certificate Information

To specify the digital certificate that you want to use to sign your release, click the Browse button next to this setting. The Certificate Selection dialog box opens, enabling you to specify the location of the .pfx file, the certificate file (EV exported .cer), or information about the certificate store that contains the certificate.

InstallShield provides an option to encrypt and store an EV token password in the project file using the public key certificate (.cer) file. The .cer file is generally created by exporting a public key from the EV Authentication Client tools associated with a USB eToken provider (for example, SafeNet Authentication Client). InstallShield displays additional options to configure the Extended Validation (EV) certificate properties if the .cer file is specified. For more details, see:

Configuring Extended Validation (EV) Digital Certificate Information in InstallShield
Certificate Selection Dialog Box.

After you specify the .pfx file or choose the certificate from the test store, the following settings are displayed:

Certificate Thumbprint—This read-only setting displays the certificate thumbprint.
Issued By—This read-only setting displays the certificate issuer information.
Expiration Date—This read-only setting displays the certificate’s expiration date.

After you specify the certificate file (EV exported .cer file), the following settings are displayed:

Cryptographic Provider—This setting allows you to specify the cryptographic service provider (CSP).
Container Name—This setting allows you to specify the private key container name associated with the cryptographic service provider (CSP).
Token Password—This setting allows you to specify the EV token password which is encrypted and stored in a project file.

Note: Consider the following information when using the settings that appear after you specify the certificate file (EV exported .cer file):

Both the Cryptographic Service Provider (CSP) name and Container name can be obtained from the Private Key Certificate properties of a user certificate in the EV Vendor Authentication Client tool.
An EV certificate vendor determines an EV token password's expiration period and the number of invalid password attempts before it is locked. Therefore, selecting this setting requires changing your password at specific intervals.
If an EV token password is locked, unlocking/resetting the token password requires an administrator password.

Password

If the .pfx file that you are using has a password, enter it. InstallShield encrypts the password and stores it in your project file (.ism).

At build time, InstallShield uses the password to sign files with a .pfx file. If your certificate is protected by a password but you do not enter it in this setting, signing with a .pfx file fails.

Note that if you configure your project to use a certificate that was imported with password protection into a store, Windows prompts for the password at build time when InstallShield is attempting to sign your project’s files. The strong key protection that Windows uses does not permit InstallShield to provide the password to the cryptographic provider.

Path

Specify the location of the sign tool that is used to digitally sign the patch package and Update.exe file. To specify the sign tool's location, click the ellipsis button (...) in this setting.

Arguments

Specify the command-line arguments that configure the sign tool to digitally sign the patch package and Update.exe file. For example, the command-line arguments below can be used if the Microsoft built-in signing tool is configured as a custom option to sign the binaries:

sign /fd SHA256 /f "<ProgramFilesFolder>\testCA.pfx" /t http://timestamp.digicert.com /p MyPassword [filename]

The [filename] variable is a placeholder for the full path of the file to be signed. It resolves to the full path of the binary file being signed at build time. By default, the file path is added at the end of the arguments and passed to the custom sign tool. Instead of using a hard-coded path, you can use the path variables or environment variables that are defined within your project.
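The following is an added example, not code from InstallShield or Microsoft: a small pre-build check that audits a custom sign tool argument string, such as the one shown above, for a password typed literally after /p, a missing SHA-2 file digest, and legacy or missing timestamping. The function names, the finding codes, the <CERT_THUMBPRINT> placeholder, and the timestamp.example.test host are assumptions made for the example; the revised string assumes the certificate is available in a certificate store.

```python
import shlex

# Constructed inputs: the argument string from this page, and a variant that
# picks the certificate from a store by thumbprint and uses RFC 3161
# timestamping. Thumbprint and timestamp host are placeholders.
PAGE_EXAMPLE = ('sign /fd SHA256 /f "<ProgramFilesFolder>\\testCA.pfx" '
                '/t http://timestamp.digicert.com /p MyPassword [filename]')
REVISED = ('sign /fd SHA256 /sha1 <CERT_THUMBPRINT> '
           '/tr http://timestamp.example.test /td SHA256 [filename]')

# SignTool "sign" switches that consume the following token as their value.
VALUE_FLAGS = {"/fd", "/f", "/p", "/t", "/tr", "/td", "/sha1",
               "/n", "/csp", "/kc", "/d", "/du"}
SHA2 = {"SHA256", "SHA384", "SHA512"}


def parse_args(arg_string):
    """Split an Arguments value into {switch: value, or None for bare switches}."""
    tokens = shlex.split(arg_string, posix=False)  # keeps backslashes in Windows paths
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_FLAGS and i + 1 < len(tokens):
            flags[tok] = tokens[i + 1].strip('"')
            i += 2
            continue
        if tok.startswith("/"):
            flags[tok] = None
        i += 1
    return flags


def audit(arg_string):
    """Return sorted finding codes for one custom sign tool argument string."""
    f = parse_args(arg_string)
    findings = []
    if "/p" in f:  # password typed literally into the arguments and the command line
        findings.append("plaintext-password")
    if (f.get("/fd") or "").upper() not in SHA2:
        findings.append("no-sha2-file-digest")
    if "/tr" in f:  # RFC 3161 timestamp; /td sets its digest
        if (f.get("/td") or "").upper() not in SHA2:
            findings.append("no-sha2-timestamp-digest")
    elif "/t" in f:  # legacy Authenticode timestamp protocol
        findings.append("legacy-timestamp")
    else:  # without a timestamp the signature stops validating at certificate expiry
        findings.append("no-timestamp")
    return sorted(findings)


if __name__ == "__main__":
    for name, args in (("page example", PAGE_EXAMPLE), ("revised", REVISED)):
        print(f"{name}: {audit(args) or 'no findings'}")
```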

Signature Description

Specify the signature description that you want to use for the patch package and Update.exe file, if applicable. The description that you specify is displayed on the User Account Control (UAC) box to the right of the “Program Name:” label. The UAC dialog box opens when an end user launches the signed file and elevated privileges are required.

If you leave this setting blank, InstallShield uses the name of the file without its extension as the description to the right of the “Program Name:” label on the UAC dialog box.
