Digital Signing and Security

InstallShield 2022

Project:This information applies to the following project types:

Advanced UI
Basic MSI
InstallScript
InstallScript MSI
InstallScript Object
Merge Module
Suite/Advanced UI

You can digitally sign your installation and your application files to assure end users that neither your installation nor the code within your application has been tampered with or altered since publication.

The Signing tab is where you specify the digital signature information—including the digital certificate files that a certification authority grated to you—that InstallShield should use to sign your files.

The Signing tab is also where you specify which files in your installation should be digitally signed by InstallShield at build time. InstallShield enables you to sign any and all of the following files in a release, depending on what type of project you are using:

Windows Installer package (.msi file) for Basic MSI and InstallScript MSI projects
Merge module package (.msm file) for Merge Module projects
Setup.exe file for Advanced UI, Basic MSI, InstallScript, InstallScript MSI, and Suite/Advanced UI projects
Media header file for InstallScript projects
Any files in your release, including your application files

To learn more about the various settings on the Signing tab, see Signing Tab for a Release.

Certification Authorities

A certification authority is an organization such as VeriSign that issues and manages digital certificates (also known as digital IDs). The certification authority validates the requester’s identity according to prescribed criteria and issues a digital certificate. Obtaining a digital certificate requires providing the certificate authority with specific information about your company and your product.

For a list of certification authorities, see the Windows Root Certificate Program member list on the MSDN Web site.

SHA-1 vs. SHA-256 Certificates

InstallShield enables you to use digital certificates that use the SHA-256 or SHA-1 hashing algorithm for signing your installations and files at build time.

SHA-256 is favored over SHA-1, which is being deprecated because of the potential for security vulnerabilities. Microsoft announced that Windows will stop trusting items that were signed and timestamped with SHA-1 certificates after January 1, 2016. In addition, certification authorities—the organizations that issue certificates—are phasing out the creation of SHA-1 certificates. Thus, it is recommended that you replace any SHA-1 certificates in your InstallShield projects with SHA-256 certificates. For the latest information and more specific details, check with your certification authority.

If your project is configured to sign with a SHA-256 certificate, InstallShield uses a SHA-256 hash in the signature of the files that it signs at build time. If your project is configured to sign with a SHA-1 certificate, InstallShield uses a SHA-1 hash. Note that use of a SHA-1 certificate triggers build warning -7346 to alert you about the SHA-1 usage.

Beginning with InstallShield 2016, support for SHA-256 digital certificates for Windows Installer and InstallScript projects was enhanced to:

Give you the ability to specify a digest type
Allow you to specify a SHA-256 timestamp server in settings.xml
Handle similarly-named certificates in the Certificate Store

Important:Any new signatures created or timestamped after Jan 1, 2016 must be SHA-256-based signatures. Any files signed with an SHA-1 certificate need to have a timestamp showing a date and time prior to Jan 1, 2016 in order to continue to be supported. Those files will still be allowed through the 'Mark-of-the-web" system until Jan 14, 2020, when all SHA-1 support will stop in all current versions of Windows.

Using Certificate Files or Certificates in Certificate Stores to Generate a Digital Signature

When you are specifying the digital signature information that you want to use for signing your files and installations, InstallShield lets you choose between the following options:

You can specify the .pfx certificate file on your machine that you want to use.
You can reference a certificate store that contains the certificate that you want to use.

Option 1—.pfx File

You can use a personal information exchange file (.pfx) to digitally sign your installation and your application. The following tools enable you to create a .pfx file from a .pvk file and .spc file:

PVK2PFX.exe—This is part of the Windows Platform SDK, and it is also included with Microsoft Visual Studio 2005.
pvkimprt.exe—You can download this PVK Digital Certificate Files Importer tool from the downloads area on the Microsoft Web site (http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN).

The .pfx file is typically associated with a password.

Option 2—A Certificate in a Certificate Store

If you store your digital certificate in a certificate store, you can reference in your project the certificate store that contains the certificate that you want to use. If you use this method for signing, you will need to specify information such as the store name (Personal, Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities), the store location (user or machine), and the subject that identifies the specific certificate that you want to use.

If you configure your project to use a certificate that was imported with password protection into a store, Windows prompts for the password at build time when InstallShield is attempting to sign your project’s files. The strong key protection that Windows uses does not permit InstallShield to provide the password to the cryptographic provider.

Adding a Timestamp to Digital Signatures

When you specify digital signature information for a release, InstallShield timestamps the digital signature at build time by default. A digital certificate’s timestamp indicates the day and time when a file was signed; it also helps to prove that the certificate was not expired at the moment of signing. A timestamp from a trusted timestamp server typically extends the life of the digital signature beyond the certificate’s validity period, protecting against certificate expiration.

To learn how to change the default timestamp server that InstallShield uses, or for information on how to disable timestamping, see Changing the Timestamp Server for Digital Signatures.

See Also