Signing Tab

InstallShield 2024 Express Edition » Releases View » Release

The Signing tab is where you specify the digital signature information—including the digital certificate files that a certification authority grated to you—that InstallShield should use to sign your files. It is also where you specify which files in your installation should be digitally signed at build time.

Settings on the Signing Tab

Setting

Media Type

Description

Signing Type

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify the method to digitally sign build-generated files. Specify the argument for a sign tool’s configuration:

•

Standard—Select this option to use the default InstallShield Express Edition sign tool to digitally sign build-generated files.

•

Custom—Select this option to use a customized sign tool to digitally sign build-generated files. Selecting this option enables the Path and Arguments settings.

Note:By default, this setting is set to Standard.

Path

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify the sign tool's location to digitally sign build-generated files by using that sign tool. To specify sign tool's location, click the ellipsis button (...) in this setting.

Arguments

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify the command-line argument for a sign tool’s configuration to digitally sign build-generated files. For example, command-line argument below can be used if the Microsoft built-in signing tool is configured as a custom option to sign the binaries:

sign /fd SHA256 /f "<ProgramFilesFolder>\testCA.pfx" /t http://timestamp.digicert.com /p MyPassword [filename]

The [filename] variable is a place holder for full file path to be signed. It resolves to full path of the binary file to be signed during build time. By default, a file path will be added at the end of an argument and passed to a custom sign tool. Instead of using a hard-coded path, you can use the path variables, environment variables, or property names that are defined in your project.

Note:To utilize a property name in the Arguments setting, it must be specified within square brackets ([]).

Certificate URL

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Type a fully qualified URL—for example, http://www.mydomain.com. This URL is used in your digital signature to link to a site that you would like end users to visit to learn more about your product, organization, or company.

Digital Certificate Information

Custom, CD-ROM, DVD, SingleImage, WebDeployment

To specify the digital certificate that you want to use to sign your release, click the ellipsis button (...) in this setting. The Certificate Selection dialog box opens, enabling you to specify either the location of the .pfx file, certificate file (EV exported .cer file), or information about the certificate store that contains the certificate.

InstallShield provides an option to encrypt and store an EV token password in the project file using the public key certificate (.cer) file. The .cer file is generally created by exporting a public key from the EV Authentication Client tools associated with a USB eToken provider (for example, SafeNet Authentication Client). InstallShield displays additional options to configure the Extended Validation (EV) certificate properties if the .cer file is specified. For more details, see

•

Configuring EV Digital Certificate Information in InstallShield

•

Certificate Selection Dialog Box

After specifying the .pfx file or choosing the certificate from test store, the below will be displayed:

•

Certificate Thumbprint—This read-only setting displays the certificate thumbprint.

•

Issued By—This read-only setting displays the certificate issuer information.

•

Expiration Date—This read-only setting displays the certificate’s expiration date.

After specifying the certificate file (EV exported .cer file), the below settings will be displayed:

•

Cryptographic Provider—This setting allows you to specify the cryptographic service provider (CSP).

•

Container Name—This setting allows you to specify the private key container name associated to the cryptographic service provider (CSP).

•

Token Password—This setting allows you to specify the EV token password which is encrypted and stored in a project file.

Note:Note the following informations while utilizing the settings that appear after specifying the certificate file (EV exported .cer file):

•

Both the Cryptographic Service Provider (CSP) name and Container name can be obtained from the Private Key Certificate properties of a user certificate in the EV Vendor Authentication Client tool.

•

An EV certificate vendor determines an EV token password's expiration period and number of invalid password attempts before it is locked. Therefore, selecting this setting requires changing your password in specific intervals.

(Continued)

•

If an EV token password is locked, unlocking/resetting the token password requires an administrator password.

Certificate Password

Custom, CD-ROM, DVD, SingleImage, WebDeployment

If the .pfx file that you are using has a password, enter it. InstallShield encrypts the password and stores it in your project file (.ise).

At build time, InstallShield uses the password to sign files with a .pfx file. If your certificate is protected by a password but you do not enter it in this setting, signing with a .pfx file fails.

Note that if you configure your project to use a certificate that was imported with password protection into a store, Windows prompts for the password at build time when InstallShield is attempting to sign your project’s files. The strong key protection that Windows uses does not permit InstallShield to provide the password to the cryptographic provider.

Sign Output Files

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify which files you want to be signed. Available options are:

•

None—To avoid signing your installation, select this option.

•

Setup.exe—To sign your Setup.exe file, select this option.

•

Setup.exe and Windows Installer Package—To sign your Setup.exe file and your Windows Installer package (.msi), select this option.

•

Windows Installer Package—To sign your Windows Installer package (.msi), select this option.

Use 64-Bit Signing

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify whether you want to use the 64-bit signing framework to digitally sign your package. Available options are:

•

Yes—Enables the 64-bit signing framework to digitally sign a package.

•

No—Enables the 32-bit signing framework to digitally sign a package.

By default, this setting is set to No.

Signature Description

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify the signature description that you want to use for files that are specified in the Sign Output Files setting. The description that you specify is displayed on the User Account Control (UAC) box to the right of the “Program Name:” label. The UAC dialog box opens when an end user launches the signed file and elevated privileges are required.

If you leave this setting blank, InstallShield uses the name of the file without its extension as the description to the right of the “Program Name:” label on the UAC dialog box. Note that if you use the Sign Files in Package setting and its subsettings to sign the files in your package, InstallShield does not use this signature description for the UAC dialog box of the files in your package that are signed at build time.

Sign Files in Package

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify whether you want to digitally sign all the files, including InstallShield support files (English, language-independent, and advanced files) configured in the Support Files view, which are used only during the installation process.

If you select Yes, use the Include Patterns and Files and Exclude Patterns and Files settings to indicate which files should be signed.

Windows Logo Guideline:All executable files (including .exe, .dll, .ocx, .sys, .cpl, .drv, and .scr files) in an installation must be digitally signed for the Windows logo program.

Sign Files That Are Already Signed

Custom, CD-ROM, DVD, SingleImage, WebDeployment

If any of the files in your project are already digitally signed, determine whether you want InstallShield to replace those existing digital signatures with the digital signature that you specify on the Signing tab. Note that this affects only files that meet the requirements that are specified in the Include Patterns and Files setting and the Exclude Patterns and Files setting.

•

To use the digital signature information that you are providing on the Signing tab to sign a file instead of any existing digital signature information that is already included with the file, select Yes.

•

To leave the existing digital signature information intact for any files that are already signed, select No.

The default value is No.

Sign Files in Their Original Location

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Determine whether you want InstallShield to sign your original files or just the files that are built into the release:

•

If you want InstallShield to sign a temporary copy of each file and then use that signed temporary copy to build a release, select No. Note that if you select No, InstallShield will not modify or sign your original files.

•

If you want InstallShield to sign your original files, select Yes.

The default value is No.

Include Patterns and Files

Custom, CD-ROM, DVD, SingleImage, WebDeployment

To specify the files and file patterns that you want to be digitally signed at build time, do one of the following:

•

To select one or more file names or file patterns from a list of all of the static files that are currently in your project, as well as file patterns such as *.dll, click the ellipsis button (...) in this setting. The Browse for file dialog box opens, enabling you to select one or more patterns and files. When you are done selecting items, InstallShield adds one or more new Include settings under the Include Patterns and Files setting.

•

To type a file name or pattern manually, click the Add button in this setting. InstallShield adds a new Include setting under the Include Patterns and Files setting; use this new setting to specify the file name or pattern.

Include

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify the file or file pattern that you want to be digitally signed at build time. Note the following guidelines:

•

To indicate a wild-card character, use an asterisk (*).

For example, if you want to sign all .exe files, specify the following: *.exe

Using wild-card characters is especially helpful if you include dynamically linked files in your project and you want to sign all files that match a certain pattern.

•

Note that the files and file patterns that should not be signed override any files and file patterns that should be signed. For example, if you specify *.exe in an Include setting and in an Exclude setting, InstallShield does not sign any .exe files.

To delete the file or file pattern, click the Delete button in this setting.

To add another file or file pattern, use the Include Patterns and Files setting.

Exclude Patterns and Files

Custom, CD-ROM, DVD, SingleImage, WebDeployment

To specify the files and file patterns that you do not want to be digitally signed at build time, do one of the following:

•

To select one or more file names or file patterns from a list of all of the static files that are currently in your project, as well as file patterns such as *.dll, click the ellipsis button (...) in this setting. The Browse for file dialog box opens, enabling you to select one or more patterns and files. When you are done selecting items, InstallShield adds one or more new Exclude settings under the Exclude Patterns and Files setting.

•

To type a file name or pattern manually, click the Add button in this setting. InstallShield adds a new Exclude setting under the Exclude Patterns and Files setting; use this new setting to specify the file name or pattern.

Exclude

Custom, CD-ROM, DVD, SingleImage, WebDeployment

Specify the file or file pattern that you do not want to be digitally signed at build time. Note the following guidelines:

•

To indicate a wild-card character, use an asterisk (*).

For example, if you do not want to sign any .drv files, specify the following: *.drv

Using wild-card characters is especially helpful if you include dynamically linked files in your project and you want to avoid signing all files that match a certain pattern.

•

To delete the file or file pattern, click the Delete button in this setting.

To add another file or file pattern, use the Exclude Patterns and Files setting.