Digitally Signing a Release and Its Files at Build Time

InstallShield 2024 Express Edition

InstallShield lets you configure digital signing settings for a release. At build time, InstallShield uses the settings that you have configured to sign your installation package, your Setup.exe file, and any other files in your release that meet the criteria that you have defined.

To configure digital signing for your release and its files:

In the View List under Prepare for Release, click Releases.

In the Builds explorer, click the release that you want to sign.

Click the Signing tab.

Configure the following settings as appropriate:

•

Signing Type—Specify the method to digitally sign the build-generated files. Selecting the Custom option enables the Path and Arguments settings.

•

Path—Specify the sign tool's location to use that sign tool. To specify sign tool's location, click the ellipsis button (...) in this setting.

•

Arguments—Specify the argument for a sign tool’s configuration.

•

Certificate URL—Type a fully qualified URL—for example, http://www.mydomain.com. This URL is used in your digital signature to link to a site that you would like end users to visit to learn more about your product, organization, or company.

•

Digital Certificate File—Click the ellipsis button (...) in this setting. The Certificate Selection dialog box opens, enabling you to specify either the location of the .pfx file, certificate file (EV exported .cer file), or information about the certificate store that contains the certificate.

•

Certificate Password—Note that if you configure your project to use a certificate that was imported with password protection into a store, Windows prompts for the password at build time when InstallShield is attempting to sign your project’s files. The strong key protection that Windows uses does not permit InstallShield to provide the password to the cryptographic provider.

•

Sign Output Files—Specify which files (Setup.exe, the .msi package, both of those files, or neither of those files) you want to be signed.

•

Use 64-Bit Signing—Specify whether you want to use the 64-bit signing framework to digitally sign your package.

•

Signature Description—Specify the signature description that you want to use for files that are specified in the Sign Output Files setting.

•

Sign Files in Package—Specify whether you want to digitally sign all additional files, including InstallShield support files (English, language-independent, and advanced files) configured in the Support Files view, which are used only during the installation process.

If you select Yes, use the other settings under the Sign Files in Package setting to indicate which files and file patterns should be signed and which should not be signed.

Note:Files and file patterns that should not be signed override any files and file patterns that should be signed. For example, if you specify *.exe in an Include setting and in an Exclude setting, InstallShield does not sign any .exe files.

Tip:For detailed information about any of the settings on the Signing tab, see Signing Tab.

At build time, InstallShield signs the files as specified on the Signing tab. If the release is for an installation that includes merge modules, note that the files are signed before the merge module is merged.