When you download an installer from the internet you want to know two things: that it has not been tampered with since it was built, and that it really comes from the publisher it claims to be from. A digital signature on the installer gives you both, provided the signing key is held only by that publisher.
As a component vendor I want to sign my own installers so all users of Krypton can have confidence in the downloads. This is especially important with Vista as it shows the signing information, or the lack of it, at the slightest opportunity.
Software Publishers Credentials
In order to sign an installer you need a private key (extension .pvk) and a software publisher's certificate (extension .spc). The .pvk file is the secret part: anyone who obtains it, together with its password, can sign software in your name, so keep it off shared machines and out of source control. Obviously the signing system would not be very secure if just anybody could create their own software publisher's credentials with whatever company name they liked. So instead you need to get your credentials from an approved provider, a certificate authority (CA) that Windows already trusts, which will then perform some background checking. They check you really are the company you say you are and not just impersonating someone at Microsoft!
I used VeriSign to purchase my publisher credentials at a cost of $499.
I would recommend you start the process of getting your credentials before you need them as it can take a few days to work your way through the process. In my case I had to get a legal notary to sign a document proving I was the person I said I was. This is a reasonable precaution when dealing with a small one-man company; you might find the process quicker and easier if you work at a large corporation.
So once you have paid your money and proved your identity you end up with two files.
MyCompany.pvk
MyCompany.spc
Signing the Installer
If like me you are signing several installers and/or signing on a regular basis then you will want to automate it as part of your build process. In this case you want to use the SignTool utility to perform the actual signing of the installer .msi file. But you cannot provide your two files as parameters directly: SignTool's /f option takes a Personal Information Exchange file (extension .pfx), which bundles the certificate and private key in one password-protected file. (SignTool can also sign with a certificate already installed in the Windows certificate store, but for a build script the .pfx route is the simplest.) As luck would have it there is a utility called pvk2pfx that takes our two input files and outputs a .pfx file. Note that if you do not give pvk2pfx a separate -po password for the .pfx, it protects the .pfx with the same password as the .pvk, which is why the same password is used in both commands below.
So to sign your installer you need to perform the following two commands (the quotes must be plain ASCII double quotes; curly quotes pasted from a web page will not be understood by the shell):-

Pvk2pfx -f -pi "password" -pvk "MyCompany.pvk" -spc "MyCompany.spc" -pfx "MyCompany.pfx"

Signtool sign /v /p "password" /f "MyCompany.pfx" /d "Product Description" /du "http://www.myCompany.com" /t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyInstaller.msi"

The /v switch only turns on verbose output; the installer filename is a separate, final argument and is not a value for /v. The /t option asks a timestamp server to countersign the signature with the current time. Without a timestamp the signature stops being treated as valid once your certificate expires, so anything you shipped would start showing warnings a year or two later; with one, the signature stays valid as long as the certificate was valid at the time of signing.
In practice I put these into a batch file and then just pass the batch file the password, product description and installer filename. All the other parameters remain constant.
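The following batch file is an added example of that approach, written for this page rather than taken from the original post or from the Krypton build. It assumes MyCompany.pvk and MyCompany.spc sit next to the script, that pvk2pfx.exe and signtool.exe are on the PATH, and that the publisher URL and timestamp server are the ones used above; the script name and variable names are invented. It converts the credentials once, signs the installer, and then verifies the result against the default Authenticode policy so a bad signature fails the build instead of being discovered by a user.

```batch
@echo off
setlocal
rem sign-installer.cmd (hypothetical name): added example, not the original post's batch file.
rem Usage: sign-installer.cmd password "Product Description" MyInstaller.msi
rem Assumes MyCompany.pvk / MyCompany.spc are beside this script and that
rem pvk2pfx.exe and signtool.exe (Windows SDK) are on the PATH.

if "%~3"=="" (
    echo Usage: %~nx0 password "product description" installer.msi
    exit /b 1
)

set "PASSWORD=%~1"
set "DESCRIPTION=%~2"
set "INSTALLER=%~3"
set "CERTDIR=%~dp0"
set "PFX=%CERTDIR%MyCompany.pfx"
set "PUBLISHER_URL=http://www.myCompany.com"
set "TIMESTAMP_URL=http://timestamp.verisign.com/scripts/timstamp.dll"

if not exist "%INSTALLER%" (
    echo Installer not found: "%INSTALLER%"
    exit /b 1
)

rem Step 1: build the .pfx once. -pi is the .pvk password; with no -po given,
rem pvk2pfx protects the .pfx with the same password, which signtool /p expects below.
if not exist "%PFX%" (
    pvk2pfx -f -pi "%PASSWORD%" -pvk "%CERTDIR%MyCompany.pvk" -spc "%CERTDIR%MyCompany.spc" -pfx "%PFX%"
    if errorlevel 1 (
        echo pvk2pfx failed
        exit /b 1
    )
)

rem Step 2: sign. /t timestamps the signature so it remains valid after the
rem certificate itself expires.
signtool sign /v /f "%PFX%" /p "%PASSWORD%" /d "%DESCRIPTION%" /du "%PUBLISHER_URL%" /t "%TIMESTAMP_URL%" "%INSTALLER%"
if errorlevel 1 (
    echo signtool sign failed
    exit /b 1
)

rem Step 3: verify with the default Authenticode policy (/pa), the same chain check
rem Windows performs when the installer is run. Fail the build on any problem.
signtool verify /pa /v "%INSTALLER%"
if errorlevel 1 (
    echo signature verification failed
    exit /b 1
)

echo Signed and verified: "%INSTALLER%"
endlocal
exit /b 0
```

Two practical notes. The password appears on the command line, so it is visible in the build log and to anyone who can list processes on the build machine; on a shared build server take it from a protected variable rather than typing it into the job definition. And the /t style timestamp shown on this page is the older Authenticode format; current versions of SignTool also accept an RFC 3161 server via /tr together with /td SHA256 and /fd SHA256 for the file digest, which is what newer versions of Windows expect, so check what your timestamp provider supports before copying the URL above into a new build.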
Now when the user downloads and then tries to run the installer, the warning dialog shows the publisher name taken from the certificate instead of reporting an unknown publisher.

You can examine the certificate information in more detail by right clicking the installer, choosing Properties and looking at the Digital Signatures tab, which also shows the timestamp and lets you walk the certificate chain back to the CA.
