Signing installer MSIs with a code signing certificate prevents Windows from showing a big red “This application is untrusted!” warning when an installer is launched.
I recently had to set up code signing with a certificate we got from GoDaddy and it’s a little convoluted so I’ll document it here.
Creating and using a code signing certificate involves three passwords which we’ll call
Getting a Code Signing Certificate
We get our code signing certificates from GoDaddy.
Generating a Certificate Request
For this we’ll need our REQUEST_PASSWORD.
Following the instructions here we’ll end up with the files
The pfx file has our private key embedded in it. These files need to be submitted to GoDaddy.
When the request is processed, GoDaddy will send us certificate files. These are randomly named, something like:
Extract the Private Key from the Certificate Request
We need the private key in the certificate request as a
.key file. To do this we need to install OpenSSL. It can be installed as part of cygwin.
Generate the key via (where $ is the cygwin bash prompt):
$ openssl pkcs12 -in request.pfx -nocerts -out request.key.pem -nodes Enter Import Password: REQUEST_PASSWORD
The key will be in
Create a PVK File
Next we need to create a PVK file. For this we need
PS C:\tmp\ssl> .\pvk.exe -in .\request.key.pem -topvk -strong -out cert.key.pvk Enter Password: EXPORT_PASSWORD Verifying - Enter Password: EXPORT_PASSWORD
Combined the PVK and SPC into a PFX
Installers are signed with a PFX file which is a combination of the key and certificate. For this we need
pvk2pfx.exe -pvk cert.key.pvk -pi EXPORT_PASSWORD -spc SOMERANDOM-SHA2.spc -pfx codesign.pfx -po SIGNING_PASSWORD -f
codesign.pfx. This, along with SIGNING_PASSWORD is what we need to sign the MSI. When the code signing certificate expires we’ll need to repeat the steps above.
Signing the Installer
Once we have the PFX and the signing password, we can sign the installer. For this we need
The command to sign the installer is:
.\signtool.exe sign /f .\codesign.pfx /p SIGNING_PASSWORD /d "(some description)" /tr http://timestamp.digicert.com /v "PATH_TO_MSI"
There are other timeservers you can use.
It’s not clear where you get SPC file.
They come from the certificate vendor. “When the request is processed, GoDaddy will send us certificate files”.
Thank You so much for this tutorial!