
A Step-by-Step Guide to Sign Digitally MSI Package, File, or Installer

by | Code Signing

Digitally Sign an MSI Package, File, or Installer

Step-by-Step Guide to Digitally Signing MSI Package and Installers

Digitally signing Windows Installer packages (MSI files) enables users to verify the integrity of the software and the authenticity of its publisher. Digital signatures allow users to be confident that the software they are installing has not been altered or corrupted since it was published. Signing MSI packages is important for software publishers who want to build trust with users. Signed installers help prevent malicious tampering and give users confidence in running your software.

Key Takeaways

  • Digitally signing MSI files allows users to verify the software is from a legitimate publisher and has not been tampered with.
  • Code signing certificates from trusted certificate authorities like DigiCert allow your signatures to be validated.
  • SignTool and the WiX Toolset enable automation of the signing process during builds.
  • Signature verification can be done via file properties, Event Viewer, and the SIGVERIF tool.
  • Troubleshoot invalid or missing signatures by checking for expiration, timestamp server issues, etc.

What are the Benefits of Digitally Signing MSI Packages

Here are some key benefits of digitally signing MSI packages:

Authentication of Publisher

Digital signatures allow users to verify that the MSI file is indeed published by your organization and not an impersonator. They prove your software’s authenticity.

Integrity Verification

Signatures also allow users to validate that the MSI file has not been corrupted or tampered with after you published it. The signature will become invalid if the file is altered.

Improved Reputation and Trust

Signing your installers indicates you care about your users’ security and builds trust. It improves your reputation as a professional software vendor.

Reduced Warning Prompts

Unsigned MSI files often produce warnings on modern Windows versions. Signing can help avoid scary warnings and improve user experience.

Compliance with Regulations

Some industry regulations require software to be digitally signed and validated before installation. Signing can help meet compliance needs.

Differentiation from Competition

Many smaller software vendors need to sign their MSI packages. Signing your installer can differentiate your professional, security-focused brand.

Blocking of Malware Installs

Signatures can help prevent trojaned installers from installing malware while pretending to be your software.

How Digital Signatures Work with MSI Packages

To understand how to sign MSI files, you first need to understand how digital signatures work at a high level.

Here is a quick overview of the digital signature process:

Obtain a Code Signing Certificate

First, you need to obtain a certificate from a trusted Certificate Authority like DigiCert or Sectigo. This validates your identity as the publisher.

Create a Signature Hash

A cryptographic hash of your file is generated using the SHA-256 hash algorithm. This produces a unique string representing your file’s contents.

Encrypt the Hash with Private Key

The hash is encrypted with the private key from your code signing certificate. Only the matching public key can decrypt the hash string.

Append Signature to File

The encrypted hash string is appended to the end of the MSI file or embedded within it, completing the signature.

Users Verify with Public Key

Users decrypt your signature hash with the public key (available freely) and compare it to a freshly calculated hash of the MSI file contents. If they match, the integrity is verified.

This allows users to validate that the file’s contents match what was originally signed by your private key, proving authenticity.
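The sign-and-verify flow described above, as an added PowerShell illustration that is not part of the original guide. It uses .NET's RSA classes with an in-memory key pair and constructed sample bytes standing in for an MSI; `Test-SampleSignature` is a hypothetical helper name.

```powershell
# Added illustration: hash, sign with the private key, verify with the public key.
# The key pair is generated in memory and the "installer" bytes are constructed sample data.
$sha256  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function Test-SampleSignature {
    param(
        [byte[]] $Content,
        [byte[]] $Signature,
        [System.Security.Cryptography.RSA] $PublicKey
    )
    # VerifyData re-hashes $Content with SHA-256 and compares it to the signed hash.
    return $PublicKey.VerifyData($Content, $Signature, $sha256, $padding)
}

# Publisher side: holds the private key (stands in for the code signing certificate's key).
$publisherKey = [System.Security.Cryptography.RSA]::Create(2048)
$installer    = [System.Text.Encoding]::UTF8.GetBytes('constructed sample installer contents')
$digest       = [System.Security.Cryptography.SHA256]::Create().ComputeHash($installer)
$signature    = $publisherKey.SignData($installer, $sha256, $padding)

# User side: receives only the public half of the key.
$verifier = [System.Security.Cryptography.RSA]::Create()
$verifier.ImportParameters($publisherKey.ExportParameters($false))

# Simulate tampering after publication by flipping one bit of the file.
$tampered    = [byte[]] $installer.Clone()
$tampered[0] = $tampered[0] -bxor 0x01

[pscustomobject]@{
    Sha256Digest  = [System.BitConverter]::ToString($digest) -replace '-', ''
    OriginalValid = Test-SampleSignature $installer $signature $verifier
    TamperedValid = Test-SampleSignature $tampered  $signature $verifier
}
```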

How to Obtain a Code Signing Certificate

To digitally sign your MSI packages, you will need a code signing certificate from a trusted Certificate Authority (CA).

Here are some tips on obtaining one:

Choose a Reputable CA

Stick with major providers like DigiCert, Sectigo, GlobalSign, etc. Windows trusts certificates from mainstream CAs by default.

Pick Code Signing over SSL Certificates

You need a code signing certificate, not a standard SSL/TLS web server certificate. Make sure you are buying the right product.

Validate Your Identity

The CA will validate your identity and your company’s existence to issue a certificate. Be prepared to demonstrate you are an official representative of your software company.

Request the Right Certificate Type

For MSI signing, you likely need an organization validation (OV) code signing cert valid for software publishing.

Manage Private Keys Properly

The private key is critical for signing. Follow the CA’s instructions to securely generate, store, and use the private key associated with the certificate.

Renew Before Expiration

Code signing certificates expire after 1-3 years. To avoid signature issues, make sure you have a process for renewing the code signing certificate before it expires.

Following the CA’s process to obtain a trusted, valid code signing certificate tailored for MSI signing ensures your digital signatures will validate properly.

How to Use SignTool to Sign MSI Packages

Microsoft’s SignTool is the standard utility used to digitally sign MSI files on the Windows platform.

Here is an overview of using SignTool to sign your MSI packages:

Acquire SignTool

SignTool is part of the free Windows SDK. Download and install the SDK on the build machine where you will sign your MSIs.

Create Signing Configuration File

Create a SignTool configuration file containing details like the certificate’s path and your desired digest algorithm.

Example:

/s My
/n "My Company Name"
/fd sha256
/tr http://timestamp.digicert.com
/td sha256

Run SignTool Command

Use the signtool sign command to sign your MSI file with the certificate and configuration details.

Example:

signtool sign /s My /n "My Company Name" /fd sha256 /tr http://timestamp.digicert.com /td sha256 MyInstaller.msi

This will produce a signed MyInstaller.msi file ready for distribution.

Automate in Build Process

Add the SignTool steps to your build scripts to automate MSI signing on each new build. This ensures each shipped MSI is properly signed.

With a proper SignTool configuration, you can streamline MSI signing into your packaging process for simple, automated digital signatures.

How to Use WiX Tools to Sign MSI Packages

WiX is a popular MSI authoring toolset. WiX also provides integrated capabilities for digitally signing MSI packages.

Here is an overview:

Install WiX Toolset

Download and install the WiX Toolset on your build machines. The WiX Toolkit Visual Studio plugin can help with integration.

Add Certificate Tag

In your WiX source code, add a <DigitalCertificate> tag pointing to your PFX certificate file to reference the signing certificate:

<DigitalCertificate SourceFile="MyCert.pfx" />

Pass Password to Light

When building the MSI using the Light tool, pass the PFX password via the CertPassword parameter:

Light.exe -out MyInstaller.msi -CertPassword mypassword source.wixobj

Sign MSI After Building

By default, WiX will produce an unsigned MSI. To sign it, pass the MSI back into Light using the MsiPackage element:

<MsiPackage SourceFile="MyInstaller.msi" DigitalCertificateDataFile="MyCert.pfx" DigitalCertificatePassword="mypassword" />

Now, your MSI will be signed automatically as part of the WiX build process.

WiX provides configurable MSI signing options natively within your WiX projects for streamlined build integration.

How to Integrate Signing into the Build Process

To get the full benefits of signed MSIs, you need to integrate the digital signature process into your installer-build scripts and workflows.

Here are some best practices:

Sign MSI After the Build

Add a post-build step to sign the MSI package right after it has been compiled or built. Avoid manually signing later.

Use the Same Certificate Everywhere

Ensure all your build/package servers utilize the same signing certificate to create consistent signatures.

Automate Validation Checks

Add logic to automatically verify that the signed MSI file contains a valid signature after signing completes. Fail the build if the checks do not pass.

Isolate Signing Machine

To limit access to the signing key and reduce its attack surface, perform the signing step on a dedicated, isolated build machine.

Back Up Certificate

Ensure you have adequate backups of the signing certificate’s private key in case you need to recover or recreate it on a new signing system.

Time Stamp MSI Signatures

Configure SignTool or your signing utility to add trusted timestamps from servers like DigiCert to signatures. This helps ensure validity even after certificate expiration.

Monitor Expiration Dates

Put calendar reminders in place to replace the signing certificate before it reaches expiration to avoid runtime errors.

Sign Uninstallers Too

For better security, also digitally sign any generated uninstallers associated with your signed MSI packages.

Provide Signature Verification

Distribute public keys or verification tools to help customers validate your MSI signatures themselves before installation.

Log All Signing Operations

Keep detailed logs of all signing and verification operations, including generated certificate hashes, and maintain these logs for auditing.

Carefully integrating signing into your end-to-end build and release management procedures ensures consistent security for your published MSI packages.

How to Verify a Digitally Signed MSI Package

Once you have signed an MSI package, it is important to validate the signature before distribution. Here are some ways to verify signed MSI files:

Check File Properties

In File Explorer, right-click the MSI file and go to Properties > Digital Signatures. Verify details like the certificate issuer and valid timestamping.

Use SignTool

The signtool verify command can programmatically verify that a file’s signature matches expectations. This is useful in build scripts.

Look in Event Viewer

When installed, signed MSI files log verification details into Windows Event Viewer under “Windows Logs > Application.” Check for errors here.

Use SIGVERIF Tool

Microsoft’s free SigVerif GUI tool can open MSI files and display signature verification status in detail. Useful for debugging.

Install and Check Prompts

Attempt a test installation of the signed MSI on a clean VM. Watch for any signature-related errors or prompts during installation.

Scan with Antivirus Tools

Many antivirus products like Windows Defender can also validate third-party digital signatures on MSI files during scans.

Following these best practices helps confirm your signed MSIs’ authenticity and integrity are truly validated before release. Don’t skip verification!
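One way to implement the automated validation check from the build-integration section and the scripted verification described above, as an added PowerShell example (not the guide's own code) built on the Get-AuthenticodeSignature cmdlet. `Test-MsiSignature`, the 60-day renewal window, and signing-audit.log are assumptions; MyInstaller.msi and "My Company Name" are the guide's sample values.

```powershell
# Added example: post-signing gate for a build script (not from the original guide).
# Test-MsiSignature, the 60-day window and signing-audit.log are illustrative assumptions.
function Test-MsiSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [int] $RenewalWarningDays = 60
    )
    # Validates the embedded signature against the local trust stores.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
    $cert = $sig.SignerCertificate
    $problems = @()

    if ($sig.Status -ne 'Valid') {
        $problems += "Status $($sig.Status): $($sig.StatusMessage)"
    }
    if ($cert) {
        # Confirm the file was signed by the expected publisher, not just by anyone.
        $publisher = $cert.GetNameInfo('SimpleName', $false)
        if ($publisher -ne $ExpectedPublisher) {
            $problems += "Signed by '$publisher', expected '$ExpectedPublisher'"
        }
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt $RenewalWarningDays) {
            Write-Warning "Signing certificate expires in $daysLeft days; plan the renewal."
        }
    }
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'No timestamp: the signature will not outlive the certificate.'
    }
    [pscustomobject]@{
        Path        = $Path
        Status      = "$($sig.Status)"
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped = [bool] $sig.TimeStamperCertificate
        Problems    = $problems
        CheckedAt   = (Get-Date).ToString('o')
    }
}

$result = Test-MsiSignature -Path '.\MyInstaller.msi' -ExpectedPublisher 'My Company Name'
# Keep an audit record of every verification, including the certificate thumbprint.
$result | ConvertTo-Json -Compress | Add-Content -Path '.\signing-audit.log'
if ($result.Problems.Count -gt 0) {
    $result.Problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1   # fail the build
}
```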

Troubleshooting Issues with Digitally Signed MSI Packages

Despite best efforts, you may occasionally run into issues with invalid or missing digital signatures on some MSI packages.

Here is how to troubleshoot:

Check for Certificate Expiration

Expired certificates will invalidate existing signatures. Re-sign the MSI with a valid certificate or renew certificates before they expire.

Verify Certificate Trust Chain

Ensure the certificate authority chain is intact and trusted by checking certificate properties. Reset trust stores if needed.

Confirm Certificate Private Key

If re-signing fails, ensure the original private key that matches the public certificate is being used and has not been changed.

Look for Modified Installer

If users report signature verification failures, examine if the signed MSI file has been corrupted or modified since signing.

Retry Timestamping

Try re-signing with a different, valid timestamp server URL to rule out timestamp response issues.

Reinstall Signing Utilities

Corrupted SignTool installations or outdated WiX Toolset versions can cause signing failures. Reinstall a fresh copy.

Check Signing User Permissions

Any permission issues restricting access to certificates or MSI files during signing can lead to missing signatures.

Double-check fundamentals like certificate validity, trusted CAs, and file integrity to resolve reported signature issues on your digitally signed MSI packages.

Final Words

Digitally signing your MSI packages using certificates, SignTool, and timestamping allows users to trust your software by verifying authenticity and integrity.

Integrating signing into your build process, automating verification checks, and renewing expiring certificates help ensure a seamless process for signed MSI distribution.

Following the best practices in this guide will help you successfully implement a code signing process for reliable security on your Windows Installer packages. Digitally signed MSIs build user trust in your software!

Frequently Asked Questions (FAQ) About Signing MSI Files

Here are answers to some common questions users have about digitally signing Windows Installer packages:

Do I need an EV or OV code signing certificate for MSI signing?

Most experts recommend an Organization Validation (OV) code signing certificate for signing MSI files. Extended Validation (EV) is not required.

What is the hash algorithm I should use to sign MSI packages?

Microsoft recommends the SHA-256 hash algorithm for signing MSI files rather than older algorithms like SHA-1.

How much do code signing certificates cost for MSI signing?

Code signing certificates typically cost $100 – $300 per year from most major certificate authorities. Look for discounts.

Can I sign an MSI file after it has been built?

Yes, you can sign an MSI file using SignTool after it has already been compiled. However, it’s best to integrate signing into your build process.

Does signing an MSI with WiX also time stamp the signature?

No, WiX does not timestamp signatures by default. You need to explicitly configure SignTool or your signing utility to add a trusted timestamp when signing.

What timestamp servers can I use for MSI signing?

Public timestamp authorities like https://freetsa.org provide free timestamp services for code signing.

How can I automate the verification of MSI package signatures?

Use the SignTool verify command in scripts or follow the MSI SDK to verify signatures on digitally signed MSI files programmatically.

Do I need to re-sign installer updates with the same certificate?

Yes, new versions of your installer should always be re-signed with the original certificate; otherwise, users may see verification warnings.

Priya Mervana


Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.