Signing .MSI files
Introduction
The Microsoft Authenticode* standard provides tools that help developers sign and verify .MSI applications. This article explains how to sign applications and verify the signature using a .pfx file, which is a certificate file in the PKCS12 standard format.
Before starting this tutorial, you MUST have a valid certificate file. If this has not been done, please take a look at this tutorial:
http://appdeveloper.intel.com/en-us/article/how-do-i-get-code-signing-ce...
System Requirements
- Windows XP or Windows 7
- Windows SDK (.NET framework 3.5 or 4.0 preferred)
Install SDK tools
You will require "Signtool" to sign your application with the code signing certificate and verify it. It is provided as a part of the Windows SDK. If you do not already have the SDK installed, you can get the latest version from the Microsoft website: http://msdn.microsoft.com/en-us/windows/bb980924
If you have a certificate in a different format, e.g., SPC/PVK, you will need additional tools to convert the certificate to .pfx format. The Authenticode-supported tools are listed, together with examples, at: http://msdn.microsoft.com/en-us/library/ms537364(v=vs.85).aspx
You can check for the installed tools in the path: c:\Program Files\Microsoft SDKs\Windows\v7.1\bin. Please note that the version number in the path depends on the .NET framework you have installed. For example, v7.1 is .NET framework 4, v6.0a is .NET framework 3.5, etc. Signtool is supported by .NET framework 2.0 and above.
Signing the application:
When you are ready to sign your application, from the Signtool install directory, issue the below command:
c:\Program Files\Microsoft SDKs\Windows\v7.1\bin>signtool sign /v /f Certificate_Path\Certificate.pfx /p Certificate_Password c:\MSI_Path\application.MSI
The output will be as shown in the image below:

Verifying the signed application:
Follow the below steps to verify the signature on the application:
- The Signtool command by default checks for Certificate Revocation Lists (CRLs) while verifying a signature. If you wish to disable CRL checks, issue the below command:
  c:\Program Files\Microsoft SDKs\Windows\v7.1\bin>setreg 3 FALSE
- Verify the signature with the below command:
  c:\Program Files\Microsoft SDKs\Windows\v7.1\bin>signtool verify /v /pa c:\MSI_Path\application.MSI

You will see that the developer certificate is chained to a root certificate of the issuing CA. The validity period on your development certificate can be seen in the “Expires:” field of the developer certificate, which in this case is 4/25/2012 4:59:59 PM.
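The sign and verify commands above, plus the timestamping step recommended in the comments below, as one PowerShell script. This is an added example, not code from the original article or from the Intel AppUp tooling. It assumes signtool.exe at the SDK path shown in the article, a .pfx file with its password, and the Comodo timestamp URL quoted in the comments. After signtool has run, the script also checks from PowerShell that the .msi actually carries a valid, timestamped signature made with the certificate from the .pfx, which catches the case reported in the comments where a tool printed "success" but left the file unchanged.

```powershell
# Added example: sign, timestamp and verify an .MSI with signtool.exe, then
# confirm independently that the signature is present, valid and timestamped.
# Usage (paths and password are placeholders):
#   .\Sign-Msi.ps1 -MsiPath C:\MSI_Path\application.MSI `
#                  -PfxPath C:\Certificate_Path\Certificate.pfx -PfxPassword 'Certificate_Password'
param(
    [Parameter(Mandatory = $true)] [string] $MsiPath,
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [Parameter(Mandatory = $true)] [string] $PfxPassword,   # signtool only takes the PFX password in clear text via /p
    [string] $SignTool     = 'C:\Program Files\Microsoft SDKs\Windows\v7.1\bin\signtool.exe',  # assumed SDK location
    [string] $TimestampUrl = 'http://timestamp.comodoca.com/authenticode'                       # assumed, from the comments
)

$ErrorActionPreference = 'Stop'

foreach ($p in $MsiPath, $PfxPath, $SignTool) {
    if (-not (Test-Path -LiteralPath $p)) { throw "File not found: $p" }
}

# Load the signing certificate from the .pfx so we can later check that the
# signature on the file was really made with this certificate.
$pfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

# 1. Sign. /v = verbose output, /f = PFX file, /p = PFX password.
& $SignTool sign /v /f $PfxPath /p $PfxPassword $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Timestamp, so the signature remains valid after the certificate expires.
& $SignTool timestamp /t $TimestampUrl $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool timestamp failed with exit code $LASTEXITCODE" }

# 3. Verify against the default Authenticode policy (/pa). CRL checking is
#    left at its default (enabled), so a revoked certificate fails here.
& $SignTool verify /v /pa $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. Independent check from PowerShell: the file must now carry a Valid
#    signature, made by our certificate, with a timestamp attached.
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $pfxCert.Thumbprint) {
    throw "File is signed, but not by the certificate in $PfxPath (signer thumbprint $($sig.SignerCertificate.Thumbprint))"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'Signature is valid but carries no timestamp; it will stop validating when the certificate expires.'
}

Write-Output "Signed by : $($sig.SignerCertificate.Subject)"
Write-Output "Expires   : $($sig.SignerCertificate.NotAfter)"
Write-Output "Timestamp : $($sig.TimeStamperCertificate.Subject)"
```

Get-AuthenticodeSignature returns the same chain information that `signtool verify /v` prints (the signer, its issuer and the "Expires" date shown above), so the final Write-Output lines are a scripted equivalent of reading that output by eye. If your build runs on the same machine repeatedly, keep the timestamp step: without it, every installer you have shipped stops verifying on the certificate's expiry date.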
Now that your application has been signed by an approved CA, you are ready to upload your signed application to the Intel AppUp(SM) developer program.
You can also view this video which demonstrates signing MSI files: http://appdeveloper.intel.com/en-us/video/signing-msi-file-video-tutorial
An app signing tool has also been released for MSI files: http://appdeveloper.intel.com/en-us/article/app-signing-tool-download
Comments
Hi Martin,
If you timestamp your application before the certificate expires, then your application will continue to show a valid signature, even after the certificate has expired. Currently, timestamping is not mandatory, but it is advisable to timestamp your application.
Hi Ramachandra,
To sign your MSI files, you can either use the manual method provided in this article or use the MSI signing tool to sign your application.
Thanks
Is there any alternative method for signing msi packages? Let me know soon.
Regards,
Rama Chandra,
Ravali Technologies.
Thank you for providing info on the manual code signing instructions.
Thank you, the manual code signing instructions were very useful to me, since the app signing tool (MSITool.exe) did not work.
MSITool.exe produced a success message, however the msi-file remained unchanged. I noticed this detail after my application was rejected (again) with a missing code signature error.
Manual signing from the command line did the trick.
Also, I am wondering how important timestamping is. To timestamp your msi enter:
c:\User\x>signtool timestamp /t http://timestamp.comodoca.com/authenticode app_Installer.msi