How to Digitally Sign an MSI Package, MSI File, or Installer?

Digitally Sign MSI File, Package and Installers

What is an MSI?

An MSI (Windows Installer) is a file format and package type developed by Microsoft Windows for the management of software installation, maintenance and removal processes.

It has a .zip extension that contains all the needed files, resources, and metadata for the deployment on the Windows system. MSI files usually are used for including program executable files, libraries, settings, registry entries, and any other items used for the installation process.

They are engineered with the intention of creating a streamlined and unified procedure of installing applications for users which includes standardization and uniformity.

Steps to Digitally Sign an MSI Package, File, or Installer

Below are the steps to digitally sign an MSI Package, File or Installer:

Step 1: Obtain a Code Signing Certificate

A Code Signing Certificate is used for verifying the identity of the publisher and also ensures no alterations have been made to the initial file.

You can acquire a certificate from an authority or a trusted certificate provider, which can be DigiCert, Certera, Sectigo, or Comodo. These caterers provide different quotations, and you can select the one that is suitable for you.

Recommended: Buy Cheap Code Signing Certificate Starts at Just $199.99/Yr!

For testing and your use, you can use a self-signed certificate if you want. This certificate would be produced utilizing tools like PowerShell or OpenSSL for example.

And that apart if your self-signed certificate is not trusted by default on most systems, then you will have to install and trust it manually.

Step 2: Install the Certificate

Install the code signing certificate on your computer. This may involve importing the certificate into the Windows certificate store or installing the certificate on a USB token.

Step 3: Prepare Your MSI File

 Make a test of your MSI installer package to be able to be signed. The package comes up next, ensuring the stacking is executed properly and the tests are run through before the packaging.

Step 4: Use SignTool to Sign the MSI File

  • Open CMD with administrative privilege by clicking on the Start button and selecting Run.
  • Execute the `signing-tool` command to sign the MSI file with the private key of a developer certificate. Example command:
signtool sign /tr http://timestamp.digicert.com /td SHA256 /a "C:\Path\To\YourInstaller.msi"

– `/tr`: Demonstrate a timestamp server’s address which is utilized for timestamps.

– `/td`: First, locate the encryption hitch (SHA256 for this seed).

– `/fd`: Choose a procedure for computing the files’ SHA256 signature.

– `/a`: The system can in turn select the most suitable one, if there is any such choice from the list.

Step 5: Enter Certificate Password

When you are prompted, enter the passphrase related to the code signing certificate to your Authentication Services Client Password, such as SafeNet or another. It is an absolutely necessary part of signing because you need it to use the certificate and get access.

Step 6: Verification of the Signature

– To verify the signature, you can use the command in cmd.

signtool verify /pa “c:\filepath\Myinstaller.msi”

– This command is going to prove if the signature is valid, and it’s also going to show the info about the certificate that was used for signing the archive.

Step 7: Confirmation of Signature Validity

The next step is to carry out the validation after which a pop-up window shows up on the screen and confirms the existence of the signature. This means that the MSI file has been successfully filed to the case signing certificate.

You digitally sign your MSIs, installers, packages and files either way – through code signing technology certificates to guarantee their authenticity and integrity during installs.

This way, the process for verifying that software comes from a verified source needs to be established to gain user’s trust and their systems.

Conclusion

Now you can rest assured that all your MSI installers, packages, and files will be digitally signed with a trusted certificate with no interruptions.

With our provided guidelines and professional support, you can make sure that your software is from a verified source, which makes your customers trust in you and in the security of their system.

DigiCert EV Code Signing
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.