I have an application consisting of an .exe and a .dll, which are packaged in a setup.exe that's built with InstallShield Limited Edition in Visual Studio. I want to distribute the application on the Internet, and am trying to understand what I need to do in terms of code signing to avoid warning messages from Windows at download and install time. Although VS provides the ability to sign files, would it be preferable to buy a digital certificate from a CA such as DigiCert, Comodo, Symantec, etc.? Do I just need to sign the setup.exe and not the 2 .NET assemblies? Because I notice that once the install is complete, the application itself runs without warnings (in Windows 8.1 anyway) -- or is the OS and/or browser smart enough to look inside the setup.exe file at the assemblies at download or install time?
There is never any point in not signing your executable once you bought the certificate. Because it might not run if the [admin is cautious](https://technet.microsoft.com/en-us/library/Dd723683%28v=WS.10%29.aspx). Do keep in mind that just about nobody trusts executable files downloaded from the Internet anymore. The certificate means beans today, Windows' SmartScreen feature ignores it. App stores are the future. – Hans Passant Aug 14 '15 at 14:57
1 Answer
You have two questions here.
Although VS provides the ability to sign files, would it be preferable to buy a digital certificate from a CA such as DigiCert, Comodo, Symantec, etc.?
For you not to get a warning message, the certificate you use to sign your program must be trusted by the target computer. The two ways to do this are to be in a controlled environment (like an Active Directory Domain) where you can push out the certificate for the "private CA" you used in VS to sign your app, or to use a certificate that you know the target computer will already trust, like one from DigiCert, Comodo, Symantec, etc. If you are putting your installer on the internet you will need to pay for a code signing certificate.
Do I just need to sign the setup.exe and not the 2 .NET assemblies?
The OS/browser will not "peek inside" the installer; only the installer itself needs to be signed. However, the steps to set that up will also sign the files inside the setup anyway.
Instructions from InstallShield's website for signing files for InstallShield 2012 Express Edition:
To configure digital signing for your release and its files:
- In the View List under Prepare for Release, click Releases.
- In the Builds explorer, click the release that you want to sign.
- Click the Signing tab.
- Configure the following settings as appropriate:
  - Certificate URL
  - Digital Certificate File
  - Private Key File—Note that if you specify a .pfx file, you do not also need to specify a .pvk file.
  - Certificate Password
- In the Sign Output Files setting, specify which files (Setup.exe, the .msi package, both of those files, or neither of those files) you want to be signed.
- In the Sign Files in Package setting, specify whether you want to sign additional files in your installation. If you select Yes, use the other settings under the Sign Files in Package setting to indicate which files and file patterns should be signed and which should not be signed. Note that the files and file patterns that should not be signed override any files and file patterns that should be signed. For example, if you specify *.exe in an Include setting and in an Exclude setting, InstallShield does not sign any .exe files.
These instructions are for the Express Edition, not the Limited Edition. I found this Code Project page for something called "UltraDynamo" which shows the Limited Edition has a similar Signing tab screen.
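The two points in the answer (the signer must chain to a root the target machine trusts, and the assemblies inside the package should be signed as well as the installer) can be checked from the command line. The script below is an added example, not code from the question, the answer or InstallShield: it signs the two assemblies and the installer with `Set-AuthenticodeSignature`, then runs `Get-AuthenticodeSignature` over each file the way a cautious administrator would on the receiving end. The file paths, the certificate store location and the timestamp server URL are placeholders to replace with your own.

```powershell
# Added example (not from the question, the answer or InstallShield).
# Assumptions: the code-signing certificate is installed in the
# CurrentUser\My store; paths and the timestamp URL are placeholders.

$assemblies = @(
    'C:\build\Release\MyApp.exe',        # placeholder path
    'C:\build\Release\MyApp.Core.dll'    # placeholder path
)
$installer = 'C:\build\Release\setup.exe' # placeholder path
$tsa       = 'http://timestamp.example/tsa'  # placeholder timestamp server

# Select the first certificate in the personal store that has the
# Code Signing EKU; a VS-generated test certificate would also match,
# but it will not be trusted outside a domain that deployed its CA.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate in Cert:\CurrentUser\My' }

function Sign-File([string]$Path) {
    # SHA-256 digest plus an RFC 3161 timestamp, so the signature stays
    # valid after the certificate itself expires.
    $r = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
         -HashAlgorithm SHA256 -TimestampServer $tsa
    '{0,-12} {1}' -f $r.Status, $Path
}

# Step 1: sign the assemblies BEFORE InstallShield builds setup.exe, so the
# copies packaged inside the installer already carry their signatures
# (this is the CLI equivalent of the "Sign Files in Package" setting).
$assemblies | ForEach-Object { Sign-File $_ }

# ... run the InstallShield build here ...

# Step 2: sign the produced installer last ("Sign Output Files").
Sign-File $installer

# Verification, as the target machine sees it. Status is 'Valid' only when
# the file is signed AND the signer chains to a trusted root; a self-signed
# test certificate typically reports UnknownError/NotTrusted with a
# "not trusted by the trust provider" message, and an unsigned file
# reports NotSigned.
foreach ($f in ($assemblies + $installer)) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        File    = Split-Path $f -Leaf
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Message = $sig.StatusMessage
    }
}
```

Running only the verification loop on a clean test machine (one without your private CA installed) is the quickest way to see the difference the answer describes between a VS test certificate and one issued by a public CA: the same signed file reports a trusted chain in one place and an untrusted one in the other.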