How to Sign WiX Installer, MSI

By / January 29, 2022

This article shows how to sign WiX Installer. 3 different ways are explained here step by step: Signing with Post-Build Event in Visual Studio, Signing by editing WiX Project file directly, or Signing by build tool MSBUILD.

Why Sign MSI, WiX Installer?

Signing installer is a usual practice especially when you provide the MSI through the browser. Browser checks if the MSI has a valid signature from a valid publisher. If the signature is not validated, the browser will complain by saying that the Installer does not have a trusted publisher.

Even without a browser, on installing MSI in stand-alone mode, the WiX Installer MSI is still preferred to have a valid digital signature that gives security integrity to users.

Sign with Post-Build Event Command Line

Signing can be done by adding a Command line to Post-Build Event in Visual Studio.

Signtool.exe utility is used to sign files, and it does come with Windows SDK. Locate signtool.exe that is used to sign a file with a certificate. In this example, I used the tool under C:\Program Files (x86)\Windows Kits\10\App Certification Kit.

You can enter the command line as below to the Post-build Event Command-Line. 

"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /f "D:\Certs\simple.pfx" /p "PFX-PASSWORD" /fd SHA256 /t http://timestamp.comodoca.com $(TargetPath)

If you open the Wix project file .wixproj, you can see this setting has also been added as PostBuildEvent under PropertyGroup.

  <PropertyGroup>
    <PostBuildEvent>"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /f "D:\Certs\simple.pfx" /p "PFX-PASSWORD" /fd SHA256 /t http://timestamp.comodoca.com $(TargetPath)</PostBuildEvent>
  </PropertyGroup>

Run:

Sign by editing WiX Project directly

MsiNTProductType gets Windows product types: 1 for Workstations, 2 for Domain Controllers, and 3 for Servers.

  <Target Name="AfterBuild">
      <Exec Command="%22C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe%22 sign /f %22D:\Certs\simple.pfx%22 /p %22PFX-PASSWORD%22 /fd SHA256 /t http://timestamp.comodoca.com $(TargetPath)" />
  </Target>

Run:

Sign Wix Installer MSI in MSBUILD

Similarly, a target can be defined separately by MSBuild instead of updating Wix Project.

<Project DefaultTargets="BuildWix_and_SignPackage" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

<Target Name="BuildWix_Sign">

<MSBuild Projects="D:\WixSample\Simple\Simple.wixproj" Properties="Configuration=Release" Targets="Build"/>

<Exec Command="%22C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe%22 sign /f %22D:\Certs\simple.pfx%22 /p %22PFX-PASSWORD%22 /fd SHA256 /t http://timestamp.comodoca.com %22D:\WixSample\Simple\bin\Release\Simple.msi" />
  
</Target>

</Project>

Run:

More articles you may be interested in:

Code Signing with PowerShell

How to update XML File during Install in WIX

How to add a Custom Dialog in Wix Installer

How to Create Wix Project in Visual Studio 2019

Leave a Comment