This article shows how to sign a WiX installer. Three ways are explained step by step: signing with a Post-build Event in Visual Studio, signing by editing the WiX project file directly, and signing with the MSBuild build tool.
Why Sign MSI, WiX Installer?
Signing an installer is common practice, especially when you distribute the MSI through a browser. The browser checks whether the MSI carries a valid signature from a valid publisher. If the signature cannot be validated, the browser complains that the installer does not have a trusted publisher.
Even without a browser, when the MSI is installed in stand-alone mode, it is still preferable for the WiX installer MSI to carry a valid digital signature, which gives users assurance of its integrity.
Sign with Post-Build Event Command Line
Signing can be done by adding a command line to the Post-build Event in Visual Studio.
The signtool.exe utility signs a file with a certificate, and it comes with the Windows SDK. Locate signtool.exe on your machine. In this example, I used the tool under C:\Program Files (x86)\Windows Kits\10\App Certification Kit.
Enter the command line below as the Post-build Event command line.
"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /f "D:\Certs\simple.pfx" /p "PFX-PASSWORD" /fd SHA256 /t http://timestamp.comodoca.com "$(TargetPath)"
If you open the WiX project file (.wixproj), you can see that this setting has also been added as PostBuildEvent under PropertyGroup.
<PropertyGroup>
  <PostBuildEvent>"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /f "D:\Certs\simple.pfx" /p "PFX-PASSWORD" /fd SHA256 /t http://timestamp.comodoca.com "$(TargetPath)"</PostBuildEvent>
</PropertyGroup>
Sign by editing WiX Project directly
MsiNTProductType gets Windows product types: 1 for Workstations, 2 for Domain Controllers, and 3 for Servers.
<Target Name="AfterBuild">
  <!-- %22 is an escaped double quote; the target path is quoted so that paths containing spaces still work -->
  <Exec Command="%22C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe%22 sign /f %22D:\Certs\simple.pfx%22 /p %22PFX-PASSWORD%22 /fd SHA256 /t http://timestamp.comodoca.com %22$(TargetPath)%22" />
</Target>
Sign WiX Installer MSI in MSBuild
Similarly, the target can be defined in a separate MSBuild project file instead of updating the WiX project.
<Project DefaultTargets="BuildWix_Sign" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="BuildWix_Sign">
    <!-- Build the WiX project in Release configuration -->
    <MSBuild Projects="D:\WixSample\Simple\Simple.wixproj" Properties="Configuration=Release" Targets="Build"/>
    <!-- Sign the resulting MSI; %22 is an escaped double quote -->
    <Exec Command="%22C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe%22 sign /f %22D:\Certs\simple.pfx%22 /p %22PFX-PASSWORD%22 /fd SHA256 /t http://timestamp.comodoca.com %22D:\WixSample\Simple\bin\Release\Simple.msi%22" />
  </Target>
</Project>
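A variant of the separate MSBuild project above that takes the PFX password from outside the file and verifies the signature after signing, as an added example that is not part of the original article. The property names SignTool, PfxFile, MsiFile and PfxPassword are assumptions; the paths and timestamp URL are the article's own.

```xml
<Project DefaultTargets="BuildWix_Sign" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <!-- Paths taken from the article's examples; property names are assumed -->
    <SignTool>C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe</SignTool>
    <PfxFile>D:\Certs\simple.pfx</PfxFile>
    <MsiFile>D:\WixSample\Simple\bin\Release\Simple.msi</MsiFile>
    <!-- PfxPassword (assumed name) is deliberately not defined here. Supply it with
         msbuild /p:PfxPassword=... or as an environment variable of the same name,
         which MSBuild exposes as a property. -->
  </PropertyGroup>

  <Target Name="BuildWix_Sign">
    <!-- Stop early instead of running signtool with a missing password or certificate -->
    <Error Condition="'$(PfxPassword)' == ''" Text="PfxPassword is not set; refusing to sign." />
    <Error Condition="!Exists('$(PfxFile)')" Text="Certificate file $(PfxFile) not found." />

    <MSBuild Projects="D:\WixSample\Simple\Simple.wixproj" Properties="Configuration=Release" Targets="Build" />

    <!-- Sign; EchoOff stops Exec from writing the expanded command (with the password) to the build log -->
    <Exec EchoOff="true"
          Command="%22$(SignTool)%22 sign /f %22$(PfxFile)%22 /p %22$(PfxPassword)%22 /fd SHA256 /t http://timestamp.comodoca.com %22$(MsiFile)%22" />

    <!-- Verify with the default Authenticode policy; a non-zero exit code fails the build,
         which also happens when the certificate does not chain to a trusted root -->
    <Exec Command="%22$(SignTool)%22 verify /pa /v %22$(MsiFile)%22" />
  </Target>
</Project>
```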