How to sign an MSI?

7
votes

My company wants to prevent the UAC popup that appears when customers install our product. We purchased a certificate from VeriSign (VeriSign Class 3 Code Signing 2010 CA) and I got a MyCompany.cer file.

I installed the cert by double-clicking it and selecting the "Personal" store. It now appears in the Certificates snapin, along with several other certs. The snapin says its intended purpose is "Code Signing". I got the SHA1 hash by copying the thumbprint.

I try to sign the msi with this command:

signtool sign /sha1 <thumbprint> myInstaller.msi

and get a message "SignTool Error: No certificates were found that met all the given criteria."

If I leave off the "/sha1 " I get a list of most of the other certs in the store - the ones that say their intended purpose is "<All>" My cert isn't listed.

What am I doing wrong?

1
certificatecode-signingsigntool
possible duplicate of How do I sign exes and dlls with my code signing certificateKen White
I've tried everything in that post and others but to no avail. I noticed that the "Key Usage" item in the Details tab has a small yellow "!" symbol. The value is "Digital Signature (80)"Sisiutl

1 Answers

3
votes

This is pretty old but I hope it helps someone.

First of all you need to check that you have a Private Key for that .cer file, If you open it you should see a Key icon somewhere followed by the sentence: 

You have a private key for this certificate

Note that what you must install the certificate in the same computer where de Key pair (and the CSR) were generated. Obviously if you have no private key, you can't sign anything.