17
votes

I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .exe files with the signtool the certificate is valid and they run fine. The problem is that when I build the .msi (using the visual studio setup project) the .exe files lose their signatures. So I can sign the .msi after it is built, but the installed .exe files continue the whole "unknown publisher" business. How can I retain the signature on these files for installation on the client machine?


3 Answers

16
votes

You can add the following PostBuildEvent to your VS Setup project (project properties):

Windows 8.0:

"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a  $(BuiltOuputPath)

Windows 10:

"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /a  $(BuiltOuputPath)

Project properties window

See this MSDN documentation for signtool usage. You can use the /f flag to specify the signing certificate, /p to specify the cert's password, etc.

Also, note that $(BuildOuputPath) is misspelled. This is on purpose. Thanks microsoft...

15
votes

Visual Studio creates two folders at compile time: obj and bin. Turns out, at least in my case, the output will always be copied from the obj folder into the bin folder. I was signing the executables in the bin folder only to have them overwritten and then packaged into the msi. Signing the executables in the obj folder solved the problem.

2
votes

Another option (the one that I'm doing) is creating the .msi first and then signing it using a pfx (certificate).

(I'm using a Code Signing Certificate that I bought at globalsign.com)

Open CMD: run -> powershell

Where the certificate is located, run the following and save the thumbprint:

PS C:\Windows\system32> Get-PfxCertificate -FilePath .\CompanyCertificate.pfx

You will get something like this: ABCFEDRABF229B78BF9C40EC47007C1234567890. You must substitute your own value in the following execution line.

Then find where signtool.exe is located and go there (Win 10 in my case; the msi must be in the same path as well) and execute the following:

PS C:\Program Files (x86)\Windows Kits\10\App Certification Kit> .\signtool.exe sign /f CompanyCertificate.pfx /d "App Description" /p pfxPasswordHere /v /sha1 ABCFEDRABF229B78BF9C40EC47007C1234567890 /t "http://timestamp.comodoca.com/authenticode" MyApplicationSetup.msi

Number of files successfully Signed: 1

Number of warnings: 0

Number of errors: 0

Congrats you got it!

You will see this new tab under .msi properties:


And finally try to install it:

Success!!
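As an added example (not code from any of the answers above), a PowerShell script that ties the three answers together: it signs the .exe files in obj\ before the setup project copies them into the package, signs the .msi after the build, and fails the build if any shipped file is not validly signed and timestamped. The PFX path, output folders, MSI name and the -Stage switch are assumptions; replace them with your own.

```powershell
# Added example; the paths below are placeholders, not values from the question.
param(
    [ValidateSet('SignOutputs','SignMsi')][string]$Stage = 'SignOutputs',
    [string]$PfxPath   = '.\CompanyCertificate.pfx',
    [string]$ObjDir    = '.\obj\Release',          # VS copies obj -> bin, so sign here
    [string]$MsiPath   = '.\MyApplicationSetup.msi',
    [string]$Timestamp = 'http://timestamp.comodoca.com/authenticode'
)

# Get-PfxCertificate prompts for the PFX password, so it never has to be
# written into a project file or post-build event.
$cert = Get-PfxCertificate -FilePath $PfxPath

function Invoke-AuthenticodeSign {
    param([string[]]$Files)
    foreach ($f in $Files) {
        # SHA-256 digest plus a timestamp: the signature stays valid after the
        # signing certificate itself expires.
        $sig = Set-AuthenticodeSignature -FilePath $f -Certificate $cert `
                 -HashAlgorithm SHA256 -TimestampServer $Timestamp
        if ($sig.Status -ne 'Valid') { throw "Signing failed for ${f}: $($sig.StatusMessage)" }
    }
}

function Test-ShippedSignatures {
    # Emits one object per file that is unsigned, tampered, or not timestamped.
    param([string[]]$Files)
    foreach ($f in $Files) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid' -or -not $sig.TimeStamperCertificate) {
            [pscustomobject]@{ File = $f; Status = $sig.Status
                               Timestamped = [bool]$sig.TimeStamperCertificate }
        }
    }
}

$exes = Get-ChildItem -Path $ObjDir -Filter *.exe -Recurse |
        Select-Object -ExpandProperty FullName

switch ($Stage) {
    # Run before the setup project builds, so the copies packaged into the MSI are signed.
    'SignOutputs' { Invoke-AuthenticodeSign -Files $exes }
    # Run from the setup project's PostBuildEvent: sign the MSI, then gate the build.
    'SignMsi' {
        Invoke-AuthenticodeSign -Files @($MsiPath)
        $bad = @(Test-ShippedSignatures -Files (@($exes) + $MsiPath))
        if ($bad) { $bad | Format-Table -AutoSize; exit 1 }
        'All shipped files are signed and timestamped.'
    }
}
```

Run it once with -Stage SignOutputs before the setup project builds and once with -Stage SignMsi afterwards; a non-zero exit from the second stage stops an unsigned or untimestamped package from leaving the build.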