0
votes

I have acquired and deployed a digital code signing certificate. I have added it to the installation program for a Windows application, signing the InstallShield setup.exe file and the msi file. Everything works perfectly in the installation program.

My application is installed as a single exe file along with a compiled HTML help file.

Is the best practice to digitally sign the exe file in addition to the Windows installation program?

1
Why wouldn't you sign the installer? That's usually the first program the user will open and it would provide peace of mind knowing that it's trusted. - ub3rst4r
Yes - sign both. The installer runs and is signed. Then the actual executable runs - and it is signed as well. Lots of trust to be gained - users know who made the code, and that it wasn't tampered with. I don't think your certificate "wears out"... - Floris

1 Answer

1
votes

Yes. You should sign the executable as well.

You should also ensure you use a time-stamp server if possible when signing too. Thus users of your application know the code came from a valid source, and the certificate was valid when it was signed. (The time-stamping means users can check the signing is valid after the expiry date of your certificate - i.e. the signature will be valid for all time.)
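As an added example that is not part of the answer above, this PowerShell script signs the installer, the MSI and the application exe with the same certificate, countersigns each with an RFC 3161 timestamp, and then checks that every signature is valid and actually carries a timestamp. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate is in the CurrentUser\My store identified by the placeholder `$Thumbprint`, and that `$TsaUrl` is replaced with your CA's timestamp endpoint.

```powershell
# Added example (not from the original post): sign installer, MSI and exe,
# countersign with an RFC 3161 timestamp, then verify each signature.
# Assumptions: signtool.exe is on PATH; the signing certificate is in the
# CurrentUser\My store and selected by $Thumbprint; $TsaUrl is your CA's
# RFC 3161 timestamp endpoint. Both values below are placeholders.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
$TsaUrl     = 'http://timestamp.example.invalid'   # placeholder TSA URL
$Files      = @('.\setup.exe', '.\MyApp.msi', '.\MyApp.exe')

foreach ($f in $Files) {
    # /fd and /td select SHA-256 for the file digest and the timestamp digest;
    # /tr requests an RFC 3161 timestamp so the signature remains verifiable
    # after the signing certificate itself has expired.
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TsaUrl /td SHA256 $f
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $f" }
}

# Get-AuthenticodeSignature exposes both the signer certificate and the
# time-stamper certificate; a missing TimeStamperCertificate means Windows
# will stop trusting the signature once the signing certificate expires.
function Test-TimestampedSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status            # 'Valid' is the only acceptable value
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

$results = $Files | ForEach-Object { Test-TimestampedSignature $_ }
$results | Format-Table -AutoSize

# signtool verify /pa applies the Default Authenticode policy (the one the
# Windows installer prompt uses); /v prints the chain and timestamp details.
foreach ($f in $Files) { & signtool.exe verify /pa /v $f }

$bad = $results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($bad) { throw "unsigned or un-timestamped files: $($bad.File -join ', ')" }
```

Run it from the build output directory after the InstallShield build; the final check fails the build if any of the three files is unsigned or lacks a timestamp countersignature.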