Signing MSI Packages
Digitally signing files helps protect against changes to a file by validating that a hash of the current file matches the hash stored in the digital signature. Digital signatures also help verify that a package came from a particular publisher by encrypting the hash with the publisher's private key. Verifying the signature using the publisher's public key or a trusted certificate authority that signed their public key validates the publisher.
You can sign Windows Installer packages so that users can tell whether your packages have been modified and whether they came from you, the publisher. If a package contains a digital signature, Windows Installer validates that the package has not been changed when attempting to install it. Properly signed MSI packages can be installed via GPO even in environments with strict security policies.
About Digital Signatures
A digital signature is based on a signing certificate. A certificate is a set of data that completely identifies an entity, and is issued by a certification authority only after that authority has verified the entity's identity. The data set includes the entity's public cryptographic key. When the publisher of a package signs the package with its private key, the installer can use the publisher's public key to verify the publisher's identity.
To perform a package signing operation, both a private key and the signer's identification information must be supplied. The digital certificate used in the signature usually supplies the signer identification information, so the private key must be supplied through some other means. Additionally, for the signed file to be authenticated, the signature must include the certificate chain for the cryptographic service provider (CSP), up to a root certificate trusted by the user. In all, several items must be provided to generate a digital signature.
Microsoft has developed a certificate store technology to reduce the above complexity. Using this technology, when a user enrolls to obtain a certificate, they specify the private key information, the CSP information, and the certificate store name for the certificate. The certificate will then be stored in the certificate store and be associated with the other items. When the user wants to sign a package, they only need to identify the certificate in the certificate store. The code-signing tool will retrieve the certificate, the private key, and the certificate chain for the CSP, all based on the specified certificate.
When signing a package, a trusted time server is used to generate a time stamp for the digital signature. The time stamp proves that the package was signed while the certificate was neither expired nor revoked.
Requirements for a Digital Certificate
For a digital certificate to be used by MSI Package Builder for signing the generated MSI packages, the following set of requirements must be met:
- The certificate must include Code Signing (1.3.6.1.5.5.7.3.3) within its Intended Purpose.
- The certificate's Valid From date must be earlier than, and its Valid To date later than, the package signing date.
- The digital certificate must be placed in the Current User certificates storage.
- Both the private key and the signer identification information must be supplied.
- The private key must be available together with the signing certificate in the certificate storage. If you have the private key in a separate file, use the tool provided by Microsoft to prepare a private and public key pair for importing into the certificate storage, as described here: Pvk2Pfx, Combine PVK + SPC to PFX.
If a digital certificate does not meet the requirements stated above, MSI Package Builder will not offer it for signing MSI packages.
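The following PowerShell script is an added example, not part of MSI Package Builder or its documentation. It walks the Current User personal store and reports, for each certificate, which of the requirements above it fails (Code Signing EKU, validity window, private key present), and then shows how a separate PVK/SPC pair can be combined with Pvk2Pfx and imported into that store. The file names and the password prompt are placeholders.

```powershell
# Added example (not MSI Package Builder's own code): check which certificates in
# Cert:\CurrentUser\My satisfy the signing requirements listed above.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage OID
$Now = Get-Date

function Test-SigningCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Requirement 1: the Code Signing purpose must be present in the EKU extension.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })) {
        $problems += 'no Code Signing EKU'
    }

    # Requirement 2: the signing date must fall inside the validity window.
    if ($Cert.NotBefore -gt $Now) { $problems += "not yet valid (from $($Cert.NotBefore))" }
    if ($Cert.NotAfter  -lt $Now) { $problems += "expired (on $($Cert.NotAfter))" }

    # Requirements 3-5: the certificate is already in the Current User store (we are
    # enumerating it), and its private key must be stored alongside it.
    if (-not $Cert.HasPrivateKey) { $problems += 'private key not in store' }

    return $problems
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $problems = Test-SigningCertificate $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Reason     = ($problems -join '; ')
    }
} | Format-Table -AutoSize

# If the private key lives in a separate .pvk file, combine it with the .spc (or .cer)
# into a password-protected PFX using Pvk2Pfx from the Windows SDK, then import the PFX
# into the Current User personal store. Placeholder file names; Pvk2Pfx prompts for
# the PVK password itself when -pi is not given.
$PfxPassword = Read-Host -AsSecureString 'Password for the new PFX'
$plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
& pvk2pfx.exe -pvk .\signing.pvk -spc .\signing.spc -pfx .\signing.pfx -po $plain
Import-PfxCertificate -FilePath .\signing.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPassword
```

Certificates without any EKU extension are reported as unusable here because the requirement above asks for Code Signing to be present explicitly. After the import, re-running the first part of the script should list the new certificate with Usable set to True; if it shows "private key not in store", the PFX was created without the key.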
Configuring Packages Signing
MSI Package Builder allows you both to define a common package signing configuration, used for adding digital signatures to generated MSI packages, and to override those settings for specific projects. The common digital signing options are specified on the Packages Signing preference page (Pic 1); the settings can be overridden either when creating an MSI package or in the Project Details view.
In either case, when you enable package signing you are prompted to select the signing certificate to be used for creating the digital signature and to choose the time server for generating the signature time stamp. The certificate can be selected from those installed in the certificate storage mentioned above. To select the certificate, press the button within the Signing Certificate field. A dialog is displayed to let you choose from the available certificates. While choosing a certificate, you can press the View Certificate button on the toolbar to view detailed information on the selected certificate. This information dialog can also be reached via the button in the Signing Certificate field once the certificate is specified. To reset the certificate, use the button.
As for the time server, you can either choose one of those predefined in the Time Server field or provide the address of another trusted server that can generate time stamps for digital signatures. A time stamp should always be added when signing a package. Although it is strongly recommended to add the time stamp immediately when signing packages with MSI Package Builder, you can leave the Time Server field empty and skip time stamping. If a time stamp is not added, a signed package can still be time stamped later with the SignTool utility.
If package signing is enabled, MSI Package Builder adds a digital signature using the specified signing certificate and the chosen time server when a package is generated. Any problems that occur during the signing process are reported in the Log view.
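As an added example (not part of MSI Package Builder, which performs these steps internally), the script below signs an MSI with a certificate from the Current User store and a time stamp, then reads the signature back the way Windows Installer's verification would see it, and shows the SignTool commands for time stamping and verifying a package later. The package path and the time server URL are placeholders.

```powershell
# Added example (not MSI Package Builder's own code). Placeholders below:
$Package    = 'C:\Build\Output\MyProduct.msi'   # placeholder path to the generated MSI
$TimeServer = 'http://timestamp.example.com'    # placeholder time stamp server URL

# Pick a usable code-signing certificate from the Current User personal store.
# -CodeSigningCert filters on the Code Signing EKU and the presence of a private key;
# the Where-Object clause applies the validity-window requirement.
$Cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotBefore -le (Get-Date) -and $_.NotAfter -ge (Get-Date) } |
        Select-Object -First 1
if (-not $Cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }

# Sign with a time stamp so the signature remains verifiable after the certificate expires.
$result = Set-AuthenticodeSignature -FilePath $Package -Certificate $Cert `
              -HashAlgorithm SHA256 -TimestampServer $TimeServer
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Read the signature back: status, signer, and whether a time stamp is present.
$sig = Get-AuthenticodeSignature -FilePath $Package
[pscustomobject]@{
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    TimeStamped = [bool]$sig.TimeStamperCertificate
}

# A package that was signed without a time stamp can be time stamped later with
# SignTool from the Windows SDK. /tr expects an RFC 3161 server (/t is the older
# Authenticode-style form); /td selects the digest algorithm for the time stamp:
#   signtool.exe timestamp /tr $TimeServer /td sha256 $Package
# and the signature plus certificate chain can be checked with:
#   signtool.exe verify /pa /v $Package
```

A Status of Valid from Get-AuthenticodeSignature means the hash matches and the chain reaches a trusted root on this machine; NotSigned, HashMismatch or UnknownError each point at one of the failure modes the signing log would report. TimeStamped being False after signing usually means the time server was unreachable, which is the case the later SignTool time stamping step covers.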