Tin Mới
How to digitally sign an MSI installer using PowerShell command line
Th5
Ensuring the security and integrity of software applications is a key part of modern digital security practices. Digitally signing an MSI file from the command line is a straightforward process that increases the security and reliability of your application.
This article simplifies the process of applying digital signatures to MSI files using PowerShell, providing insight into an alternative graphical method via the advanced installer user interface.
Prerequisites for digitally signing MSI files
Before you begin, make sure you have a valid code signing certificate from a trusted certificate authority (CA) or create a self-signed certificate.
For more details on PFX, check out our blog article “What is a code signing certificate and how to provide digital trust for your application”, where we dive deeper into the topic.
Don’t forget to export your certificate in a PFX file format and keep the password handy. or Personal Information Exchange (.pfx) file is a password-protected certificate typically used for signing your application’s code. It derives from the PKCS 12 archive file format certificate and stores multiple cryptographic objects within a single file.
Check out our blog post “What is a PFX Certificate and How to Generate One” for a more in-depth look at PFX.
How to digitally sign your MSI file from the command line using PowerShell
To digitally sign an MSI file from the command line, we’ll use PowerShell Set-AuthenticodeSignature cmdlets.
of Set-AuthenticodeSignature A cmdlet is a PowerShell command that applies a unique digital signature to files, including executables (EXE files), dynamic-link libraries (DLL files), MSI files, scripts, and more.
To digitally sign an MSI file, you’ll need to specify the path to the file you want to sign using -FilePath parameter and code signing certificate using -Certificate the parameter.
Here’s how you can accomplish this using PowerShell Set-AuthenticodeSignature cmdlets:
1. Open PowerShell with administrative privileges.
2. Store the certificate password securely by converting the certificate password to a secure string:
$certificatePassword = ConvertTo-SecureString -String "YourCertificatePassword" -Force -AsPlainText
3. Specify the path to your certificate:
$certificatePath = "C:\Path\To\YourCertificate.pfx"
4. Create an instance of the certificate object and import the certificate:
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate.Import($certificatePath, $certificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
5. Specify the path to your MSI file:
$msiFilePath = "C:\Path\To\YourFile.msi"
6. Apply the digital signature to the MSI file using the provided certificate:
Set-AuthenticodeSignature -FilePath $msiFilePath -Certificate $certificate
7. Check the digital signature information of the MSI file to verify that the signing was successful:
Get-AuthenticodeSignature -FilePath $msiFilePath
How to digitally sign your MSI file using the advanced installer GUI
Alternatively, the advanced installer GUI simplifies the digital signature process by integrating signtool.exe, eliminating the need for command line operations. This functionality is designed to save time and streamline the signing process.
Experience the digital signature capabilities of Advanced Installer with its full-featured 30-day free trial.
Start the free trial
Video tutorial available
Stay ahead of the curve in app packagingTo keep up with more insights and trends in software packaging and deployment, sign up for our newsletter. Get the latest updates and expert advice delivered straight to your inbox. Subscribe to our newsletter
Written by
Radu Popescu
Technical Writer on Advanced Installer, Technical Engineer on various enterprise client projects. Have experience in software packaging, SCCM infrastructure and System Administration. Tech enthusiast and music producer in his spare time.
