问题
I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .exe files with the signtool the certificate is valid and they run fine. The problem is that when I build the .msi (using the visual studio setup project) the .exe files lose their signatures. So I can sign the .msi after it is built, but the installed .exe files continue the whole "unknown publisher" business. How can I retain the signature on these files for installation on the client machine?
回答1:
Visual Studio creates two folders at compile time: obj and bin. Turns out, at least in my case, the output will always be copied from the obj folder into the bin folder. I was signing the executables in the bin folder only to have them overwritten and then packaged into the msi. Signing the executables in the obj folder solved the problem.
回答2:
You can add the following PostBuildEvent to your VS Setup project (project properties):
Windows 8.0:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a $(BuiltOuputPath)
Windows 10:
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /a $(BuiltOuputPath)
See this MSDN documentation for signtool usage. You can use the /f flag to specify the signing certificate, /p to specify the cert's password, etc
Also, note that $(BuildOuputPath) is misspelled. This is on purpose. Thanks microsoft...
回答3:
Are you positive the installer project is looking at the signed binary and not the unsigned one ?
I'm not using the msi builder much, but I would find it surprising that it modifies the files it packages at all.
来源:https://stackoverflow.com/questions/1652301/how-to-sign-installation-files-of-a-visual-studio-msi