We want our users to download preconfigured installers of our software for Windows. Pre-configured data consists of settings based on user account data. The customization is to be done in a Java server running on Linux. We need to have those installers digitally signed. Unfortunately we cannot have the private signing key on those servers, due to security policy.
Can you think of ways to put some metadata into either MSI or EXE while preserving digital signature or other approaches to fulfill the use case?
EDIT: The requirement is to have a single file download, so unfortunately parallel ini file doesn't fulfill it. It is mostly about providing a set of connection points (specific to a user) - we are not to bother a user as we already know them.
No, what you ask for is impossible. You can't modify a file without invalidating its signature. That's the whole point of signing. You also can't sign a file without having the private key to perform the signing.
I believe Chris is right. However, in the interest of providing a useful starting point for further investigation, here are some thoughts:
Though it is perhaps a questionable design, you could generate an email with the config information on the server and send it to the user so they can automatically kick off the signed installer from your web site with the appropriate settings set in properties by simply clicking a link in an email. I have never tried this, but the MSI SDK does discuss it: A URL-Based Windows Installer Installation Example and Authoring a Fully Verified Signed Installation.
I guess you can also generate an INI file sent by email that can be put next to the signed MSI and the MSI can be designed to read the INI file during installation and apply the settings. You would add a launch condition to require this INI.
If you wrap a config file with a signed MSI in an unsigned self-extractor, I think you eliminate almost all benefits from the signing process. I doubt it helps, but it should be possible to sign an external cab file consumed by an unsigned MSI. Again, I have not tried this, so I'm just guessing. I am not sure what happens if that MSI is post-processed after signing of the cab either. Security-wise I think this approach is sort of nonsense too - few benefits remain.
Your best bet is to rearchitect your approach. If there are only a few resulting configurations, build them all up ahead of time. Otherwise you need to be able to sign on the fly, or to distribute the options in a way that isn't signed. Here's why:
- Changing the file is a non-starter, as it invalidates the digital signature and you have no means to re-apply it
- When you download an exe or msi from the internet, you can't also pass arbitrary command-line parameters
- Even if you could use multiple files, applying an unsigned mst to an msi will invalidate the signature for purposes of UAC prompts
Here are some ideas to work around those limitations:
- Ask for the configuration inside your msi's UI sequence. Either ask for the parameters that your server currently attempts to embed, or ask for the options that led to those and use a custom action to calculate and/or retrieve them.
- Taken to an extreme, this could be: fill out options online; get a code; download the msi; install, entering the code (it retrieves the options). This might be an okay user experience, so long as they don't need to be offline.
- Find a way to pass parameters. For example it looks like ClickOnce can accept parameters as part of its URL. (See How to: Retrieve Query String Information in an Online ClickOnce Application.) On the surface, it seems like this should allow creating a single ClickOnce application with embedded msi file that uses these parameters to configure the msi. However I cannot say for certain as I have not built such a ClickOnce application, and I'm unclear what footprint it may place on the machine. This may also fail in an offline scenario.
Meanwhile I found a way to add data to a signed EXE without invalidating the signature. Yes, I also thought it was impossible. It is a terrible hack, which works by modifying the certificate section, which is not part of the signature and is at the end of the file. So you can append to the end of the EXE and just do some fixing of the section size. I checked that it works: signatures are valid, the program runs, and antivirus doesn't complain either.
Description of the approach:
- http://blog.barthe.ph/2009/02/22/change-signed-executable/
- http://reboot.pro/topic/15889-modify-a-signed-executable-without-invalidating-its-digital-signature/
Working program to add payload:
- http://reboot.pro/files/file/85-digitalsignaturetweaker/
Obviously, being a hack, it may stop working at any time.
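For anyone on the receiving side of such files, the property the answer above relies on is also what makes the trick detectable: the bytes appended inside the certificate table are outside the PKCS#7 SignedData structure, so a plain PE walk can find them. The following Python is an added example (not code from the question, the answers, or the linked tools) that parses the Certificate Table data directory, walks each WIN_CERTIFICATE entry, measures the DER length of the embedded SignedData SEQUENCE, and reports any non-padding bytes after it, plus any overlay after the table. It does not verify the signature itself (use signtool or Get-AuthenticodeSignature for that); the `build_sample_pe` helper and its fake PKCS#7 blob are constructed test fixtures, not a real signed binary.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _der_total_length(blob: bytes) -> int:
    """Total encoded size of the DER value at blob[0:], or -1 if it is not a SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:          # Authenticode SignedData is a ContentInfo SEQUENCE
        return -1
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Certificate Table data directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = 96 if magic == 0x10B else 112       # PE32 vs PE32+ data-directory offset
    entry = opt + dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    return struct.unpack_from("<II", pe, entry)   # for this directory the "RVA" is a raw file offset


def audit_certificate_table(pe: bytes) -> dict:
    """Walk WIN_CERTIFICATE entries and flag bytes that no signature covers."""
    off, size = security_directory(pe)
    result = {"signed": False, "entries": 0, "slack_bytes": 0, "trailing_bytes": 0, "findings": []}
    if off == 0 or size == 0:
        result["findings"].append("no certificate table: file is unsigned")
        return result
    result["signed"] = True
    end = off + size
    if end > len(pe):
        result["findings"].append("certificate table runs past end of file")
        return result
    if end != len(pe):                            # data after the table is never signed either
        result["trailing_bytes"] = len(pe) - end
        result["findings"].append(f"{len(pe) - end} bytes after certificate table (overlay)")
    pos = off
    while pos + 8 <= end:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if dw_length < 8 or pos + dw_length > end:
            result["findings"].append("WIN_CERTIFICATE dwLength inconsistent with directory size")
            break
        result["entries"] += 1
        blob = pe[pos + 8:pos + dw_length]        # bCertificate
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            der_len = _der_total_length(blob)
            if der_len < 0 or der_len > len(blob):
                result["findings"].append("PKCS#7 blob is not a well-formed DER SEQUENCE")
            else:
                slack = blob[der_len:]
                # up to 7 zero bytes of 8-byte alignment padding are normal; anything else was injected
                if len(slack) >= 8 or any(slack):
                    result["slack_bytes"] += len(slack)
                    result["findings"].append(
                        f"{len(slack)} bytes of unsigned data after SignedData in entry {result['entries']}")
        pos += (dw_length + 7) & ~7               # entries are 8-byte aligned
    return result


def build_sample_pe(cert_payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (no sections, not loadable) with one WIN_CERTIFICATE entry."""
    fake_pkcs7 = b"\x30\x10\x04\x0esigned-by-test"  # DER SEQUENCE { OCTET STRING }, 18 bytes, not a real signature
    blob = fake_pkcs7 + cert_payload
    table = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    table += b"\0" * (-len(table) % 8)
    headers_len = 0x40 + 4 + 20 + 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(table))
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + coff + opt + table + overlay


if __name__ == "__main__":
    print("clean   :", audit_certificate_table(build_sample_pe(b"")))
    print("patched :", audit_certificate_table(build_sample_pe(b"CONFIG=server.example.invalid;user=alice")))
```

On a real binary, read the file into `pe` and call `audit_certificate_table`; a file patched as described above shows up as slack bytes inside the last entry (or as an overlay, depending on which tool was used). Note that Microsoft later shipped an optional stricter Authenticode check that rejects non-padding bytes after the SignedData structure, so a file customized this way will fail verification on machines where that hardening is enabled, which is another reason the answer's caveat about the hack breaking at any time is well placed.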