How to sign an MSI?

Posted 2019-04-26 20:44

My company wants to prevent the UAC popup that appears when customers install our product. We purchased a certificate from VeriSign (VeriSign Class 3 Code Signing 2010 CA) and I got a MyCompany.cer file.

I installed the cert by double-clicking it and selecting the "Personal" store. It now appears in the Certificates snapin, along with several other certs. The snapin says its intended purpose is "Code Signing". I got the SHA1 hash by copying the thumbprint.

I try to sign the msi with this command:

signtool sign /sha1 <thumbprint> myInstaller.msi

and get a message "SignTool Error: No certificates were found that met all the given criteria."

If I leave off the "/sha1 " I get a list of most of the other certs in the store - the ones that say their intended purpose is "<All>". My cert isn't listed.

What am I doing wrong?

1 answer
男人必须洒脱
Post #2 · 2019-04-26 21:09

This is pretty old but I hope it helps someone.

First of all, you need to check that you have a private key for that .cer file. If you open it, you should see a key icon somewhere followed by the sentence:

You have a private key for this certificate

Note that you must install the certificate on the same computer where the key pair (and the CSR) were generated. Obviously, if you have no private key, you can't sign anything.
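
The private-key check described in the answer above can also be run from PowerShell, together with the "intended purpose" and validity checks. This is an added example, not part of the original answer; the function name `Test-SigningCert` and the thumbprint value are placeholders chosen here.

```powershell
# Added example. Test-SigningCert is a name chosen here, not a built-in cmdlet.
function Test-SigningCert {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Keep only hex digits: drops spaces and any invisible characters that
    # came along when the thumbprint was copied from the certificate dialog.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw "Expected 40 hex digits (SHA-1), got $($tp.Length)." }

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'    # Enhanced Key Usage: Code Signing
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    # "Personal" store for the current user and for the machine.
    $results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($cert.Thumbprint -ne $tp) { continue }

            $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType }
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

            [pscustomobject]@{
                Store          = $store
                Subject        = $cert.Subject
                # False means only the public half (.cer) was imported.
                HasPrivateKey  = $cert.HasPrivateKey
                # No EKU extension means the certificate is not restricted by purpose.
                CodeSigningEku = (-not $eku) -or ($oids -contains $codeSigningOid)
                WithinValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
            }
        }
    }

    if (-not $results) { Write-Warning "No certificate with thumbprint $tp in the Personal stores." }
    $results
}

# Constructed placeholder thumbprint; replace with the value from your certificate.
Test-SigningCert -Thumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33' |
    Format-List
```

A result with `HasPrivateKey : False` is the situation the answer describes: the certificate is in the store, but there is no key to sign with.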
