Self Signed MSI

At Hobbyware.org I use Visual Studio to create my programs, and often use the add-in project setup installer that came with Visual Studio 2010 and then became an add-in for Visual Studio 2015. The project setup generates an .MSI file to be used when installing the software. Up until Windows 10 I have had no issues with downloading a file using Internet Explorer, but now I am having issues with an error message that says "the signature of this program is corrupt or invalid". It appears that Microsoft wants to keep things as secure as possible... and I applaud them for that initiative; however, you will not be able to download an unsigned MSI using Internet Explorer anymore.

the signature of this program is corrupt or invalid

Getting a certificate is usually quite expensive and typically not in a hobbyist budget for something as simple as this. The only real other option was to self-sign the MSI file. This is where I create my own certificate and I become the certificate signing authority – not as trustworthy as having it signed by a larger, well-known company, but what's a hobbyist to do?

To self-sign your own certificate you will need to download the Windows 10 SDK and install it on your development machine. There are three main tools that you will need: the first is MakeCert.exe, the second is pvk2pfx.exe and the third is SignTool.exe. After completing the install of the SDK you will want to fire up a Visual Studio command prompt. Make sure not to use the regular command prompt, as it won't have access to the MakeCert and SignTool executables. I also suggest that you take a look at the MSDN articles for each of the two tools for any other options that you want to specify by clicking the links to each of the said tools above.

MakeCert is the tool that creates your certificate. It outputs a .PVK file (the private key) and a .CER file (the certificate). Replace CertName with what you want to name your certificate.

       MakeCert -n "CN=CertName" -pe -r -a sha512 -len 4096 -cy authority -sv CertName.pvk CertName.cer

You now have the private key file and the self-signed certificate, both created in the folder that your command prompt is working in.

The next step is to combine the two files into a PFX file, which is what we will use to sign the MSI file. In the following command replace CertPassword with a strong password that will be used to protect the certificate from unauthorized use.

       Pvk2pfx -pvk CertName.pvk -spc CertName.cer -pfx CertName.PFX -po "CertPassword"

The last step is to sign your MSI file. To do this make sure you build your setup program and then place the newly created MSI file into the same directory as the PFX file that you created with the command above. Now use the sign tool using the following command:

       SignTool sign /fd SHA256 /F CertName.PFX /P CertPassword MySetupProgram.MSI

The MSI file that you created is now self-signed and can be downloaded via Internet Explorer.
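A check worth running after the SignTool step, as an added example that is not part of the original post: it reads the Authenticode signature back from the MSI, confirms the certificate carries the SHA-512 / 4096-bit settings given to MakeCert, and reports whether the self-signed root is trusted on the machine doing the check. The function name Test-MsiSignature is hypothetical; MySetupProgram.MSI is the file name used above.

```powershell
# Added example (not from the original post). Test-MsiSignature is a hypothetical name.
function Test-MsiSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $report = [ordered]@{
        File    = (Resolve-Path $Path).Path
        Status  = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Message = $sig.StatusMessage
    }

    if ($cert) {
        # Self-signed means the certificate is its own issuer, as with MakeCert -r.
        $selfSigned = $cert.Subject -eq $cert.Issuer
        # Such a root is trusted only on machines where it was imported into a Root store.
        $rootStores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
        $trustedIn  = @($rootStores | Where-Object { Test-Path "$_\$($cert.Thumbprint)" })
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

        $report.Subject       = $cert.Subject
        $report.Thumbprint    = $cert.Thumbprint
        $report.SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName      # sha512RSA for -a sha512
        $report.KeyBits       = if ($rsa) { $rsa.KeySize } else { $null }  # 4096 for -len 4096
        $report.Expires       = $cert.NotAfter
        $report.SelfSigned    = $selfSigned
        $report.TrustedRootIn = $trustedIn -join ', '
    }

    $report.Verdict = switch ($sig.Status) {
        'Valid'        { 'Signature intact and chain trusted on this machine' }
        'NotSigned'    { 'No signature found: the SignTool step did not run on this file' }
        'HashMismatch' { 'File changed after signing: rebuild and sign again' }
        default {
            if ($cert -and $selfSigned -and -not $trustedIn) {
                'Signed, but the self-signed root is not in a Root store on this machine'
            } else { 'Signature not accepted: see Message' }
        }
    }
    [pscustomobject]$report
}

# Runs only if the MSI from the steps above is in the current folder.
$msi = '.\MySetupProgram.MSI'
if (Test-Path $msi) { Test-MsiSignature -Path $msi | Format-List }
```

Run it on a second machine as well as the build machine: the verdict there shows what someone who downloads the MSI will see.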

Enjoi!

                                                        T3rr0rByte13@hobbyware.org

                                                                                                     ©2020 All Rights Reserved. All contents of this site are copyright to Hobbyware.org