How to Sign a Windows Installer MSI

When you customize your MSI installation file, it is necessary to re-sign it if your organization requires a digital signature.

When do You Need to Re-sign an MSI?

By default, the Spirion.exe Client is digitally signed using a code signing certificate.

  • That certificate enables customers to verify that the package is genuine and has been created by Spirion.
  • However, when you extract the .msi file from the .zip archive and customize it for mass installation, the digital signature is invalidated.
  • If your organization requires a digital signature every time something is installed, and you do not re-sign the installer, the application is unlikely to install properly and an error will be displayed. To fix the error use the topics below.

How to Re-sign an MSI that was Customized

To obtain, edit and re-sign the .msi use the following steps:

  1. Download and edit the MSI as desired using the MSIBuilder application as described here:
  2. Obtain a valid code signing certificate that is trusted by every Windows system on which the client will be installed:
    • If an enterprise-wide, trusted private Certificate Authority (CA) exists, contact the CA to issue a code signing certificate.
    • Note: If an in-house enterprise-wide solution is used the CA must be a Trusted Root CA on all endpoints on which the MSI will be installed.
      • Contact the local IT department or Windows administrators to determine if this is available and if all Windows systems have the necessary trusts configured.
    • If an enterprise-wide and trusted Certificate Authority is not available, code signing certificates can be purchased from a reputable and globally trusted Certificate Authority such as VeriSign, GoDaddy, Comodo, etc.
  3. Obtain and install the Windows SDK from Microsoft: 
    http://www.microsoft.com/en-us/download/default.aspx
  4. Obtain a copy of the code signing certificate from the CA in .pfx format and note the full path to the .pfx file (PRIVATECERT_PATH).
  5. Note the password used to protect the code signing certificate when transferred from the CA (PRIVATECERT_PASSWORD).
  6. Obtain the URL for the time-stamping server used by the issuing CA (TIMESERVER_URL).
  7. Review the instructions provided by the CA issuing the code signing certificate and note if a cross-signing certificate is required.
    1. If a cross-signing certificate is required, download it and note its location (CSCERT_PATH).
  8. Navigate to the bin directory of the Windows SDK installed in Step 3 above. 
    • For example, if the Windows 7.1 SDK is installed, then the bin directory is:
      • C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin
  9. Note the full path to the application signtool.exe, which is located in the SDK bin directory (SIGNTOOL_PATH).
    • For example, using the Windows 7.1 SDK, the full path is:
      • C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe
  10. Note the directory where the edited MSI package is located (MSI_PATH). 
    • For this example, we use:
      • C:\IdentityFinderMSI\IdentityFinderSetup.msi
  11. Create the signing command using the following template.
    1. Replace the names in less than/greater than brackets (<>) with the values noted in the steps above:
       "<SIGNTOOL_PATH>" sign /v /ac "<CSCERT_PATH>" /f "<PRIVATECERT_PATH>" /p "<PRIVATECERT_PASSWORD>" /t <TIMESERVER_URL> "<MSI_PATH>"
  12. After substituting the appropriate values in the command in the previous step, execute the command in an administrative command prompt.
    • If no cross-signing certificate is required, remove the /ac argument together with the certificate path that follows it.
    • Example with a cross-signing certificate:
      "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /v /ac "C:\IdentityFinderMSI\Thawte_Primary_Root_CA_Cross.cer" /f "IdentityFinder.pfx" /p "Password" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\IdentityFinderMSI\IdentityFinderSetup.msi"
    • Example without a cross-signing certificate:
      "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /v /f "IdentityFinder.pfx" /p "Password" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\IdentityFinderMSI\IdentityFinderSetup.msi"
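The whole procedure above, wrapped in a PowerShell script, as an added example that is not part of this article and not Spirion's own tooling. It reuses the article's sample paths and time-stamp URL as assumed values, adds the /ac argument only when a cross-signing certificate is configured, reads the .pfx password interactively instead of embedding it, and finishes by checking the result with Get-AuthenticodeSignature the way an endpoint would before allowing the install.

```powershell
# Assumed values taken from the article's examples; adjust for your environment.
$SignToolPath    = 'C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe'
$PrivateCertPath = 'C:\IdentityFinderMSI\IdentityFinder.pfx'
$CrossCertPath   = 'C:\IdentityFinderMSI\Thawte_Primary_Root_CA_Cross.cer'  # set to $null if none is required
$TimeServerUrl   = 'http://timestamp.verisign.com/scripts/timstamp.dll'
$MsiPath         = 'C:\IdentityFinderMSI\IdentityFinderSetup.msi'

# Prompt for the .pfx password so it is never stored in the script or the shell history.
$secure   = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Fail early if any required file is missing.
foreach ($p in @($SignToolPath, $PrivateCertPath, $MsiPath)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

# Build the argument list in the same order as the article's command template.
$signArgs = @('sign', '/v')
if ($CrossCertPath) {
    if (-not (Test-Path -LiteralPath $CrossCertPath)) { throw "Missing cross-signing certificate: $CrossCertPath" }
    $signArgs += @('/ac', $CrossCertPath)
}
$signArgs += @('/f', $PrivateCertPath, '/p', $password, '/t', $TimeServerUrl, $MsiPath)

# Run signtool and stop on a non-zero exit code.
& $SignToolPath @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the result: Status must be Valid, meaning the file hash matches and the
# certificate chains to a root trusted on this machine (the requirement from step 2).
# Other statuses you may see: NotSigned, HashMismatch (file changed after signing), NotTrusted.
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"Signed by $($sig.SignerCertificate.Subject); time-stamped by $($sig.TimeStamperCertificate.Subject)"
```

Run the same Get-AuthenticodeSignature check on a test endpoint that does not hold the CA's root to confirm the chain, not just the hash, is accepted before mass deployment.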

Additional Details

  • When an executable file or MSI is digitally signed, it ensures that the files contained therein have not been tampered with or modified in any way. 
  • Any modification to the file(s) invalidates the digital signature and enables an end user to be aware that the package has changed since its signing. 
  • As a security measure, some customers configure their Windows clients to prevent the installation of packages with missing or invalid digital signatures. 
  • Further, most customers use the MSIBuilder application provided by Identity Finder to customize the installation experience of the client software, thereby invalidating Identity Finder's digital signature. 
  • By default, Windows allows the installation of the edited MSI without issue, especially when the installation of the client is performed silently as part of a standardized software management process. 
  • However, some customers edit the MSI, allow or require users to install the client interactively and have configured their Windows systems to prevent the installation of packages without a valid signature. 
  • In these cases, the customer must re-sign the MSI after it is edited for it to be successfully installed.
