Some setup and application executables need to be signed so that security software on Windows does not flag them as a security risk. This applies especially to executables with virus-like behavior, such as embedded executable resources that are extracted and then executed.
The following steps were performed on Windows, from the Developer Command Prompt installed by Visual Studio.
To generate a self-signed certificate for code signing, run
makecert.exe -n "CN=Test.org(Test)" -r -h 0 -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -e 12/31/2017 -pe -sv Test.pvk Test.cer
Here is a brief overview of the command-line options:
-n subject name
-r create a self-signed certificate
-h maximum height of the certificate tree below this certificate
-eku comma-separated enhanced key usage OIDs
-e expiration date
-pe mark the private key as exportable
-sv private key file name
makecert prompts for a private key password; you may specify one or leave it empty.
To convert the self-signed certificate to PFX format for use with SignTool, run
Pvk2Pfx -pvk Test.pvk -spc Test.cer -pfx Test.pfx
To sign an executable with SignTool, run
SignTool sign /fd SHA256 /a /f Test.pfx filepath.exe
Install the certificate (Test.cer) into the local machine's trusted root store before running the executable; a self-signed certificate is not trusted until you do, so the signature will not validate.
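The steps above as one PowerShell script, with a check at the end showing why the certificate has to be installed. This is an added example, not code from the original page; it assumes makecert.exe, Pvk2Pfx.exe and SignTool.exe are on PATH (as in the Developer Command Prompt) and that the target path, the certificate name and the one-year expiry are placeholders you replace.

```powershell
# Added example (not code from the original page): the certificate, PFX and signing
# steps above run from PowerShell, followed by a signature check. Assumes makecert.exe,
# Pvk2Pfx.exe and SignTool.exe are on PATH (Developer Command Prompt / Windows SDK)
# and that $Target is the executable to sign (hypothetical path).
param(
    [string]$Target = '.\filepath.exe',
    [string]$Name   = 'Test'
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run a native tool and stop on a non-zero exit code instead of continuing silently.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Get-SignatureState {
    # Summarise what Windows itself thinks of the file's Authenticode signature.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status            # Valid, NotSigned, UnknownError, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject
        Message = $sig.StatusMessage
    }
}

# 1. Self-signed certificate with the Code Signing (1.3.6.1.5.5.7.3.3) and Lifetime
#    Signing (1.3.6.1.4.1.311.10.3.13) EKUs. Expiry is one year from today rather than
#    the fixed date in the text. makecert prompts for a private key password; leave it
#    empty to match the rest of this script.
$expires = (Get-Date).AddYears(1).ToString('MM/dd/yyyy')
Invoke-Tool 'makecert.exe' @(
    '-n', "CN=$($Name).org($($Name))", '-r', '-h', '0',
    '-eku', '1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13',
    '-e', $expires, '-pe', '-sv', "$Name.pvk", "$Name.cer"
)

# 2. Bundle key and certificate into a PFX for SignTool.
Invoke-Tool 'Pvk2Pfx.exe' @('-pvk', "$Name.pvk", '-spc', "$Name.cer", '-pfx', "$Name.pfx")

# 3. Sign the executable (SHA-256 file digest, certificate taken from the PFX).
Invoke-Tool 'signtool.exe' @('sign', '/fd', 'SHA256', '/a', '/f', "$Name.pfx", $Target)

# 4. While the root is untrusted the signature is present but not valid: on a clean
#    machine the status is typically UnknownError with a "root certificate which is not
#    trusted" message. This is what a user sees if Test.cer was never installed.
$before = Get-SignatureState $Target
$before | Format-List

# 5. Trust the self-signed certificate on this machine (requires an elevated prompt),
#    then re-check: the same file now verifies as Valid.
Import-Certificate -FilePath "$Name.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$after = Get-SignatureState $Target
if ($after.Status -ne 'Valid') { throw "Signature not valid after import: $($after.Message)" }
$after | Format-List
```

Run it from an elevated PowerShell so the Import-Certificate step can write to the machine root store. One caveat of the Lifetime Signing EKU used here: Windows treats a signature made with such a certificate as invalid once the certificate expires, even if the signature was timestamped, which is acceptable for a test certificate but not for software you intend to keep distributing.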
Signing a WiX Toolset setup bundle
You cannot simply sign the setup bundle executable and get it to work, because the embedded bootstrapper engine (engine.exe) remains unsigned and will still be flagged as a security risk. Use the following steps to prepare the setup bundle so that it installs without being flagged.
First, detach the engine from the bundle as follows
insignia -ib setup.exe -o engine.exe
Sign engine.exe with your certificate using SignTool
SignTool sign /fd SHA256 /a /f Test.pfx engine.exe
Re-attach the signed engine.exe to the bundle
insignia -ab engine.exe setup.exe -o setup.exe
Finally, sign setup.exe with your certificate
SignTool sign /fd SHA256 /a /f Test.pfx setup.exe
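The four bundle steps above as one script, verifying each signature before moving on so that an unsigned or badly signed engine is never re-attached. This is an added example, not code from the original page or from the WiX Toolset; it assumes insignia.exe and SignTool.exe are on PATH, that Test.pfx comes from the earlier steps, that Test.cer is already trusted on the machine running the script, and that the bundle path is a placeholder.

```powershell
# Added example (not part of the original page or of the WiX Toolset): the detach /
# sign / re-attach / sign sequence above as one script, with a signature check after
# each signing step. Assumes insignia.exe and SignTool.exe are on PATH, Test.pfx was
# produced by the earlier steps, and Test.cer is already trusted on this machine.
param(
    [string]$Bundle = '.\setup.exe',   # hypothetical path to the built bundle
    [string]$Pfx    = '.\Test.pfx'
)
$ErrorActionPreference = 'Stop'
$engine = Join-Path (Split-Path -Parent $Bundle) 'engine.exe'

function Invoke-Tool {
    # Run a native tool and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Assert-Signed {
    # Fail unless Windows reports the file's Authenticode signature as Valid.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "$Path is not validly signed: $($sig.Status) - $($sig.StatusMessage)"
    }
    Write-Host "OK  $Path signed by $($sig.SignerCertificate.Subject)"
}

# Keep an untouched copy; steps 3 and 4 overwrite the bundle in place.
Copy-Item -Path $Bundle -Destination "$Bundle.unsigned" -Force

# 1. Detach the bootstrapper engine from the bundle.
Invoke-Tool 'insignia.exe' @('-ib', $Bundle, '-o', $engine)

# 2. Sign the engine and verify before it goes back into the bundle: an engine that
#    fails verification here is exactly what security software would flag later.
Invoke-Tool 'signtool.exe' @('sign', '/fd', 'SHA256', '/a', '/f', $Pfx, $engine)
Assert-Signed $engine

# 3. Re-attach the signed engine, writing the result over the bundle.
Invoke-Tool 'insignia.exe' @('-ab', $engine, $Bundle, '-o', $Bundle)

# 4. Sign the outer bundle last; anything that modifies setup.exe after this point
#    (including another insignia run) invalidates its signature.
Invoke-Tool 'signtool.exe' @('sign', '/fd', 'SHA256', '/a', '/f', $Pfx, $Bundle)
Assert-Signed $Bundle
```

The order matters: the engine must be signed before it is re-attached, and the bundle must be signed only after the re-attach, because each signature covers the file's contents at the time of signing. The Assert-Signed checks make the script stop at the first step whose output Windows would not trust, rather than shipping a bundle that looks signed but contains an engine that is not.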