When do you Need to Re-sign a .msi?
By default, the Spirion.exe client is digitally signed using a code signing certificate. That certificate allows customers to verify that the package is genuine and was created by Spirion. However, when you extract the .msi from the .zip file and then customize it for mass installation, the digital signature becomes invalid. If your organization requires a valid digital signature on everything that is installed, and you do not re-sign the installer, the installation will likely fail and an error will be displayed. Here is how to fix that.
How to Re-sign a .msi That was Customized
To obtain, edit and re-sign the .msi do the following:
1. Download and edit the msi as desired using the MSIBuilder application as described in the following article:
2. Obtain a valid code signing certificate that is trusted by every Windows system on which the client will be installed:
   - If an enterprise-wide, trusted private Certificate Authority (CA) exists, contact the CA to issue a code signing certificate.
   - Note: If an in-house, enterprise-wide CA is used, it must be a Trusted Root CA on every endpoint on which the msi will be installed. Contact the local IT department or Windows administrators to determine whether such a CA is available and whether all Windows systems have the necessary trusts configured.
   - If an enterprise-wide, trusted Certificate Authority is not available, code signing certificates can be purchased from a reputable and globally trusted Certificate Authority such as VeriSign, GoDaddy, Comodo, etc.
3. Obtain and install the Windows SDK from Microsoft: http://www.microsoft.com/en-us/download/default.aspx
4. Obtain a copy of the code signing certificate from the CA in .pfx format and note the full path to the .pfx file (PRIVATECERT_PATH).
5. Note the password used to protect the code signing certificate when it was transferred from the CA (PRIVATECERT_PASSWORD).
6. Obtain the URL of the time stamping server used by the issuing CA (TIMESERVER_URL).
7. Review the instructions provided by the CA that issued the code signing certificate and note whether a cross-signing certificate is required. If one is required, download it and note its location (CSCERT_PATH).
8. Navigate to the bin directory of the Windows SDK installed in Step 3 above. For example, if the Windows 7.1 SDK is installed, the bin directory is:
   C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin
9. Note the full path to the signtool.exe application located in the SDK bin directory (SIGNTOOL_PATH). For example, with the Windows 7.1 SDK it is:
   C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe
10. Note the full path to the edited msi package (MSI_PATH). For this example, we will use:
11. Create the signing command from the following template, replacing the names in angle brackets (<>) with the appropriate values:
   "<SIGNTOOL_PATH>" sign /v /ac "<CSCERT_PATH>" /f "<PRIVATECERT_PATH>" /p "<PRIVATECERT_PASSWORD>" /t <TIMESERVER_URL> "<MSI_PATH>"
12. After substituting the appropriate values into the command from the previous step, execute it in an elevated (administrator) command prompt. If no cross-signing certificate is required, remove the /ac argument and the certificate path that follows it:
   - An example with a cross-signing certificate is:
     "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /v /ac "C:\IdentityFinderMSI\Thawte_Primary_Root_CA_Cross.cer" /f "IdentityFinder.pfx" /p "Password" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\IdentityFinderMSI\IdentityFinderSetup.msi"
   - An example without a cross-signing certificate is:
     "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /v /f "IdentityFinder.pfx" /p "Password" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\IdentityFinderMSI\IdentityFinderSetup.msi"
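The same signing step scripted in PowerShell, as an added example that is not from the original article or from Spirion's tooling. It prompts for the .pfx password instead of typing it on the command line, builds the signtool command from the same placeholders used above (every path in the script is a placeholder to replace with your own), and then checks the result with signtool verify and Get-AuthenticodeSignature before the package is handed to deployment.

```powershell
# Added example (not Spirion's own tooling): signs a customized .msi with
# signtool.exe and verifies the result. Every path below is a placeholder
# matching the names used in the procedure above.
param(
    [string]$SignToolPath    = 'C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe',
    [string]$PrivateCertPath = 'C:\IdentityFinderMSI\IdentityFinder.pfx',
    [string]$CrossCertPath   = '',    # leave empty if the CA does not require a cross-signing certificate
    [string]$TimeServerUrl   = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string]$MsiPath         = 'C:\IdentityFinderMSI\IdentityFinderSetup.msi'
)

$ErrorActionPreference = 'Stop'

# Fail early on a bad path rather than letting signtool produce a confusing error.
foreach ($p in @($SignToolPath, $PrivateCertPath, $MsiPath)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "File not found: $p" }
}
if ($CrossCertPath -and -not (Test-Path -LiteralPath $CrossCertPath)) {
    throw "Cross-signing certificate not found: $CrossCertPath"
}

# Prompt for the .pfx password so it is not stored in the script or the shell history.
# signtool still needs it in clear text for /p, so it is decoded only for the call.
$securePassword = Read-Host -Prompt 'Code signing certificate password' -AsSecureString
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password

# Assemble the same command as the procedure: /ac is added only when a
# cross-signing certificate was supplied.
$signArgs = @('sign', '/v')
if ($CrossCertPath) { $signArgs += @('/ac', $CrossCertPath) }
$signArgs += @('/f', $PrivateCertPath, '/p', $plainPassword, '/t', $TimeServerUrl, $MsiPath)

& $SignToolPath @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa), which is the check
# Windows applies at install time; without /pa signtool uses the driver policy.
& $SignToolPath verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second opinion from PowerShell: Status must be Valid, and a timestamp means the
# signature remains valid after the signing certificate itself expires.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { throw "Unexpected signature status: $($sig.Status)" }
"Signed by:   $($sig.SignerCertificate.Subject)"
"Timestamped: $($null -ne $sig.TimeStamperCertificate)"
```

Run it from an elevated PowerShell prompt on the machine that holds the .pfx. The password is still passed to signtool through /p for the duration of the call, so run the script on a signing workstation rather than a shared build agent where other users can list process command lines; the prompt only keeps it out of scripts and history.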
When an executable file or msi is digitally signed, the signature ensures that the files contained therein have not been tampered with or modified in any way. Any modification to the file(s) invalidates the digital signature and lets the end user know that the package has changed since it was signed. As a security measure, some customers configure their Windows clients to prevent the installation of packages with missing or invalid digital signatures. Further, most customers use the MSIBuilder application provided by Identity Finder to customize the installation experience of the client software, which invalidates Identity Finder's digital signature. By default, Windows allows the installation of the edited msi without issue, especially when the client is installed silently as part of a standardized software management process. However, some customers edit the msi, allow or require users to install the client interactively, and have configured their Windows systems to prevent the installation of packages without a valid signature. In these cases, the customer must re-sign the msi after editing it for the installation to succeed.
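To see the effect described above on actual packages before they are deployed, here is an added PowerShell check (not part of the original article or of the MSIBuilder/Spirion tooling); the staging folder and the expected publisher string are placeholders. For every .msi in a folder it reports whether the Authenticode signature is Valid, NotSigned, or HashMismatch (the status a package edited after signing typically produces; some editing tools strip the signature instead, giving NotSigned), so an edited-but-not-re-signed package is caught before it reaches endpoints that enforce signatures.

```powershell
# Added example, not part of the original article or Spirion's tooling.
# Reports the Authenticode status of every .msi in a staging folder so that a
# package customized with MSIBuilder but not re-signed is caught before rollout.
function Test-MsiSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: a substring expected in the signer certificate's subject.
        [string]$ExpectedSignerPattern = 'Spirion'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path          = $Path
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status        = $sig.Status
        Signer        = $signer
        # An edited package that was re-signed by the customer carries the
        # customer's subject, not the vendor's, so this flag shows who signed it.
        SignerMatches = [bool]($signer -and $signer -like "*$ExpectedSignerPattern*")
        Timestamped   = $null -ne $sig.TimeStamperCertificate
        # Only a Valid status will pass on clients that enforce signatures.
        Deployable    = ($sig.Status -eq 'Valid')
    }
}

# Placeholder staging directory containing the customized packages.
$staging = 'C:\IdentityFinderMSI'

$results = Get-ChildItem -Path $staging -Filter *.msi |
    ForEach-Object { Test-MsiSignature -Path $_.FullName }

$results | Format-Table -AutoSize

# Non-zero exit code if anything in the folder would be rejected, so the
# check can gate a packaging pipeline.
$blocked = @($results | Where-Object { -not $_.Deployable })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) package(s) are missing a valid signature"
    exit 1
}
```

Run it on the packaging workstation after the MSIBuilder step and again after re-signing: the first run should show HashMismatch or NotSigned for the edited package, the second should show Valid with the customer's (or purchased) code signing certificate as the signer.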