1

I'm looking for a way to provide a signed, customized InstallShield installer that can have a small piece of information injected into it without spoiling the signature or having to re-sign the installer?

The user will be downloading it from my website, but it needs a custom ID injected in specifically for that user. I've seen references to sidecar files, but I can't find any documentation.

So, is there any way to inject that data into the installer without invalidating the signature?

Jeremy Thompson
  • 61,933
  • 36
  • 195
  • 321
tghw
  • 25,208
  • 13
  • 70
  • 96
  • So a bit more info, have you tried to do this using [Orca](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370557(v=vs.85).aspx) or is that the question? Orca is a database table editor for creating and editing Windows Installer packages and merge modules. This is a MSI we're talking about yeah? Another way to look at it use WiX Bootstrapper to embed your existing InstallShield executable. – Jeremy Thompson Dec 16 '16 at 01:19
  • @JeremyThompson I was not aware of Orca, I'll take a look. This is likely an MSI, though I could do an EXE if it enabled me to add the ID. Can it modify the database after the MSI is signed, without requiring it to be signed again? I'll also poke around at WiX. Thanks! – tghw Dec 16 '16 at 05:12
  • See also http://stackoverflow.com/questions/23806564/how-to-create-precofigured-installer-msi-or-exe-with-valid-signature/23980946 – Michael Urman Dec 16 '16 at 16:31

1 Answers1

0

This question and comments so far are missing one important caveat: Any changes to an MSI or EXE file whatsoever will cause the code-signing signature to be invalid (unless the resulting file has the exact same file hash, which is extremely unlikely).

Is there a reason that you can't re-sign the main package? Note that you can write a powershell or batch script to code-sign an EXE quickly and easily using signtool. You can add your custom data and resign the package in one step. You can even use a different code-signing certificate for the MSM and EXE if needed.

You can accomplish something very similar by using a pre-signed merge module (MSM) -- Author your main installer as a signed merge-module. Then, include your already-signed MSM into an unsigned Setup EXE package, and add your custom data to the parent EXE installer. The custom data can be added in many different ways, such as a text file in a component, embedded into a custom action, or as a support file in InstallShield. Unfortunately, this means your main EXE installer is unsigned, which is NOT recommended.

Superbob
  • 712
  • 3
  • 5