Digitally signing an InstallShield Executable With An Automated Build Process

Those that are familiar with InstallShield knows about the option to digitally sign your executable, DLLs and other helper classes. You simply enter the paths to your .spc and .pvk certificates along with your password and the files are digitally signed ever time you build a release. You also have the option of using the newer .pfx certificate along with your password to do the same thing. Either way works just fine if you are manually building your installer. If you are trying to automate this process, you will run into trouble.

The sign process is one of the most hockey things InstallShield has slapped together. Have you ever noticed small dialog boxes that seem to flicker on the screen during the build of the release? That is the sign code in action. I'm pretty sure this process applies for several versions back, but the 2009 InstallShield Premier edition is where I discovered this blunder. What this is actually doing in the background is calling signcode.exe in the background and pasting your password into the dialog box that signcode prompts the user for. Obviously, when you are trying to automate the build process, no dialogs or UI of any kind can pop up or it will hang the program. That is what was happening to me.

There is a solution, sort of. In order to automate the build, you will have to pull the code signing out of InstallShield and do it yourself via command line. InstallShield uses SignCode.exe, but it also comes with SignTool.exe that will allow you to pass your password to it via command line. The one catch is that you must use a .pfx formatted certificate in order to use SignTool.exe. So, what I did was call ISCmdBld.exe to build my installer and right after that, I called SignTool.exe with the command line switches it would be looking for. The defination of switches available should be viewable if you place a /? after the call. The steps for automating the build process and calling SignTool.exe you will have to look up somewhere else. There are loads of data about how that works, but the one thing I never found spelled out anywhere is the fact that InstallShield simply is not capable of automating the digital signiture process inside of its build steps.