Home/ Questions/Q 234691
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T20:12:19+00:00

My company finally bought a code-signing certificate. I have a WinForms application (1 exe

  • 0

My company finally bought a code-signing certificate.

I have a WinForms application (1 exe and several dlls), all assemblies are already signed with a strong name. The entire application is then packaged into a msi installer. Then I use NSIS to pack the msi, the bootstrapper and the prerequisites (Framework, SQL CE…) into a single setup.exe.

Obviously my setup.exe needs to be signed, to avoid the “scary” UAC prompt. Is that enough or would you also sign the other files, especially the .NET assemblies?

Another project that belongs to the application is a Windows serivce. Would you sign that assembly?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You don’t have to but its not a bad idea.

    Authoring a Fully Verified Signed Installation

    You can use these guidelines to cover
    an entire Windows Installer
    installation by a digital signature.

    Authors of Windows Installer
    installations must adhere to the
    following to ensure that all parts of
    the installation are covered by a
    digital signature:

    • Use internal cabinet files, or use signed external cabinet files and
      correctly author the
      MsiDigitalSignature table and
      MsiDigitalCertificate table.
    • Use only custom actions stored within the package or installed with
      the package.
    • Sign the installation package.
    • Include an MsiPatchCertificate table in the package. To enable User Account
      Control (UAC) Patching, this table
      must contain information used to
      identify the signer certificates used
      to digitally sign patches. UAC
      patching enables the author of the
      installation package to identify
      digitally-signed patches that can be
      applied in the future by
      non-administrator users.

    The instructions above cover what you need to do for the installer itself. Signing the assemblies is up to you and is somewhat of a separate issue and has separate concerns and benefits. Please read Strong name assemblies can keep you out of DLL Hell for more information about signing assemblies.

    • 0