Integrate InstallShield for custom signing

InstallShield is a leading solution for developers to create reliable and modern installation packages for Windows, including MSI and MSIX formats. It simplifies the software installation process with a user-friendly interface, seamless integration into development environments like Visual Studio, and capabilities for cloud-based and multi-platform deployments.

Follow these instructions to integrate InstallShield with Software Trust Manager or KeyLocker.

Prerequisites

  • InstallShield 2023 R2 or later (from Revenera)

  • SMCTL

  • Client authentication certificate

  • Code signing certificate file (public key only)

  • API key (for KeyLocker)

  • Client certificate password (for KeyLocker)

  • Keypair name (for KeyLocker)

Step 1: Create and save the PowerShell script

Review the following script, which configures the session environment variables for KeyLocker and invokes signtool.exe to sign the file passed from InstallShield.

Adapt the script to your environment, and then save it as powersign.ps1.

# PowerShell script to sign files using signtool with STM/KeyLocker integration.

param(
    [string]$name  # Receives the filename to be signed
)

# Set session environment variables for DigiCert STM/KeyLocker SaaS service.
# These values are credentials, so restrict read access to this script file.
$env:SM_API_KEY="your_api_key_here"
$env:SM_CLIENT_CERT_FILE="path_to_your_ClientAuthCertificate.p12"
$env:SM_CLIENT_CERT_PASSWORD="your_certificate_password_here"
$env:SM_HOST="https://clientauth.one.digicert.com"

# Call signtool with necessary parameters:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc "Your_KeyPair_Name" /f "Path_to_Your_CodeSigning_Certificate_File" /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $name

# Pass signtool's exit code back to the caller so a signing failure is not reported as success.
exit $LASTEXITCODE

Step 2: Configure InstallShield for custom signing

  1. Open InstallShield, and then load your project.

  2. Navigate to the Release Configuration section, and then in the project tree, select Release.

  3. Under the selected release, select the Signing tab.

  4. Set the Signing Type to Custom.

  5. Specify the full path (folder and filename) to the PowerShell executable that runs the script created in Step 1, such as C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

  6. Enter the following arguments, which pass the full path (folder and filename) of the PowerShell script and the file to be signed. Replace path_to_the_powershell_script.ps1 with the path to powersign.ps1.

    • -f "path_to_the_powershell_script.ps1" -name [filename]

Step 3: Validate the configuration

  1. Run the InstallShield build process to build a project.

  2. Locate the output file.

  3. Select Properties > Digital Signatures to ensure the digital signature displays correctly.
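
The same check can be scripted so that every file in the release output is verified, not only the one you open in Properties. The following is an added example, not part of the DigiCert or InstallShield documentation; the script name verify-signatures.ps1, the $ReleaseDir parameter, and the extension list are assumptions.

```powershell
# Added example: verify Authenticode signatures on InstallShield build output.
# $ReleaseDir and $Extensions are assumptions; set them for your project.
param(
    [Parameter(Mandatory = $true)]
    [string]$ReleaseDir,
    [string[]]$Extensions = @('.exe', '.msi', '.dll')
)

function Test-ReleaseSignature {
    param([string]$Path, [string[]]$Extensions)

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # powersign.ps1 requests an RFC 3161 timestamp (/tr), so a signature
            # without a timestamper certificate means that request did not succeed.
            $timestamped = $null -ne $sig.TimeStamperCertificate
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Timestamped = $timestamped
                Signer      = $signer
                Ok          = ($sig.Status -eq 'Valid') -and $timestamped
            }
        }
}

$results = @(Test-ReleaseSignature -Path $ReleaseDir -Extensions $Extensions)
if ($results.Count -eq 0) {
    Write-Error "No files with extensions $($Extensions -join ', ') under $ReleaseDir"
    exit 2
}

$results | Format-List File, Status, Timestamped, Signer

# Fail when any file is unsigned, has an invalid signature, or lacks a timestamp.
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) file(s) are unsigned, invalid, or not timestamped"
    exit 1
}
exit 0
```

Run it after the build with powershell.exe -File verify-signatures.ps1 -ReleaseDir followed by the release output folder. A Status other than Valid also appears when the signing certificate's chain is not trusted on the machine running the check.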