INFO: Digital Signature Support in Windows Installer 2.0

This article has been archived. It is offered "as is" and will no longer be updated.
Version 2.0 of Windows Installer supports use of digital signatures to detect corrupted resources during an installation. The digital signatures can be used with Windows Installer packages, transforms, patches, merge modules, and external cabinet files.
More information
Digital signature support allows a package author or administrator to be sure that the proper files are used during an installation and that those files are not corrupted. It does not provide the ability for a package to automatically be run with elevated permissions. For additional information on how to run an .msi package with elevated permissions, see the following article in the Microsoft Knowledge Base:
259459 HOWTO: Allow Users Who Are Not Administrators to Install MSI Packages
Windows Installer 2.0 can only verify the digital signatures of cabinet files that are external to the .msi file. The verification of the digital signatures is accomplished through the use of the MsiDigitalSignature and MsiDigitalCertificate tables. There is no need to sign internal cabinet files because they are considered part of the .msi file. By signing the .msi file, you have signed any internal cabinet files and binary streams.

If an administrative installation is run, the digital signature is removed from the .msi package. In this case, the administrator can re-sign the .msi package on the network share.

Applying a patch to an administrative installation also removes the digital signature. The administrator can re-sign the .msi package in this scenario as well.
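
The following PowerShell sketch is an added example, not code from this article or from Microsoft. It reports the Authenticode status of an .msi package and of each external cabinet in its Media table, and shows which of those cabinets the MsiDigitalSignature table lists, which is useful after an administrative installation or patch has removed the package signature. The function names are hypothetical, and the script assumes external cabinets sit in the same folder as the .msi file.

```powershell
# Added example. Function names are hypothetical; cabinets are assumed to sit beside the .msi.
function Invoke-Member($Object, $Name, $Kind, $MemberArgs) {
    # Late-bound call into the Windows Installer automation objects.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $MemberArgs)
}

function Get-MsiRows($Database, [string]$Sql, [string[]]$Columns) {
    # Runs a query and emits one object per row, reading each field as a string.
    $view = Invoke-Member $Database 'OpenView' 'InvokeMethod' @($Sql)
    $null = Invoke-Member $view 'Execute' 'InvokeMethod' $null
    while ($record = Invoke-Member $view 'Fetch' 'InvokeMethod' $null) {
        $row = [ordered]@{}
        for ($i = 0; $i -lt $Columns.Count; $i++) {
            $row[$Columns[$i]] = Invoke-Member $record 'StringData' 'GetProperty' @($i + 1)
        }
        [pscustomobject]$row
    }
    $null = Invoke-Member $view 'Close' 'InvokeMethod' $null
}

function Get-MsiSignatureAudit([string]$MsiPath) {
    $msi = (Resolve-Path -LiteralPath $MsiPath).Path
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-Member $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)   # 0 = read-only

    # SignObject holds the Media.DiskId of each cabinet the installer must verify.
    $signedDisks = @()
    try {
        $signedDisks = @(Get-MsiRows $db 'SELECT `SignObject` FROM `MsiDigitalSignature`' 'SignObject' |
            ForEach-Object { $_.SignObject })
    } catch { }   # the query fails when the package has no MsiDigitalSignature table

    # The signature on the package itself covers internal cabinets and binary streams.
    [pscustomobject]@{ File = $msi; InSignatureTable = $null
                       Status = (Get-AuthenticodeSignature -FilePath $msi).Status }

    foreach ($m in (Get-MsiRows $db 'SELECT `DiskId`, `Cabinet` FROM `Media`' 'DiskId', 'Cabinet')) {
        # Skip media without a cabinet and cabinets stored inside the .msi ('#' prefix).
        if (-not $m.Cabinet -or $m.Cabinet.StartsWith('#')) { continue }
        $cab = Join-Path (Split-Path $msi) $m.Cabinet
        $status = if (Test-Path -LiteralPath $cab) {
            (Get-AuthenticodeSignature -FilePath $cab).Status
        } else { 'Missing' }
        [pscustomobject]@{ File = $cab; InSignatureTable = ($signedDisks -contains $m.DiskId)
                           Status = $status }
    }
}
```

A cabinet that appears with InSignatureTable set to True and a Status other than Valid, or a package whose own Status is NotSigned after an administrative installation, is the case the article describes re-signing for.
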
Windows Installer SDK Help, which is available from the following Microsoft Web site:

Article ID: 304111 - Last Review: 01/10/2015 13:14:16 - Revision: 3.0
