Code Signing during customer installation process?

  • wojciechka

    The binaries you are installing (i.e. MyApp.exe) should be signed before building the installer, not at customer site.

    The best way to do this is to have the build process of the application also sign it - i.e. if it is automated using Makefile, Maven, Ant/NAnt or another build tool, there should be another step to run signtool to sign the DLLs/EXEs.

    Similarly for Mac OS X binaries/bundles, the signing should be done at build time (and has to be done on an OS X machine). The process is documented here:

    https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

    As for signing .jar files, the process is slightly different and is documented here:

    http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html

    Alternatively, the same commands can be run to sign the binaries before building the installer in <preBuildActionList>; however, it is not recommended, as running the signing tools multiple times may lead to binary file size increase over time.
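
One way to keep a build step from signing the same EXE/DLL more than once, which is the concern raised in the comment above: read the PE header's certificate table entry and call signtool only when it is empty. This is an added example, not code from the original post; the helper names are hypothetical, the signtool arguments (certificate selection, digest, timestamping) are supplied by the caller, and the sample PE header is constructed for the demonstration.

```python
import struct
import subprocess
import sys

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE image carries a non-empty certificate table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 24                  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # start of data directories
    (count,) = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return False
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return offset != 0 and size != 0

def sign_if_unsigned(path, signtool_args, run=subprocess.run) -> bool:
    """Hypothetical build-step helper: run signtool only on unsigned files."""
    with open(path, "rb") as f:
        if has_authenticode_signature(f.read()):
            return False               # already signed: do not sign again
    run(["signtool", "sign", *signtool_args, path], check=True)
    return True

def make_sample_pe(signed: bool, magic: int = 0x20B) -> bytes:
    """Constructed header-only PE image for demonstration (not a real EXE)."""
    dirs = 96 if magic == 0x10B else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)
    if signed:                         # constructed file offset and size
        struct.pack_into("<II", opt, dirs + 8 * SECURITY_DIR, 0x400, 0x1A0)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":             # usage: script.py MyApp.exe /fd SHA256 /a
    print("signed now" if sign_if_unsigned(sys.argv[1], sys.argv[2:]) else "skipped")
```

The check only tells whether a certificate table is present; verifying that an existing signature is valid and from the expected publisher is a separate step (for example `signtool verify /pa`).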
