Reputation: 22255
What part of a signed executable/MSI file can I modify so as not to affect its digital signature?
Let me explain my dilemma. I have my main software that has an option to install a smaller module of the software by letting a user save its MSI installer and later run it on a remote computer.
That MSI installer is originally digitally signed by my code-signing certificate.
The issue I have is how to pass some minimum data in that MSI that can be generated dynamically from the main app? Stuff like registration name and some minimum software-related parameters that a user chose via the UI.
First I thought to modify the MSI contents dynamically from the app, but that would break the digital signature. (I obviously can't re-sign it since I'm not willing to expose my private key for the digital certificate in that app.)
So at this point, I'm curious, if there's any part of the MSI file that are not affected by the digital signature? I know that file name is not affected, but that won't give me much wiggle room to add my data.
Upvotes: 1
Views: 2009
Answers (2)
Reputation: 12235
You can't modify a single byte inside MSI without breaking the digital signature, because that's exactly the purpose of the signature - to ensure that the content is not modified. Note that it's not specific to MSI, but to any signed file actually.
As an idea, if you don't want to "give" you private key to the customers, you can consider generating the MSI on the server (and keeping the key private key on the server) maybe?
Upvotes: 0
Reputation: 20780
I'm convinced you can't circumvent a signed file because that would be a huge security issue. What tool are you using to build your MSI? That affects this too.
There are a couple of choices that should work if this is something you can do at install time, however it's not clear exactly what the data is and where you'd have it in the MSI file.
A custom action can collect data and populate existing tables (e.g. Registry) at install time, the result being that the in-memory MSI database makes the changes you need when it installs the product.
Normally you'd create a transform file (a .mst file) and install the MSI with the TRANSFORMS=[mst file] but it's possible that the mst file would need signing to be installed with a signed MSI, but I'm not sure about that. That's an easy test though - use Orca to generate a mst file that changes something in the Property table then install the MSI with TRANSFORMS=..... and see if it disallows the unsigned transform.
Upvotes: 1
Related Questions
- How to protect MSI installer digital signature from tampering
- IronPdf - Signature Image is not rendered in digitally signed PDF
- Is there a way to add a digital signature to visio? Can I use VBA to display my digital signature on my Visio form?
- iTextSharp not rendering digital signature
- How to store digital signature of file or text in C#?
- Digital Signature on file gone after download from website
- "Windows cannot verify the digital signature" for a driver I signed — what to do?
- How to sign assembly and exe files in the installer package?