Reputation: 53
Should executables and dynamic libraries be signed when inside an MSI (or an Inno Setup exe) that is signed?
It seems like it does not matter as Windows doesn't complain, but I would like to confirm this.
Upvotes: 1
Views: 600
Reputation: 15905
This seems to come down to a question of when and why you would sign a given file. As you've noticed, it's helpful to sign the installation files so that UAC prompts are less foreboding. This argument can also apply to any EXE files that a user is likely to elevate.
After that, it comes down to a matter of preference and tradeoffs. The Windows Logo guidelines/certifications have often required all PE files to be signed, so that's what I would traditionally recommend. Drivers are a special case of this; recent versions of Windows may require them to be signed, but the signing needs are different than for the average PE file.
If neither of those applies to you (i.e. if you don't care about Logo, nor do you have a driver), what remaining goals might you have?
1 Note that signing the bootstrap or the .msi does not necessarily verify the content of an exe; it only does so if they are in a cab and the cab is itself signed or is included in a signed .msi. Otherwise Windows Installer typically only verifies EXE files by location and file version.
Upvotes: 1
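An added example, not part of the answer above: since a signature on the .msi or setup exe does not travel with the files once they are installed, this PowerShell audit reports the Authenticode status of each PE file on disk. The install path and the extension list are assumptions; adjust both to your product.

```powershell
# Added example: audit the Authenticode status of installed PE files.
# Assumption: $InstallDir is a hypothetical path; pass the folder your package installs to.
param(
    [string]$InstallDir = 'C:\Program Files\ExampleApp'
)

# Extensions treated as PE files here (assumed list, extend as needed).
$peExtensions = '.exe', '.dll', '.sys', '.ocx'

$report = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $peExtensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        # Checks the embedded or catalog signature of the file itself,
        # independent of whatever signed the installer that delivered it.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Without a timestamp, the signature stops validating once the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

$report | Sort-Object Status, File | Format-Table -AutoSize -Wrap

# Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) needs a decision.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })
Write-Host ("{0} PE files checked, {1} without a valid signature" -f @($report).Count, $notValid.Count)

# A non-zero exit code lets a release pipeline fail the build on unsigned payload files.
if ($notValid.Count -gt 0) { exit 1 }
```

Run it against a test install of the package rather than the build output, so the result reflects what actually lands on a user's machine.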