Digitally Signing the Setup Package

Digital signatures are used to verify the integrity and authenticity of digital messages, including software such as Setup packages. Tarma Installer provides features that make it easy to add a digital signature to the Setup packages that you create with Tarma Installer.

Note - The topic Digital Signatures in the online help provides important background information about digital signatures. We strongly recommend that you read it before attempting to follow the instructions below.

How to configure the SignCode options

Before you attempt to sign a Setup package for the first time, you should configure a number of SignCode-related options. This has to be done only once; from then on, Tarma Installer will use the options for each project that you create.

To configure the SignCode options, act as follows.

1. Make sure that SignCode.exe and its supporting libraries are installed somewhere on your computer. If necessary, refer to Digital Signatures for information about obtaining SignCode.exe.
2. Make sure that you have a valid digital certificate and associated private key. Again, refer to Digital Signatures for information about obtaining these.

3. Open the Preferences - SignCode dialog using one of the following methods:

   • If you are currently on the Build page, click the Settings... button in the Digital signature section.
   • At any time, use the Edit > Preferences command from the main menu, then click the SignCode tab.

4. In the Preferences - SignCode dialog, set the following options:

   • SignCode path - Enter the fully qualified path to the SignCode.exe file, or click the ... (browse) button to browse for its location.
   • Digest algorithm - As desired.
   • SPC file path - Enter the fully qualified path to your SPC (Software Publishing Certificate) file, or click the ... (browse) button to browse for its location.
   • PVK storage - Select either Container or Disk file, then fill in the appropriate location of your PVK (Private Key) registry container or file.
   • Timestamp - Check this box to add a timestamp each time you sign a Setup package; clear it to omit the timestamp. The remaining timestamp options probably don't need to be modified.
5. Click OK to save the SignCode settings and close the dialog.

How to sign your Setup package after each build

To sign your Setup package automatically after each successful project build, act as follows.

1. Make sure that you have configured the SignCode options properly (see How to configure the SignCode options above).
2. Open or create the Tarma Installer project for your application's Setup package.
3. Select the Build page by clicking on its bullet in the Navigation Area.
4. Make sure that the Use integrated signing option is selected.
5. Check the Sign after build box on the Build page.
6. Until you clear this box, Tarma Installer will automatically run SignCode at the end of each successful project build, which makes it all but impossible to forget. (Note that this is a per-project setting that applies only to the project in which you checked it.)

How to sign your Setup package on demand

To sign your Setup package at any time, act as follows.

1. Make sure that you have configured the SignCode options properly (see How to configure the SignCode options above).
2. Open or create the Tarma Installer project for your application's Setup package.
3. Select the Build page by clicking on its bullet in the Navigation Area.
4. Make sure that the Use integrated signing option is selected.
5. Click the Sign Now button on the Build page.
6. Tarma Installer will start SignCode just as it would during automatic signing. If you have changed any part of your project since the last build, or if the Setup package hasn't been built yet, you will be prompted for a project build first.