INFO: Digital Signature Support in Windows Installer 2.0 (304111)

MORE INFORMATION

Digital signature support allows a package author or administrator to be sure that the proper files are used during an installation and that those files are not corrupted. It does not provide the ability for a package to automatically be run with elevated permissions. For additional information on how to run an .msi package with elevated permissions, click the article number below to view the article in the Microsoft Knowledge Base: Windows Installer 2.0 can only verify the digital signatures of cabinet files that are external to the .msi file. The verification of the digital signatures is accomplished through the use of the MsiDigitalSignature and MsiDigitalCertificate tables. There is no need to sign internal cabinet files because they are considered part of the .msi file. By signing the MSI file, you have signed any internal cabinet files and binary streams.

If an administrative installation is run, the digital signature is removed from the .msi package. In this case, the administrator can re-sign the .msi package on the network share.

Applying a patch to an administrative installation also removes the digital signature. The administrator can resign the .msi package in this scenario as well.