When adding a digital signature in Advanced Installer, if you specify the "Built In" sign tool, you can:
- Choose your certificate file from your source code.
- Specify the password and have it stored encrypted in the project file.
However, is there a way of doing these when using the Custom signing tool? All I can find is where you can specify the location of the signing tool (from your source code) and some command line arguments.
However, the only way I can get it to work is to:
- Hardcode the location of the certificate file. (i.e. absolute path in Windows file system)
- Specify the password in plain text on the command line.
I can't seem to specify the file name relative to the location of the source code. I have tried just putting it in the same location as the signtool exe, hoping that that would be the working directory, as well as specifying the path to the file within my code (since that's how it displays the file in the "Built In" options), but neither of these works.
... and having the password in the command line for all to see just strikes me as insecure - especially considering the option to mask / encrypt it is provided in the "Built In" options.
When using the "Custom" option, the only available options are through the signtool.exe command line.
You should be able to pass the password through the "/p" parameter, as described in the Microsoft documentation for signtool.exe:
https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
The password should only be visible in the project, which only you would use anyway.
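
One way to address both concerns raised in the question, as an added example that is not from the thread and is not Advanced Installer's own mechanism: a PowerShell wrapper that resolves the certificate relative to its own location, imports it into the user certificate store, and signs by thumbprint so no password appears on the signtool command line. It assumes the Custom tool setting can launch `powershell.exe` with this script; the script name, `codesign.pfx` and the `SIGN_PFX_PASSWORD` environment variable are hypothetical.

```powershell
# sign-wrapper.ps1 (hypothetical name). Added example, not code from the thread.
# Assumptions: signtool.exe and the .pfx sit next to this script, and the build
# account's environment provides SIGN_PFX_PASSWORD (hypothetical variable name).
param(
    [Parameter(Mandatory = $true)]
    [string]$FileToSign
)

$ErrorActionPreference = 'Stop'

# Resolve paths relative to the script, not the caller's working directory.
$signTool = Join-Path $PSScriptRoot 'signtool.exe'
$pfxPath  = Join-Path $PSScriptRoot 'codesign.pfx'   # hypothetical file name

foreach ($path in @($signTool, $pfxPath, $FileToSign)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required file not found: $path"
    }
}

if ([string]::IsNullOrEmpty($env:SIGN_PFX_PASSWORD)) {
    throw 'SIGN_PFX_PASSWORD is not set for this account.'
}

# The password stays inside this process; it is never passed to signtool.
$secure = ConvertTo-SecureString -String $env:SIGN_PFX_PASSWORD -AsPlainText -Force

# Import into the current user's store. Without -Exportable the private key
# is marked non-exportable. Re-importing the same certificate is harmless.
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation 'Cert:\CurrentUser\My' -Password $secure |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

if ($null -eq $cert) {
    throw "No certificate with a private key found in $pfxPath"
}

# Select the certificate by thumbprint (/sha1) instead of /f + /p.
& $signTool sign /sha1 $cert.Thumbprint /fd SHA256 $FileToSign
if ($LASTEXITCODE -ne 0) {
    throw "signtool failed with exit code $LASTEXITCODE"
}
```

Once the certificate is in the store, the import step can be dropped and the thumbprint passed directly with `/sha1`, which removes the password from the build entirely.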