"Superfreak3" <Matt.Walker@synergis.com> wrote in message
news:1187277948.079017.234010@r29g2000hsg.googlegroups.com...
> We just received our digital certificate and it appears that it has
> been added or applied to our all inclusive .msi installation package
> file accordingly. We now get the friendlier UAC prompt listing the
> app, company, etc.
>
> Now, what I would like to do is populate the msiPatchCertificate table
> as a precursor requirement for credential free patching. However,
> this seems to be dependent upon an entry in the msiDigitalCertificate
> table. Even though my base install seems to be functioning properly
> after application of the signature, there is nothing in my test
> package's msiDigitalCertificate table.
>
> I thought I read somewhere that this table is only populated if
> external .cab files are signed. If this is correct, we have no
> external .cab's as it's only the all inclusive .msi.
>
> How can I populate the msiPatchCertificate table if the above is
> correct? Would something have to be added to the msiDigitalCertificate
> table as well? I wouldn't mind populating the information manually.
> I would just hope it would be held with subsequent compiles of our
> installation via Wise for Windows Installer.
>
> Any help greatly appreciated!
>
Signing of the MSI itself and the population of rows in the various MSI
digital signature related tables in the file itself are independent from one
another.
The final steps to get you going are:
1. Add a new row into the MsiDigitalCertificate table like:
   DigitalCertificate                 CertData
   VerisignCodeSignYourCompany2007    <object>
Get <object> by running certmgr.msc and exporting your code signing
certificate (DER encoded binary X.509 .cer format works) to a file. This
<object> is your certificate file and will be streamed into the table during
your MSI build process -- likely Wise will have dialog related to this
table. If not it should handle custom tables with binary entries and allow
you to specify a file path for <object>. If not, buy another tool.

No, not really -- just use Orca to add the row manually and then create a
transform that only includes this change. Now apply the MST to your MSI as a
postbuild script using msitran.exe.
2. Now add a row into the MsiPatchCertificate table:
   PatchCertificate      DigitalCertificate_
   2007PatchSignature    VerisignCodeSignYourCompany2007
This basically tells the installer that any MSP file that is signed using
the certificate referenced by the row VerisignCodeSignYourCompany2007 in the
MsiDigitalCertificate table should be considered trusted and thus allows
you to bypass UAC prompt on Vista+ when running the patch -- even as
non-admin.
Note the names are arbitrary, since the installer doesn't care. But I like
the idea of somehow conveying the certificate provider, company and year the
certificate became active to an administrator.
Sincerely,
Adrian Accinelli
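The two rows described in steps 1 and 2 can be written into the built package by a post-build script instead of by hand in Orca. The PowerShell below is an added example, not code from this thread, from Wise or from Microsoft; it drives the Windows Installer automation interface (the WindowsInstaller.Installer COM object, called through reflection because the object exposes no type library PowerShell can bind to directly). The .msi and .cer paths and the two row names are placeholders to replace; the row names are arbitrary keys exactly as the reply says, and the .cer must be the DER export of the certificate that will later sign the .msp files.

```powershell
# Added example (not from the thread): post-build step that stamps the MsiDigitalCertificate
# and MsiPatchCertificate rows into a built .msi via the WindowsInstaller.Installer COM object.
# All paths and row names below are placeholders/assumptions; replace them for your build.
param(
    [string]$MsiPath  = 'C:\build\Product.msi',             # placeholder: built, not-yet-signed package
    [string]$CerPath  = 'C:\build\codesign.cer',            # placeholder: DER .cer exported from certmgr.msc
    [string]$CertRow  = 'VerisignCodeSignYourCompany2007',  # arbitrary key, as in the reply
    [string]$PatchRow = '2007PatchSignature'                # arbitrary key, as in the reply
)

# The installer object has no type library usable from PowerShell, so every call goes
# through reflection (InvokeMethod for methods, SetProperty for indexed properties).
function Invoke-MsiMethod($Object, $Name, $Arguments) {
    $Object.GetType().InvokeMember($Name, [Reflection.BindingFlags]::InvokeMethod, $null, $Object, $Arguments)
}
function Set-MsiProperty($Object, $Name, $Arguments) {
    $Object.GetType().InvokeMember($Name, [Reflection.BindingFlags]::SetProperty, $null, $Object, $Arguments)
}

# $true when the table already exists in the package (looked up in the _Tables system table).
function Test-MsiTable($Database, $TableName) {
    $view = Invoke-MsiMethod $Database 'OpenView' @("SELECT ``Name`` FROM ``_Tables`` WHERE ``Name`` = '$TableName'")
    Invoke-MsiMethod $view 'Execute' $null | Out-Null
    $row = Invoke-MsiMethod $view 'Fetch' $null
    Invoke-MsiMethod $view 'Close' $null | Out-Null
    return ($null -ne $row)
}

# Runs one MSI SQL statement; $Record supplies values for any '?' parameter markers.
function Invoke-MsiSql($Database, $Sql, $Record = $null) {
    $view = Invoke-MsiMethod $Database 'OpenView' @($Sql)
    Invoke-MsiMethod $view 'Execute' @($Record) | Out-Null
    Invoke-MsiMethod $view 'Close' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# msiOpenDatabaseModeTransact (1): all edits are buffered until Commit.
$db = Invoke-MsiMethod $installer 'OpenDatabase' @($MsiPath, 1)

# A package whose only signature is on the .msi itself usually lacks both tables, so create
# them when missing. Column types follow the documented schema (Identifier keys, binary CertData).
if (-not (Test-MsiTable $db 'MsiDigitalCertificate')) {
    Invoke-MsiSql $db 'CREATE TABLE `MsiDigitalCertificate` (`DigitalCertificate` CHAR(72) NOT NULL, `CertData` OBJECT NOT NULL PRIMARY KEY `DigitalCertificate`)'
}
if (-not (Test-MsiTable $db 'MsiPatchCertificate')) {
    Invoke-MsiSql $db 'CREATE TABLE `MsiPatchCertificate` (`PatchCertificate` CHAR(72) NOT NULL, `DigitalCertificate_` CHAR(72) NOT NULL PRIMARY KEY `PatchCertificate`)'
}

# Step 1: the certificate bytes are streamed from the .cer file into the binary CertData column.
$certRec = Invoke-MsiMethod $installer 'CreateRecord' @(2)
Set-MsiProperty  $certRec 'StringData' @(1, $CertRow) | Out-Null
Invoke-MsiMethod $certRec 'SetStream'  @(2, $CerPath) | Out-Null
Invoke-MsiSql $db 'INSERT INTO `MsiDigitalCertificate` (`DigitalCertificate`, `CertData`) VALUES (?, ?)' $certRec

# Step 2: the patch-certificate row references the certificate row above by its key.
$patchRec = Invoke-MsiMethod $installer 'CreateRecord' @(2)
Set-MsiProperty $patchRec 'StringData' @(1, $PatchRow) | Out-Null
Set-MsiProperty $patchRec 'StringData' @(2, $CertRow)  | Out-Null
Invoke-MsiSql $db 'INSERT INTO `MsiPatchCertificate` (`PatchCertificate`, `DigitalCertificate_`) VALUES (?, ?)' $patchRec

Invoke-MsiMethod $db 'Commit' $null | Out-Null
Write-Host "Wrote $CertRow and $PatchRow into $MsiPath; sign the package after this step."
```

Run this before the package is Authenticode-signed: any edit to the .msi, including this one, invalidates a signature already on the file, so the order is build, add rows, then signtool. Only patches signed with the certificate whose DER bytes sit in CertData will be accepted under the MsiPatchCertificate entry, so verify that the exported .cer is the same certificate the patch build signs with, and plan a new pair of rows when that certificate is renewed.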