I just created an msi installer for an application that I will distribute from my website. I digitally signed the msi using OpenSSL. Now my question is: how do I package the msi so that it can be installed on users' computers? Should I send the user the certificate I created by email so he can run the msi? Which is the preferred procedure for doing things in this case?
It really depends on what you're trying to accomplish by signing the MSI. If you just want to allow it to install, you're already done; Windows doesn't disallow the installation of unsigned MSI files. If you're trying to get a green UAC prompt, then the signing certificate needs to be verifiable. This can be done by purchasing the certificate appropriately, or by installing a self-signed certificate or its root on each target machine. (The latter is common within enterprises for items the enterprise itself has signed.)
If you're trying to actually ensure safety, however, you quickly encounter a chicken-and-egg problem. A file signed with a certificate issued to X is supposed to confirm the bits came from X, and allow a user to decide if X is trustworthy. Part of this requires knowing nobody else could have used a certificate claiming to have been issued to X. If you are using a self-signed certificate, or one issued by a self-signed root, there is no built-in chain of identity validation. (It's no longer Morgan's child's roommate; instead it's just someone's roommate.)
How do you safely get the identifying information, such as the root certificate, to the user? How can they be sure it wasn't a malicious version that trusts the fake X? (How do you introduce Morgan when nobody knows him, without getting some fellow Murphy who just calls himself Morgan?) Outside of the enterprise scenario I alluded to above, or ways that start with a paid certificate, I'm not aware of any good ways.
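To make the chain-of-identity point in the answer concrete, here is an added example; it is not part of the original question or answer. It uses OpenSSL CMS detached signatures as a stand-in for Authenticode (the container format differs, but the trust-anchor logic is identical): two self-signed roots each issue a leaf whose subject claims to be "X Software", both sign the same file, and the verifier accepts or rejects purely on the basis of which root it was handed out-of-band. The root names, the leaf name, the file names and the "installer" contents are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. OpenSSL CMS stands in for Authenticode:
# the format differs, but a signature only means something relative to a trusted root.
# All names, keys and the "installer" below are constructed and thrown away afterwards.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_chain <root CN> <file prefix>
# Creates a self-signed root CA and a leaf with subject "CN=X Software" issued by it.
# Note the leaf subject is identical for every root: the name alone proves nothing.
make_chain() {
    ca_name=$1; prefix=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca_name" \
        -keyout "$prefix-root.key" -out "$prefix-root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=X Software" \
        -keyout "$prefix-leaf.key" -out "$prefix-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$prefix-leaf.csr" -CA "$prefix-root.pem" \
        -CAkey "$prefix-root.key" -CAcreateserial -days 2 \
        -out "$prefix-leaf.pem" 2>/dev/null
}

# sign_file <file> <prefix>
# Detached CMS signature over <file> by the leaf under <prefix>. The signer's root is
# bundled into the signature on purpose: a verifier must never take trust anchors from
# the very blob it is checking, so bundling the root with the installer buys nothing.
sign_file() {
    openssl cms -sign -binary -in "$1" -signer "$2-leaf.pem" -inkey "$2-leaf.key" \
        -certfile "$2-root.pem" -outform DER -out "$1.$2.sig" 2>/dev/null
}

# verify_file <file> <prefix> <root pem the user was given>
# Succeeds only if the signature chains to the root passed in as the trust anchor.
verify_file() {
    openssl cms -verify -binary -inform DER -in "$1.$2.sig" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# A stand-in for the installer the user downloads (constructed content).
printf 'pretend these are the bytes of setup.msi\n' > setup.msi

# "Morgan" and "Murphy calling himself Morgan": two roots, same leaf name.
make_chain "X Root CA (genuine)" real
make_chain "X Root CA (impostor)" fake
sign_file setup.msi real
sign_file setup.msi fake

# report <signer prefix> <root the user trusts>
report() {
    if verify_file setup.msi "$1" "$2"; then
        echo "signed via '$1' root, checked against $2: ACCEPTED"
    else
        echo "signed via '$1' root, checked against $2: REJECTED"
    fi
}
report real real-root.pem   # genuine root obtained out-of-band: accepted
report fake real-root.pem   # impostor's leaf also says "X Software" but chains elsewhere: rejected
report fake fake-root.pem   # if the impostor's root was e-mailed and installed, the fake is accepted
```

The third line of output is the chicken-and-egg problem from the answer: the verifier is only as good as the root it was given, and a root delivered over the same channel as the installer (an e-mail, the download page) can be swapped by whoever controls that channel. Installing a self-signed root via enterprise policy, or buying a certificate that chains to a root already shipped with Windows, are the two ways the anchor arrives by a path the attacker does not control.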