I have a NSIS script that I use to generate an installer for Microsoft Windows operating system. Installer is currently working from Windows XP and beyond.
However I would like to sign it in order to avoid the final user get the warning message before starting the installation. I know it is possible and there are several posts in stack overflow about using sign tool command.
What I have not found are:
thanks
NSIS:
!finalize 'sign.bat "%1"' ; %1 inside the batch file is the .exe to sign
!uninstfinalize 'sign.bat "%1"'
What you put in sign.bat depends on your toolchain. If you are using the Windows SDK it would be Signtool.
Before you can do any of this you have to pick a certificate authority that lets you Authenticode sign (incomplete list here) with a timestamp server. Ideally you would sign with both SHA256 and SHA1.
if you want to integrate into the Windows Error Reporting (WER) service, you should consider using VeriSign to issue the certificate, because accessing the WER database requires a WinQual account which requires a VeriSign ID.