My method is to add the following line to my deployment project's PostBuildEvent property (assuming I need to use a certificate stored on a smart card (/a option) and that the signtool path can't be determined via environment variables):
call "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a /d "$(SolutionName)" /q "$(BuiltOuputPath)"
This will sign the generated MSI, but not the enclosed EXE files. For this, I also add the following lines in the Post-build event of my C# projects (Project > Properties > Build Events):
call "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /a /d "$(SolutionName)" /q "$(TargetDir)$(TargetFileName)" "$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)"
Doing so will sign after a successful build:
- The EXE file built from my C# project (under the bin directory)
- The EXE file used by my deployment project as "Primary output" (under the obj directory)
- And finally the MSI package
Then, at the end, I don't have any unsigned executable file, which is what I was looking for :)
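As an added check (my own example, not part of the answer above), a PowerShell script that can run as a final post-build step to confirm that the three outputs the answer signs (bin EXE, obj EXE, MSI) all carry a valid Authenticode signature, failing the build if any were missed, for instance because signtool /a found no usable certificate. The solution path and configuration are assumed values that would normally be passed from the $(SolutionDir) and $(ConfigurationName) macros.

```powershell
# Added example: verify that every build artifact the post-build signing steps
# are supposed to cover is actually signed. Paths below are assumptions.
param(
    [string]$SolutionDir   = "C:\src\MyApp",   # assumed; pass $(SolutionDir) from MSBuild
    [string]$Configuration = "Release"         # assumed; pass $(ConfigurationName)
)

# Collect the same artifacts the answer signs: EXEs under bin\ and obj\ for the
# C# projects, and the MSI produced by the deployment project.
$candidates = @(
    Get-ChildItem -Path (Join-Path $SolutionDir "*\bin\$Configuration") -Filter *.exe -Recurse -ErrorAction SilentlyContinue
    Get-ChildItem -Path (Join-Path $SolutionDir "*\obj\$Configuration") -Filter *.exe -Recurse -ErrorAction SilentlyContinue
    Get-ChildItem -Path (Join-Path $SolutionDir "*\$Configuration")     -Filter *.msi -Recurse -ErrorAction SilentlyContinue
)

if (-not $candidates) {
    Write-Error "No build outputs found under $SolutionDir for configuration $Configuration."
    exit 1
}

$unsigned = foreach ($file in $candidates) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    # 'Valid' means the file is signed and the certificate chains to a trusted root.
    # NotSigned, HashMismatch or UnknownError all count as a failed signing step.
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            File   = $file.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

if ($unsigned) {
    $unsigned | Format-Table -AutoSize | Out-String | Write-Error
    exit 1   # non-zero exit code makes the post-build event fail the build
}

Write-Host "All $($candidates.Count) artifacts carry a valid Authenticode signature."
exit 0
```

Run it as the last post-build event of the deployment project (after its own signtool line), since the MSI is the final artifact produced.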