A digital signature can be used to verify the identity of the vendor of an installation file, and to verify that the file hasn't been tampered with since it was signed. Digitally signing an installation file requires a private key and a public key certificate, both of which must previously have been created using the Certificate Generator. The process is:
1. Create a private key and a self-signed certificate using the Certificate Generator. If verification of the sender's identity is not important, then skip to step 4.
2. Create a certificate request using the Certificate Generator, specifying the private key and self-signed certificate created in step 1.
3. Send the certificate request to the Certificate Authority, and get back the authenticated digital certificate.
4. Create the .pkg file.
5. Invoke MakeSIS on the package file.
6. Sign the installation file using SignSIS, specifying as command line arguments the private key used to create the digital signature, and the public key certificate to be used to decrypt it. For secure installation this should be an authenticated digital certificate; however, a self-signed certificate may be used.
Note that CreateSIS can alternatively be used to wrap up steps 5 and 6.
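The six steps above as a shell sketch, added here as an example and not taken from the original page or the SDK. It assumes the Certificate Generator is invoked as `makekeys` with the options shown; the file names, the distinguished name and the `KEY_PASS` variable are constructed placeholders. It only prints the commands unless `RUN=1` is set.

```sh
#!/bin/sh
# Added example, not from the original page. Dry run unless RUN=1.
# Assumptions: the Certificate Generator command is `makekeys` with the
# options shown; file names, distinguished name and KEY_PASS are constructed.

step() {                       # show a command (passphrase masked); run it if RUN=1
    shown=
    for a in "$@"; do
        if [ "$a" = "$pass" ]; then a='****'; fi
        shown="$shown${shown:+ }$a"
    done
    printf '%s\n' "$shown"
    [ "${RUN:-0}" != 1 ] || "$@"
}

sign_pipeline() {              # usage: sign_pipeline <basename> <self|ca>
    name=$1; mode=${2:-self}
    pass=${KEY_PASS:-placeholder-passphrase}
    key=$name.key; cert=$name-self.cer
    dname='CN=Example Vendor OU=Dev OR=Example Ltd CO=GB'   # constructed

    # Step 1: private key and self-signed certificate. Never regenerate an
    # existing key: a certificate already issued by the CA is bound to it.
    [ -f "$key" ] || step makekeys -cert -password "$pass" -dname "$dname" "$key" "$cert" || return 1

    if [ "$mode" = ca ]; then
        # Steps 2-3: certificate request; the CA's reply is saved as $name-ca.cer.
        [ -f "$name.p10" ] || step makekeys -req -password "$pass" -dname "$dname" "$key" "$cert" "$name.p10" || return 1
        cert=$name-ca.cer
        if [ "${RUN:-0}" = 1 ] && [ ! -f "$cert" ]; then
            echo "send $name.p10 to the CA, save its reply as $cert, then re-run" >&2
            return 2
        fi
    fi

    # Steps 4-6: the .pkg file is written by hand; build the SIS, then sign it.
    step makesis "$name.pkg" "$name.sis" || return 1
    step signsis "$name.sis" "$name.sisx" "$cert" "$key" "$pass"
}

sign_pipeline myapp self
```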