In short
MSI and MSIX installers are signed with the same command as an EXE: signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Setup.msi. Two format rules catch people out: an MSI holds exactly one signature (the /as append flag fails on it), and an MSIX only installs when the Publisher in its manifest matches your certificate's subject character for character. Sign the binaries inside the package first, then the package itself, and check the result with signtool verify /pa /v.
Most people arrive at installer signing straight from signing their first EXE, expecting a copy-paste job. It nearly is — same tool, same certificate, same flags. The failures come from what's different about the containers: MSI packages that refuse a second signature, MSIX packages that reject a technically valid certificate over a one-comma difference in the publisher name, and setup bundles that hide a second file needing its own signature. This guide covers the commands for each format and the rules behind those failures, so the first signed build is also the last one you have to debug.
What's different about signing an installer
The command is the same one you'd run on an EXE — signtool sign with /fd SHA256, a timestamp, and your certificate. What changes is the container: an MSI stores exactly one signature and loses it if the package is modified afterwards, an MSIX refuses to install without a valid signature, and bundle-style setup.exe files carry an embedded engine that needs signing separately.
Everything this guide assumes about the basics — installing SignTool from the Windows SDK, the mandatory /fd SHA256 flag, picking a certificate with /a, /n, or /sha1 — is covered step by step in our EXE signing guide. Start there if SignTool isn't on your machine yet; this article picks up where that one ends, at the point where the file you're signing is a package rather than a program.
Why installers deserve the extra care: they're the file users actually download, so they're what SmartScreen evaluates at download time and what the UAC consent prompt describes during an elevated install. A signed MSI puts your organization's name on that prompt. An unsigned one shows "Unknown Publisher" — to someone deciding whether to click Yes on software that's about to modify their system.
Sign from the inside out
Sign the files that go into the installer first — the application EXE and its DLLs — then build the package, then sign the package itself as the last build step. An installer's signature covers only the container: Windows does not treat the files inside as signed just because the MSI around them was.
The order matters in both directions. Packaging unsigned binaries means that after installation, every trust decision about your application — SmartScreen on first launch, antivirus heuristics, AppLocker rules — happens against unsigned files. And signing the package before the build is final wastes a signature: any rebuild, patch, or post-processing step changes the file's bytes and invalidates it. In an automated pipeline both signing passes typically live in the same job; our CI/CD signing guide covers how to wire that up without exposing the key.
Signing an MSI with SignTool
One command signs an MSI: signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Setup.msi. SignTool recognizes the Windows Installer format on its own, so nothing MSI-specific gets added. The format brings two rules of its own: one signature per file, and no modifications afterwards — the signature is computed over the package bytes and any change breaks it.
signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Setup.msi
# Several certificates installed? Select by subject name:
signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 ^
/n "Your Company Name" Setup.msi
# Verify the result:
signtool verify /pa /v Setup.msiIf you don't have the certificate yet, any publicly trusted code signing certificate handles MSI and MSIX the same way it handles an EXE — the Certum certificates My-SSL sells work with every command on this page, standard and EV alike. Since June 1, 2023, the private key ships on certified hardware, so expect the token PIN prompt during signing.
One signature only
The /as append flag — routine for dual-signing EXE files — fails on an MSI with "Multiple signature support is not implemented for this filetype." If your packaging tool dual-signs by default, turn that off for MSI output and sign once with SHA-256. There's no practical loss: SHA-1 signatures stopped being useful years ago.
The no-modification rule has one consequence worth knowing before it surprises you: an administrative install ( msiexec /a) rewrites the package while extracting it, which strips the signature from the resulting MSI. That's documented Windows Installer behavior. If your enterprise customers deploy from administrative images, they're deploying an unsigned package unless you re-sign it — worth a line in your deployment notes.
Signing an MSIX package
MSIX makes signing mandatory: Windows will not install an unsigned package, even silently. The command is the familiar signtool sign /fd SHA256, with one extra rule — the Publisher value in the package's AppxManifest.xml must match your certificate's subject name character for character, including the order of the name's parts. A mismatch fails with error 0x8007000B.
signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a MyApp.msix
# The /fd value must match the block map's hash method —
# SHA256 is the MakeAppx default, so /fd SHA256 is almost always right.When the publisher check fails, SignTool's own error is unhelpfully generic. The specific complaint lands in Event Viewer under Applications and Services Logs → Microsoft → Windows → AppxPackagingOM → Operational, where the event spells out both strings so you can see exactly where they diverge. The reliable fix is mechanical: open your certificate, copy the full subject line, and paste it into the manifest's Publisher attribute. Hand-typing it — or letting two tools format the same name differently — is how the mismatch usually gets in.
Two deployment notes. Signed MSIX packages from outside the Microsoft Store install by double-click on current Windows — sideloading has been enabled by default since Windows 10 version 2004 — as long as the signing certificate chains to a root the device trusts, which is exactly what a publicly trusted code signing certificate gives you. And if you distribute only through the Store, Microsoft re-signs your package during onboarding, so the publisher-match rule applies to your Store identity rather than your own certificate.
Setup.exe installers: Inno Setup, NSIS, and WiX bundles
A setup.exe built by NSIS or Inno Setup is a normal Windows executable, signed exactly like any EXE. WiX Burn bundles are the exception: the bundle carries an embedded engine that must be detached, signed, and reattached before the outer file is signed — skip it, and repair or uninstall runs an unsigned binary.
- NSIS. The output is a plain PE executable. Sign it after the build with the standard command, timestamps and all. Nothing installer-specific applies.
- Inno Setup. Same story, with a convenience: the
SignTooldirective in the[Setup]section runs your signing command during compilation, so the installer and the uninstaller it embeds both come out signed. Configure it once and the build handles signing from then on. - WiX Burn bundles. The bundle extracts its engine to disk for repair and uninstall operations, so the engine needs its own signature. The sequence: detach the engine (
wix burn detachin WiX v4 and later,insignia -ibin v3), sign it, reattach it, then sign the completed bundle. WiX's MSBuild integration can drive all four steps through theSignBundleEngineandSignBundletargets.
wix burn detach Bundle.exe -engine engine.exe
signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a engine.exe
wix burn reattach Bundle.exe -engine engine.exe -o Bundle.exe
signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Bundle.exeBundles usually wrap one or more MSI packages, and those follow the MSI rules from the previous section — sign them before they're compiled into the bundle. A fully signed WiX chain therefore carries at least four signatures: binaries, MSI, engine, bundle.
Verify before you ship
Run signtool verify /pa /v against the finished installer and check three things in the output: the certificate chain resolves, the "Issued to" name is your organization, and the signature carries a timestamp. Then do one real elevated install on a clean machine and read the consent prompt — it should name your organization as the verified publisher.
signtool verify /pa /v Setup.msi
# Look for:
# Issued to: Your Company Name
# The signature is timestamped: <date and time>
# Successfully verified: Setup.msiThe /pa flag matters: it applies the standard Authenticode policy instead of the stricter driver policy SignTool defaults to, which misreports perfectly good signatures. The timestamp line matters even more — without it, the installer stops verifying the day your certificate expires, and installers outlive certificates by years. The mechanics are covered in our timestamping explainer.
One expectation to calibrate: a valid signature doesn't silence Microsoft SmartScreen by itself. A downloaded installer from a certificate with no track record can still show "Windows protected your PC" until reputation accumulates — how that scoring works, and how to speed it up, is the subject of our SmartScreen reputation guide. The signature's job is making sure the reputation you earn sticks to your name.
Common installer signing errors and fixes
Installer signing fails in format-specific ways: the append flag /as errors out on MSI files, MSIX rejects packages over a publisher mismatch, administrative installs silently strip MSI signatures, and a correctly signed installer can still trip SmartScreen while your certificate builds reputation. Match your error below.
"Multiple signature support is not implemented for this filetype"
You ran /as against an MSI, or your build tool tried to dual-sign one. MSI files take a single signature. Remove the append step for MSI outputs and sign once with /fd SHA256. If the file was already signed and you need to replace the signature, just sign again without /as — the new signature replaces the old one.
MSIX signing fails with 0x8007000B
The manifest's Publisher and the certificate's subject don't match exactly. Open Event Viewer → Applications and Services Logs → Microsoft → Windows → AppxPackagingOM → Operational to see both strings side by side, then copy the certificate's subject line into the manifest's Publisher attribute verbatim and rebuild the package. Field order counts, punctuation counts, and extra fields (like an email address in the subject) count too.
The MSI verified yesterday, but today it reports no signature
Something modified the package after signing. The usual suspects: an administrative install created this copy ( msiexec /a strips signatures by design), a post-build step patched properties into the MSI, or the file went through a tool that re-saved it. Re-run signing as the genuinely final step, and if you publish administrative images, sign those separately.
"No certificates were found that met all the given criteria"
Not an installer problem — SignTool can't see your certificate. The token is unplugged, its middleware isn't installed, or you're running as a different user than the one whose store holds the certificate. The EXE guide's troubleshooting section walks through the diagnosis with signtool sign /debug.
The bottom line
Sign the binaries, build the package, sign the package — with signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a doing the work at both layers. Respect the two container rules (one signature per MSI, exact publisher match for MSIX) and verify with /pa /v before anything ships. If the missing piece is the certificate itself, My-SSL carries Certum code signing certificates from $99/year, and the document checklist shows what validation will ask for.