Skip to main content

    How to Sign an MSI or MSIX Installer (Step by Step)

    Sign MSI and MSIX installers with SignTool: exact commands, the single-signature MSI rule, the MSIX publisher-match rule, and fixes for common signing errors.

    MS
    My-SSL Security Team
    ·
    12 min read
    ·
    Published July 8, 2026
    ·
    Last updated July 8, 2026

    In short

    MSI and MSIX installers are signed with the same command as an EXE: signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Setup.msi. Two format rules catch people out: an MSI holds exactly one signature (the /as append flag fails on it), and an MSIX only installs when the Publisher in its manifest matches your certificate's subject character for character. Sign the binaries inside the package first, then the package itself, and check the result with signtool verify /pa /v.

    Most people arrive at installer signing straight from signing their first EXE, expecting a copy-paste job. It nearly is — same tool, same certificate, same flags. The failures come from what's different about the containers: MSI packages that refuse a second signature, MSIX packages that reject a technically valid certificate over a one-comma difference in the publisher name, and setup bundles that hide a second file needing its own signature. This guide covers the commands for each format and the rules behind those failures, so the first signed build is also the last one you have to debug.

    What's different about signing an installer

    The command is the same one you'd run on an EXE — signtool sign with /fd SHA256, a timestamp, and your certificate. What changes is the container: an MSI stores exactly one signature and loses it if the package is modified afterwards, an MSIX refuses to install without a valid signature, and bundle-style setup.exe files carry an embedded engine that needs signing separately.

    Signing rules for each Windows installer formatComparison panel with four rows. A setup EXE from NSIS or Inno Setup signs like any executable and allows multiple signatures. An MSI accepts exactly one signature, so the append flag fails. An MSIX requires a signature to install at all, and its manifest publisher must match the certificate subject — this row is highlighted. A WiX bundle needs two signatures: the embedded engine first, then the outer bundle.One rule per formatsetup.exeNSIS, Inno SetupA normal Windows executable — sign it like any EXE.Multiple signatures allowed (/as works)..msiWindows InstallerExactly one signature per file — /as fails with a format error.Any later change to the package (even msiexec /a) breaks the signature..msixmodern packagingNo signature, no install — and the manifest Publisher must matchthe certificate subject exactly.bundle .exeWiX BurnTwo signatures needed: detach and sign the Burn engine first,reattach it, then sign the outer bundle.
    The command barely changes between formats — the container rules are what decide whether your first attempt succeeds.

    Everything this guide assumes about the basics — installing SignTool from the Windows SDK, the mandatory /fd SHA256 flag, picking a certificate with /a, /n, or /sha1 — is covered step by step in our EXE signing guide. Start there if SignTool isn't on your machine yet; this article picks up where that one ends, at the point where the file you're signing is a package rather than a program.

    Why installers deserve the extra care: they're the file users actually download, so they're what SmartScreen evaluates at download time and what the UAC consent prompt describes during an elevated install. A signed MSI puts your organization's name on that prompt. An unsigned one shows "Unknown Publisher" — to someone deciding whether to click Yes on software that's about to modify their system.

    Sign from the inside out

    Sign the files that go into the installer first — the application EXE and its DLLs — then build the package, then sign the package itself as the last build step. An installer's signature covers only the container: Windows does not treat the files inside as signed just because the MSI around them was.

    The inside-out signing order for installersFlow in four steps: first sign the application binaries, the EXE and DLL files; second, build the MSI or MSIX package from those signed files; third, sign the package itself — this step is highlighted; fourth, ship it. At install time Windows reads the outer signature, and after installation it reads the inner ones.Sign from the inside out1. Sign the binariesapp EXE + DLLsbefore packaging2. Build the packageMSI / MSIX / bundlefrom signed files3. Sign the packagelast build step —nothing changes after4. Ship itUAC + SmartScreenread the signatureAt install time Windows checks the package signature. After installation, each fileon disk is judged by its own signature — the installer's no longer applies.
    Rebuilding the package invalidates its signature, so the package signature always comes last — one reason signing belongs at the end of the build pipeline.

    The order matters in both directions. Packaging unsigned binaries means that after installation, every trust decision about your application — SmartScreen on first launch, antivirus heuristics, AppLocker rules — happens against unsigned files. And signing the package before the build is final wastes a signature: any rebuild, patch, or post-processing step changes the file's bytes and invalidates it. In an automated pipeline both signing passes typically live in the same job; our CI/CD signing guide covers how to wire that up without exposing the key.

    Signing an MSI with SignTool

    One command signs an MSI: signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Setup.msi. SignTool recognizes the Windows Installer format on its own, so nothing MSI-specific gets added. The format brings two rules of its own: one signature per file, and no modifications afterwards — the signature is computed over the package bytes and any change breaks it.

    Sign an MSI package
    signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Setup.msi
    
    # Several certificates installed? Select by subject name:
    signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 ^
      /n "Your Company Name" Setup.msi
    
    # Verify the result:
    signtool verify /pa /v Setup.msi

    If you don't have the certificate yet, any publicly trusted code signing certificate handles MSI and MSIX the same way it handles an EXE — the Certum certificates My-SSL sells work with every command on this page, standard and EV alike. Since June 1, 2023, the private key ships on certified hardware, so expect the token PIN prompt during signing.

    One signature only

    The /as append flag — routine for dual-signing EXE files — fails on an MSI with "Multiple signature support is not implemented for this filetype." If your packaging tool dual-signs by default, turn that off for MSI output and sign once with SHA-256. There's no practical loss: SHA-1 signatures stopped being useful years ago.

    The no-modification rule has one consequence worth knowing before it surprises you: an administrative install ( msiexec /a) rewrites the package while extracting it, which strips the signature from the resulting MSI. That's documented Windows Installer behavior. If your enterprise customers deploy from administrative images, they're deploying an unsigned package unless you re-sign it — worth a line in your deployment notes.

    Signing an MSIX package

    MSIX makes signing mandatory: Windows will not install an unsigned package, even silently. The command is the familiar signtool sign /fd SHA256, with one extra rule — the Publisher value in the package's AppxManifest.xml must match your certificate's subject name character for character, including the order of the name's parts. A mismatch fails with error 0x8007000B.

    The MSIX publisher-match rule, shown with a pass and a failTwo comparisons. In the passing case, the Publisher attribute in AppxManifest.xml reads CN equals Example Software, O equals Example Sp. z o.o., C equals PL, and the certificate subject reads exactly the same, so signing succeeds. In the failing case the same name parts appear in a different order, and SignTool fails with error 0x8007000B.MSIX: manifest Publisher vs certificate subjectMatch — signing succeedsAppxManifest.xml → Identity Publisher="CN=Example Software, O=Example, C=PL"Certificate → Subject:CN=Example Software, O=Example, C=PL=Same parts, different order — fails with 0x8007000BAppxManifest.xml → Identity Publisher="CN=Example Software, O=Example, C=PL"Certificate → Subject:O=Example, CN=Example Software, C=PLThe comparison is literal: every name part, in the same order, with the same punctuation.
    Copy the subject line out of your certificate and paste it into the manifest's Publisher attribute — retyping it is how the order-swap bug happens.
    Sign an MSIX package
    signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a MyApp.msix
    
    # The /fd value must match the block map's hash method —
    # SHA256 is the MakeAppx default, so /fd SHA256 is almost always right.

    When the publisher check fails, SignTool's own error is unhelpfully generic. The specific complaint lands in Event Viewer under Applications and Services Logs → Microsoft → Windows → AppxPackagingOM → Operational, where the event spells out both strings so you can see exactly where they diverge. The reliable fix is mechanical: open your certificate, copy the full subject line, and paste it into the manifest's Publisher attribute. Hand-typing it — or letting two tools format the same name differently — is how the mismatch usually gets in.

    Two deployment notes. Signed MSIX packages from outside the Microsoft Store install by double-click on current Windows — sideloading has been enabled by default since Windows 10 version 2004 — as long as the signing certificate chains to a root the device trusts, which is exactly what a publicly trusted code signing certificate gives you. And if you distribute only through the Store, Microsoft re-signs your package during onboarding, so the publisher-match rule applies to your Store identity rather than your own certificate.

    Setup.exe installers: Inno Setup, NSIS, and WiX bundles

    A setup.exe built by NSIS or Inno Setup is a normal Windows executable, signed exactly like any EXE. WiX Burn bundles are the exception: the bundle carries an embedded engine that must be detached, signed, and reattached before the outer file is signed — skip it, and repair or uninstall runs an unsigned binary.

    • NSIS. The output is a plain PE executable. Sign it after the build with the standard command, timestamps and all. Nothing installer-specific applies.
    • Inno Setup. Same story, with a convenience: the SignTool directive in the [Setup] section runs your signing command during compilation, so the installer and the uninstaller it embeds both come out signed. Configure it once and the build handles signing from then on.
    • WiX Burn bundles. The bundle extracts its engine to disk for repair and uninstall operations, so the engine needs its own signature. The sequence: detach the engine ( wix burn detach in WiX v4 and later, insignia -ib in v3), sign it, reattach it, then sign the completed bundle. WiX's MSBuild integration can drive all four steps through the SignBundleEngine and SignBundle targets.
    Sign a WiX v4+ bundle (engine first, then the bundle)
    wix burn detach Bundle.exe -engine engine.exe
    signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a engine.exe
    wix burn reattach Bundle.exe -engine engine.exe -o Bundle.exe
    signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a Bundle.exe

    Bundles usually wrap one or more MSI packages, and those follow the MSI rules from the previous section — sign them before they're compiled into the bundle. A fully signed WiX chain therefore carries at least four signatures: binaries, MSI, engine, bundle.

    Verify before you ship

    Run signtool verify /pa /v against the finished installer and check three things in the output: the certificate chain resolves, the "Issued to" name is your organization, and the signature carries a timestamp. Then do one real elevated install on a clean machine and read the consent prompt — it should name your organization as the verified publisher.

    Verify the signed installer
    signtool verify /pa /v Setup.msi
    
    # Look for:
    #   Issued to: Your Company Name
    #   The signature is timestamped: <date and time>
    #   Successfully verified: Setup.msi

    The /pa flag matters: it applies the standard Authenticode policy instead of the stricter driver policy SignTool defaults to, which misreports perfectly good signatures. The timestamp line matters even more — without it, the installer stops verifying the day your certificate expires, and installers outlive certificates by years. The mechanics are covered in our timestamping explainer.

    One expectation to calibrate: a valid signature doesn't silence Microsoft SmartScreen by itself. A downloaded installer from a certificate with no track record can still show "Windows protected your PC" until reputation accumulates — how that scoring works, and how to speed it up, is the subject of our SmartScreen reputation guide. The signature's job is making sure the reputation you earn sticks to your name.

    Common installer signing errors and fixes

    Installer signing fails in format-specific ways: the append flag /as errors out on MSI files, MSIX rejects packages over a publisher mismatch, administrative installs silently strip MSI signatures, and a correctly signed installer can still trip SmartScreen while your certificate builds reputation. Match your error below.

    "Multiple signature support is not implemented for this filetype"

    You ran /as against an MSI, or your build tool tried to dual-sign one. MSI files take a single signature. Remove the append step for MSI outputs and sign once with /fd SHA256. If the file was already signed and you need to replace the signature, just sign again without /as — the new signature replaces the old one.

    MSIX signing fails with 0x8007000B

    The manifest's Publisher and the certificate's subject don't match exactly. Open Event Viewer → Applications and Services Logs → Microsoft → Windows → AppxPackagingOM → Operational to see both strings side by side, then copy the certificate's subject line into the manifest's Publisher attribute verbatim and rebuild the package. Field order counts, punctuation counts, and extra fields (like an email address in the subject) count too.

    The MSI verified yesterday, but today it reports no signature

    Something modified the package after signing. The usual suspects: an administrative install created this copy ( msiexec /a strips signatures by design), a post-build step patched properties into the MSI, or the file went through a tool that re-saved it. Re-run signing as the genuinely final step, and if you publish administrative images, sign those separately.

    "No certificates were found that met all the given criteria"

    Not an installer problem — SignTool can't see your certificate. The token is unplugged, its middleware isn't installed, or you're running as a different user than the one whose store holds the certificate. The EXE guide's troubleshooting section walks through the diagnosis with signtool sign /debug.

    Frequently Asked Questions

    Get instant answers to common questions about SSL certificates and our services.

    Still Have Questions?

    Our SSL experts are available 24/7 to help with any questions about certificates, installation, or technical issues.

    The bottom line

    Sign the binaries, build the package, sign the package — with signtool sign /fd SHA256 /tr http://time.certum.pl /td SHA256 /a doing the work at both layers. Respect the two container rules (one signature per MSI, exact publisher match for MSIX) and verify with /pa /v before anything ships. If the missing piece is the certificate itself, My-SSL carries Certum code signing certificates from $99/year, and the document checklist shows what validation will ask for.