Friday, 8 July 2011

Using an MSI Custom Action to install a certificate.

This process can be used to silently install, via an MSI, device drivers that have not been signed by a trusted resource. If you followed my previous post "Driver Signing" http://apppackager.blogspot.com/2011/07/driver-signing.html you are now able to sign a driver and produce the certificate, ready to be installed via an MSI. From that post you will need the following files:
  • BovisTech.cer
  • certmgr.exe
Open the MSI driver package that you created in the post "Create a MSI driver package with Wise" http://apppackager.blogspot.com/2011/07/create-msi-driver-package-with-wise.html These two previous posts worked through creating a certificate, signing some drivers, and then creating an MSI package that installs those drivers. To make the driver install silent, so that the following message is not displayed during install, we need to modify the MSI driver package to run a custom action that installs the required certificate before the drivers are installed.

Open your driver package and add the following 2 files to it. They should be installed into the INSTALLDIR.
  • BovisTech.cer
  • certmgr.exe
Save and compile your package. The custom actions that we require to install the certificate will run the commands:

Certmgr.exe -add "[INSTALLDIR]BovisTech.cer" -s -r localMachine TRUSTEDPUBLISHER

Certmgr.exe -add "[INSTALLDIR]BovisTech.cer" -s -r localMachine ROOT
As these are custom certificates that are associated with the package we are producing, we will also remove them when we uninstall the package, using the following custom action commands:

certmgr.exe -del -c -n "BovisTech" -s -r localMachine ROOT
Certmgr.exe -del -c -n "BovisTech" -s -r localMachine TRUSTEDPUBLISHER

The custom actions will run in "Deferred Execution - System Context" with "Synchronous, Ignore Exit code" processing. We need to ignore the exit code in case the certificate has previously been installed, which would throw an error (this should never happen, as the certificate will always be removed upon uninstall). I find adding custom actions easiest within "Orca", although you may prefer to use a packaging product such as Wise or InstallShield. Add the custom actions to the CustomAction table:



Add the install custom actions to the "InstallExecuteSequence" table just after the BindImage action, with sequence ids 4406 and 4407 and a condition of "NOT Installed AND NOT PATCH".



Add the uninstall custom actions to the "InstallExecuteSequence" table just after the "SelfUnregModules" action, with sequence ids 2201 and 2202 and a condition of "REMOVE".



Finally, before we can test our package, we must move the "MsiProcessDrivers" action so that the drivers are installed after our certificates are installed.
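The sequencing rules from the steps above can be checked mechanically before testing. The following is an added example, not part of the original post: the custom action names, the base type 34 and the MsiProcessDrivers position are assumptions, and the rows are constructed sample data rather than an export of the real package.

```python
# Added example: action names, sample rows and the MsiProcessDrivers position
# are constructed. The flag values are the Windows Installer custom action bits.
CONTINUE, IN_SCRIPT, NO_IMPERSONATE = 0x40, 0x400, 0x800
REQUIRED = CONTINUE | IN_SCRIPT | NO_IMPERSONATE  # ignore exit code, deferred, system

def check(types, sequence, install_cas, uninstall_cas):
    """Return a list of problems with the certificate custom actions."""
    at = {name: number for name, (_cond, number) in sequence.items()}
    problems = []
    for name in install_cas + uninstall_cas:
        missing = REQUIRED & ~types[name]
        if missing:
            problems.append(f"{name}: type lacks flag bits {missing:#x}")
    for name in install_cas:
        cond, number = sequence[name]
        if cond != "NOT Installed AND NOT PATCH":
            problems.append(f"{name}: unexpected condition {cond!r}")
        # certmgr.exe and the .cer only exist on disk once InstallFiles has run
        if not at["InstallFiles"] < number < at["InstallFinalize"]:
            problems.append(f"{name}: not between InstallFiles and InstallFinalize")
        if number >= at["MsiProcessDrivers"]:
            problems.append(f"{name}: sequenced after MsiProcessDrivers")
    for name in uninstall_cas:
        cond, number = sequence[name]
        if cond != "REMOVE":
            problems.append(f"{name}: unexpected condition {cond!r}")
        # RemoveFiles deletes certmgr.exe, so the -del commands must come first
        if not at["InstallInitialize"] < number < at["RemoveFiles"]:
            problems.append(f"{name}: not between InstallInitialize and RemoveFiles")
    return problems

CA_TYPE = 34 | REQUIRED  # 3170; base type 34 (EXE in a directory) is an assumption
INSTALL_CAS = ["AddCertPublisher", "AddCertRoot"]    # hypothetical names
UNINSTALL_CAS = ["DelCertRoot", "DelCertPublisher"]  # hypothetical names
TYPES = {name: CA_TYPE for name in INSTALL_CAS + UNINSTALL_CAS}
SEQUENCE = {  # action: (condition, sequence number)
    "InstallInitialize": ("", 1500),
    "SelfUnregModules": ("", 2200),
    "DelCertRoot": ("REMOVE", 2201),
    "DelCertPublisher": ("REMOVE", 2202),
    "RemoveFiles": ("", 3500),
    "InstallFiles": ("", 4000),
    "AddCertPublisher": ("NOT Installed AND NOT PATCH", 4406),
    "AddCertRoot": ("NOT Installed AND NOT PATCH", 4407),
    "MsiProcessDrivers": ("", 4408),  # constructed position after the certificates
    "InstallFinalize": ("", 6600),
}

if __name__ == "__main__":
    print(check(TYPES, SEQUENCE, INSTALL_CAS, UNINSTALL_CAS) or "sequencing OK")
```

An empty list means the flags, conditions and ordering match the steps above; each string in a non-empty list names the action and the rule it breaks.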



Save the package and install the MSI. You will know the package has installed successfully because you will not receive the prompt to verify the publisher. You can confirm that the certificates are installed by opening "Internet Explorer", navigating to "Tools | Internet Options" and clicking on the "Certificates" option.



You can also confirm that the uninstall works correctly as the installed certificates will be removed.

1 comment:

  1. Good tips Matt, have you tried importing a PFX Certificate?
