Hi Chris,

You can only code-sign executables. It is not possible to Authenticode code-sign data files. But SetupBuilder has its own fingerprint technology:

Enable Installer Integrity Check—SetupBuilder supports an Archive Fingerprint Verification algorithm. The advantage of this feature is to offer a layer of protection between the creator of an installation file and the recipient. The purpose of fingerprint verification is to help provide detection of tampered, hacked, and incomplete or virus infected installation files. If your installation executable supports fingerprint verification, the recipient knows that the installation file received is the file that was sent. If the installation file has failed the fingerprint verification, the contents are suspect. This option requires that you build a single file setup.exe installation executable or a "Custom (for UAC-aware systems)" Media Type Generator Setting with single .bin volume.

So if you code-sign your executable, the data is 100% safe. The same is true for Web Updates. You code-sign the main executable and all cluster files have their own fingerprint verification.