>We are doing the app.exe Code Signing in the Initialize Setup section.

I have a separate script to only code-sign all EXE of our suite.

After that I send them to VirusTotal.com, select the Hashes and the URLs and
store them in a text-file. This text-file now gets added to the base-folder of
the installation, so every Admin can inspect the hashes and compare with the
installed files.

And now I compile everything together.

There is another benefit: Sometimes code-signing fails, due to problems of
connectitivity of the signing server. Then the script fails. Since the
Installer has grown now to some 100 MB and I have to make different versions of
the installer (different countries with different datasets, complete-version /
update/version - a total of 8 different installer) one after the other, its
annoying when I have to restart, just because one connection didn't work.

And I need one EXE code-signed only once!

So, consider to separate the code-signing process of the distributed binaries
from the installer itself.

Just my experience in my specific scenario
Wolfgang


Regards,
Wolfgang Orth
www.odata.de

Please note:
From time to time it happens, that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.

Bitte beachten:
Von Zeit zu Zeit passiert es mir, dass ich Antworten auf meine Postings übersehe.
Bitte nicht böse sein.
Im Notfall bitte Kontakt per Mail versuchen.