How to create precofigured installer (MSI or EXE) with valid signature?

Question

We want our users to download preconfigured installers of our software for Windows. Pre-configured data consists of settings based on user account data. The customization is to be done in a Java server running on Linux. We need to have those installers digitally signed. Unfortunately we cannot have private signing key on those servers, due to security policy.

Can you think of ways to put some metadata into either MSI or EXE while preserving digital signature or other approaches to fulfill the use case?

EDIT: The requirement is to have a single file download, so unfortunately parallel ini file doesn't fulfill it. It is mostly about providing a set of connection points (specific to a user) - we are not to bother a user as we already know them.

Answer 1

No, what you ask for is impossible. You can't modify a file without invalidating it's signature. That's the whole point of signing. You also can't sign a file without having the private key to perform the signing.

Answer 2

I believe Chris is right. However, in the interest of providing a useful starting point for further investigation, here are some thoughts:

Though it is perhaps a questionable design, you could generate an email with the config information on the server and send it to the user so they can automatically kick off the signed installer from your web site with the appropriate settings set in properties by simply clicking a link in an email. I have never tried this, but the MSI SDK does discuss it: A URL-Based Windows Installer Installation Example and Authoring a Fully Verified Signed Installation.

I guess you can also generate an INI file sent by email that can be put next to the signed MSI and the MSI can be designed to read the INI file during installation and apply the settings. You would add a launch condition to require this INI.

If you wrap a config file with a signed MSI in an unsigned self-extractor, I think you eliminate almost all benefits from the signing process. I doubt it helps, but it should be possible to sign an external cab file consumed by an unsigned MSI. Again, I have not tried this, so I just guessing. I am not sure what happens if that MSI is post processed after signing of the cab either. Security-wise I think this approach is sort of nonsense too - few benefits remain.