How to remove digital signature from an MSI installer?

Question

I can't seem to find a way to remove a digital signature from an .msi file that was previously added to it by the signtool.

Any idea how to do this?

Answer 1

Was in a similar situation: I customized a vendor-supplied MSI file, which invalidated the original digital signature. I then needed to remove (delete entirely, rather than replace) that signature, so that my users would not get errors when downloading and running the file on Windows 10.

Tried InstallShield, XML2MSI, msidb and an array of different MSI editors to no avail. What ultimately worked for me was to remove the digital signature stream (in my case it was called "[5]DigitalSignature") from the MSI Compound File using an editor.

Personally, I used MiTeC's Structured Storage Viewer to do this, but other tools may work for you.

Note: the SSV displayed garbage for some of the stream names in my MSI, but still worked correctly.

Answer 2

Performing an administrative installation removes the digital signature from the package. An administrative installation modifies the installation package in order to add the AdminProperties stream, which would invalidate the original digital signature. An administrator can resign the package.