Windows Installer XML (WiX) toolset

Closed for lack of feedback.

What's the benefit of embedding signing, other than saving one step in a
build process?

That's great, but only if you're using "MSBuild" to do your building. If
you're not... :-(

You can customize the MSBuild target "AfterBuild" in the wixproj file.
This is an example, which generates setup.exe and signs the MSI and
setup.exe:

<PropertyGroup>
<Certificate>FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF</Certificate>

<TimeStampUrl>http://timestamp.verisign.com/scripts/timstamp.dll</TimeStampUrl>
<ProductName>My Product</ProductName>
</PropertyGroup>
<ItemGroup>
<BootstrapperFile Include="Microsoft.Windows.Installer.2.0">
<ProductName>Windows Installer 2.0</ProductName>
</BootstrapperFile>
</ItemGroup>
<ItemGroup>
<InstallerToSign Include="$(OutputPath)$(OutputName).msi" />
<SetupToSign Include="$(OutputPath)Setup.exe" />
<InstallerMsi Include="$(OutputName).msi" />
</ItemGroup>
<Target Name="AfterBuild">
<Exec Command="signtool sign /sha1 $(Certificate)
&quot;@(InstallerToSign)&quot;" />
<GenerateBootstrapper ApplicationFile="@(InstallerMsi)"
ApplicationName="$(ProductName)" BootstrapperItems="@(BootstrapperFile)"
ComponentsLocation="Relative" Culture="de" FallbackCulture="de-DE"
CopyComponents="True" Validate="False" OutputPath="$(OutputPath)" />
<SignFile CertificateThumbprint="$(Certificate)"
SigningTarget="@(SetupToSign)" TimestampUrl="$(TimeStampUrl)" />
</Target>