Signing Installers You Create with Inno Setup
You can configure Inno Setup to sign all of the installers you create. This removes the need to sign them manually after the fact.
Remember that you still need to sign your LiveCode executable prior to building the installer, however.
Configure Sign Tools
Select Configure Sign Tools... from the Tools menu.
Add A Tool
Name the Tool
Give the tool a name. This is the name you will use when referring to the tool in your installer scripts. I named mine signtool because I'm using signtool.exe.
Assign the Command Line Parameters
Paste in the text you use to sign your executables from the command line. Replace the name of the file to sign with $f. Inno Setup will replace the $f variable with the file that is being signed.
Example:
"C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin\signtool.exe" sign /f "C:\MY_CODE_SIGNING.PFX" /t http://timestamp.comodoca.com/authenticode /p MY_PASSWORD $f
After clicking OK you are done configuring the sign tool.
Update Your [Setup] Section
Add the following script to your [Setup] section to use the sign tool you just configured. This assumes you named your tool signtool.
SignTool=signtool
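A check to run after compiling, to confirm that the installer really came out signed and timestamped. This is an added example, not part of the original article or of Inno Setup; the path Output\mysetup.exe and the function name Test-InstallerSignature are assumptions, so substitute your own output file.

```powershell
# Added example (not from the original article): post-build check that the
# installer Inno Setup produced is actually signed and timestamped.
# Assumption: 'Output\mysetup.exe' is a placeholder for your compiled installer.
param(
    [string]$InstallerPath = 'Output\mysetup.exe'
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $problems = @()

    # 'Valid' means the file hash matches and the chain is trusted on this machine.
    # 'NotSigned' means the sign tool never ran for this output file.
    if ($sig.Status -ne 'Valid') {
        $problems += "Status is $($sig.Status): $($sig.StatusMessage)"
    }

    # Without a timestamp (the /t switch in the sign command) the signature
    # stops validating once the signing certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'No timestamp countersignature found.'
    }

    [pscustomobject]@{
        Path        = $sig.Path
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        CertExpires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        Timestamped = $null -ne $sig.TimeStamperCertificate
        Problems    = $problems
    }
}

$result = Test-InstallerSignature -Path $InstallerPath
$result | Format-List
# A non-zero exit code lets a build script stop before an unsigned installer ships.
if ($result.Problems.Count -gt 0) { exit 1 }
```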
Carlos Ramirez
Hello,
Excellent, very explicative. For Visual Studio 12 the signtool is located here: "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe"
Thanks
Andy
Very clear and helpful, I have no idea how anyone would be expected to figure it out without this level of help!
Michael Sarahan
Thanks, this was very helpful. For people using command line tools, see this other helpful post, too: http://doughennig.blogspot.com/2009/11/executable-signing-with-inno-setup.html
Sanchi
So the signtool.exe would lie in "Program Files" for x86 machines and "Program Files (x86)" for x64 machines. So this might fail the signing.
Jaime
Very useful and straightforward.
Dieter Woellner
Near to getting nuts when trying via Innosetup help I found your article. Saved my head ;o)!
chris
I have tried this in Windows 10 and cannot get it to work. I installed the SDK; the signtool is located in C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe. The Inno compile fails with:
Sign Tool command failed (Failed to execute Sign Tool command.
Error 5: Access is denied). Will retry (2 tries left).
Trevor DeVore
@chris - that sounds like a permissions issue. A Google search for "signtool.exe Error 5: Access is denied" turned up this:
https://github.com/javafx-maven-plugin/javafx-maven-plugin/issues/286
There was a folder permissions problem in that particular case and signtool.exe update the file. I would start by looking at permissions on the files you are trying to modify.
Claude
Run the signtool command as shown in this guide, from the command line, but replace $f with some other file. I recommend adding /debug after the sign parameter. But more importantly, Win SDK 10 and up require you to add (also after "sign") the following parameter: /fd SHA256
Without it, the tool would fail. Another gotcha is to make sure the certificate was created with code signing usage. If not, the tool won't use it for signing code.
Brigitte Lechermeyer
I sign VBA-Code. I'm using in Word -> developer -> VisualBasic
Here I go to Tools -> Digital Signature
What do I have to use as "Command for the sign tool?" in this case?
Thanks for help