41

I have just purchased a code signing certificate from Comodo. I have built a small MS Access database that I want to deploy with Inno Setup Installer. The script runs fine but I am completely new to code signing.

How can I go about signing my installation file? Do I need an external software to sign the certificate or can I do it from within Inno Setup?

I have tried to search for answers to similar questions but none was able to show me what I need to get started, and how to go about it.

Paolo Fulgoni
mtn
  • @TLama Link is dead ( ~blog~ ) this works: http://support.ksoftware.net/support/solutions/articles/17169-how-do-i-automate-code-signing-with-innosetup-and-ksign- – SlowLearner Aug 03 '17 at 04:35
  • @mtn Can you please check this question https://stackoverflow.com/questions/72709498/innosetup-code-signin-not-applying-for-all-the-files-how-to-fix-that – Prageeth Liyanage Jun 22 '22 at 05:55

3 Answers

44

What you do is quite simple, try and follow along:

  1. Open Inno Setup and select Tools -> Configure Sign Tools.
  2. Click "Add..." and give it a name; let's call it MsSign, as I am using signtool.exe from Microsoft.
  3. You are then asked for the command line of the tool that you use for signing. As I am using signtool.exe, I will use

signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a $p

Note the $p at the end; Inno Setup needs this. Also note that I have added the path to signtool.exe to my PATH variable and that I am using DigiCert's time server to time-stamp my signature.

  4. In the script, you now add the following line to the [Setup] section:

    SignTool=MsSign $f

This line tells the compiler to use code signing; it will use the sign tool I've called MsSign and will sign the output generated by the setup.

When you look at the generated EXE you will see the digital signature.

Now, this works for me because I have prepared my signature store in such a way that the command line can get the signature, and I have only one code sign signature, so I do not need to name it. Your parameters may be different from mine, and that's okay, as long as in the end your setup works and your code gets signed.

Hope this helps, and remember you need that $p in the variable.

Walter Verhoeven
  • signtool comes with the windows drivers installation, see link on point 2, then when you have installed it you can add the location to your profile's Path settings, then log off and log on and you should be able to just call it, else put the path in step 3 – Walter Verhoeven Aug 09 '18 at 18:51
  • set PATH="C:\Program Files (x86)\Windows Kits\10\bin\x64";%PATH% did it for me! thx – Silve2611 Aug 09 '18 at 22:00
  • You don't actually need to add signtool.exe to PATH. Since it's a tiny executable file (410 KB) with no dependencies, you have the option to copy it to wherever you need it to be found in your build environment, and it will work just as fine as if you had run it from where it's installed on Windows. – Ulysses Alves Jul 13 '19 at 13:17
  • @WalterVerhoeven Can you please check this question. https://stackoverflow.com/questions/72709498/innosetup-code-signin-not-applying-for-all-the-files-how-to-fix-that – Prageeth Liyanage Jun 22 '22 at 05:55
  • @PrageethLiyanage, did my answer help? – Walter Verhoeven Jun 23 '22 at 07:32
  • Is there any way to automate this process? – unobatbayar Sep 14 '22 at 04:47
  • @unobatbayar It depends really on what part and the technology; you can make a PowerShell file watcher script and sign any binary in a given directory, that would take care of it regardless of what you do or use – Walter Verhoeven Sep 15 '22 at 05:04
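The same procedure (a named sign tool plus SignTool= in [Setup]) driven entirely from the ISCC command line, as an added example that is not part of the original answer and is not Inno Setup's own code. ISCC's /S switch defines the sign tool for that one build, so nothing has to be configured through Tools -> Configure Sign Tools on a build agent. Assumptions: Inno Setup 6 at its default install path, signtool.exe on PATH, exactly one code signing certificate in the current user's store (so /a can pick it), and a constructed minimal script MyAccessApp.iss that packages an assumed file MyAccessApp.accdb.

```powershell
# Added example, not from the original answer. Builds an Inno Setup script with ISCC.exe,
# passing the sign tool definition on the command line (/S<name>=<command>) instead of
# relying on the per-user "Configure Sign Tools" entry.
$ErrorActionPreference = 'Stop'

$iscc   = 'C:\Program Files (x86)\Inno Setup 6\ISCC.exe'   # assumption: default install location
$script = Join-Path $PSScriptRoot 'MyAccessApp.iss'

# Constructed minimal script. "SignTool=mssign $f" refers to the name given on the /S switch
# below; Inno Setup replaces $f with the file it wants signed. SignedUninstaller=yes also
# signs the uninstaller that Inno Setup embeds in the installer.
@'
[Setup]
AppName=MyAccessApp
AppVersion=1.0
DefaultDirName={autopf}\MyAccessApp
OutputDir=Output
OutputBaseFilename=MyAccessApp-Setup
SignTool=mssign $f
SignedUninstaller=yes

[Files]
Source: "MyAccessApp.accdb"; DestDir: "{app}"
'@ | Set-Content -Path $script -Encoding ASCII

# Single quotes keep PowerShell from expanding $p; Inno Setup substitutes the parameters
# from the SignTool= directive for it (here: the path of the file to sign).
$signCmd = 'signtool.exe sign /fd sha256 /tr http://timestamp.digicert.com /td sha256 /a $p'

& $iscc "/Smssign=$signCmd" $script
if ($LASTEXITCODE -ne 0) { throw "ISCC failed with exit code $LASTEXITCODE" }

# Confirm that the produced installer carries a valid, timestamped Authenticode signature.
$exe = Join-Path $PSScriptRoot 'Output\MyAccessApp-Setup.exe'
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.StatusMessage)" }
"Signed by:      $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Run it from the directory that holds the database file. If more than one code signing certificate is installed, /a becomes ambiguous; replace it with /n "Subject name" or /sha1 <thumbprint> in $signCmd so the build does not silently pick the wrong key.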
23

To sign the executable (the installer generated by Inno Setup), simply create a batch file (.bat) and put this content into it:

"c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f Installer_Wizard_Code_Signing_Certificate.pfx /p password123 /t http://timestamp.verisign.com/scripts/timstamp.dll MySetupFile.exe

where

"c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" is the path to the Microsoft signing utility (part of the Microsoft SDK)

Installer_Wizard_Code_Signing_Certificate.pfx is your certificate

password123 is the password for your certificate

MySetupFile.exe is the setup file you want to sign

Put all files in one directory (certificate, setup to sign, and the batch file) and run the batch file. Signtool signs the file with the certificate and checks the validity against the official server.

(You can use the http://timestamp.verisign.com/scripts/timstamp.dll server although you have a Comodo certificate; it does not matter.)

Slappy
  • Why don't you suggest the internal signing support of Inno Setup? For the third time, here (http://blog.ksoftware.net/2011/07/how-to-automate-code-signing-with-innosetup-and-ksign/) is a tutorial which describes how to do that. It's from Comodo's reseller, so they should know what they're talking about. – TLama Oct 04 '13 at 07:27
  • @TLama your answer solves my problem. I followed the instructions and the compilation went through without a single error. Thanks to everyone and to the guys behind Ksign... it makes everything so simple. – mtn Oct 04 '13 at 09:56
  • http://revolution.screenstepslive.com/s/revolution/m/10695/l/95041-signing-installers-you-create-with-inno-setup – Michael Fitchett Feb 05 '15 at 00:32
  • The link that @TLama referred to has changed: http://certhelp.ksoftware.net/support/solutions/articles/17169-how-do-i-automate-code-signing-with-innosetup-and-ksign- – bvanderw Mar 14 '15 at 12:45
  • My tutorial is independent and does not require any third-party software. (I tried TLama's tutorial and it did not work for me, so I wrote a custom solution.) – Slappy Aug 06 '15 at 11:04
  • @Silve2611: That is true, the question was about signing the installer. But of course you can use my method to sign the uninstaller or even the .dll or any .exe files. – Slappy Aug 30 '18 at 05:56
  • @Slappy can we do this with a .cer file as well? – Harish Kumar Apr 23 '21 at 12:06
  • Also @TLama's solution doesn't take into account that people may not want the hassle of opening the GUI on every build agent to get the signtool to work, and would much rather just have a script do it, because innosetup apparently can't just use a signtool.exe in the same directory and has to add a registry key. – Caperneoignis Nov 01 '22 at 16:21
  • It's **insecure** to have the PFX password in clear inside a batch. It would be safer to install the PFX in your user's certificate store and then replace `/f Installer_Wizard_Code_Signing_Certificate.pfx /p password123` by `/n "Your Certificate Name"`. If a hacker steals your PFX, then he hasn't got the password. This is **very important**! – Patrick Janser Jun 05 '23 at 09:06
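The batch file above, rewritten as a PowerShell script so that the PFX password is not stored in clear, as an added example that is not part of the original answer. The certificate is selected from the CurrentUser\My store by thumbprint (the private key never leaves the store); if a PFX file must be used on a build agent, the password is read from an environment variable, assumed here to be named CODESIGN_PFX_PASSWORD, that the CI system injects as a secret. Assumptions: signtool.exe on PATH, and a real thumbprint substituted for the placeholder. Two caveats the batch file leaves out: recent signtool releases require the file digest algorithm to be given explicitly with /fd, and a .cer file holds only the public certificate, so signing always needs the private key, either in the store or in a PFX.

```powershell
# Added example, not from the original answer. Signs a file and verifies the result
# without embedding the PFX password in the script.
param(
    [Parameter(Mandatory)] [string] $FileToSign,
    # Placeholder: replace with the thumbprint of your code signing certificate.
    [string] $Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567',
    # Optional: only when the certificate is not installed in the store.
    [string] $PfxPath,
    [string] $SignTool     = 'signtool.exe',                 # assumption: on PATH, else full path
    [string] $TimestampUrl = 'http://timestamp.digicert.com'  # RFC 3161 server for /tr
)
$ErrorActionPreference = 'Stop'

# SHA-256 file digest and an RFC 3161 timestamp, so the signature stays valid after
# the certificate expires.
$common = @('sign', '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256')

if ($PfxPath) {
    # Weak form from the batch file:  sign /f cert.pfx /p password123 ...
    # The password here comes from the environment, never from the script text.
    $pw = $env:CODESIGN_PFX_PASSWORD
    if (-not $pw) { throw 'Set CODESIGN_PFX_PASSWORD in the environment; do not put it in the script.' }
    $signArgs = $common + @('/f', $PfxPath, '/p', $pw, $FileToSign)
} else {
    # Hardened form: private key stays in CurrentUser\My, selected by thumbprint.
    $signArgs = $common + @('/sha1', $Thumbprint, $FileToSign)
}

& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) and print the signer and
# timestamp chain (/v); a non-zero exit code means the signature is not trusted.
& $SignTool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Usage: .\Sign-Installer.ps1 -FileToSign .\Output\MySetupFile.exe -Thumbprint <thumbprint>. Even with the PFX path, the /p value is visible to anyone who can read the process command line while signtool runs, which is one more reason to keep the key in the certificate store (or in a hardware token) and use /sha1 or /n instead.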
2

Once you have downloaded and installed signtool.exe from Microsoft, put the full path to signtool.exe into the sign tool command if it is not in your PATH variable at step three of the previous answer:

D:\GUI\signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a $p

Max von Hippel
jonbaker87