As I discussed a couple of years ago, code signing your executables is important for a variety of reasons. Our installation creation tool of choice is Inno Setup and version 5.2.4 released in March 2009 made it easier to sign the setup executable through the new Signtool directive in the [Setup] section.
This directive works like this (assuming you already have a digital certificate):
- Run the Inno Setup UI and choose Configure Sign Tools in the Tools menu.
- Create a new “sign tool” by clicking Add and giving it a name and the command line that runs your signing application. For example, I created one called “Standard” with the following command line, which calls Microsoft’s SIGNTOOL.EXE:
"C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe" sign /f CertPath\mycert.pfx /p MyPassword $p
where CertPath\mycert.pfx is the name and location of the PFX file, MyPassword is its password, and $p is the placeholder that Inno Setup replaces with the parameters given in the SignTool directive (which is how the name of the file to sign reaches signtool). Be aware that /p puts the PFX password on the command line, where it shows up in process listings and verbose build logs; if the certificate lives in a certificate store or on a hardware token, signtool’s /sha1 or /n options select it without a password.
- In the [Setup] section of your Inno Setup script (ISS) file, add the following:
SignTool=Standard /d $qStonefield Query Installer$q $f
Specify the name of your “sign tool” in place of “Standard” and a descriptive name for your setup program in place of “Stonefield Query Installer.” $q is an Inno Setup constant representing a quote and $f is a constant containing the name and path of the setup EXE created by Inno Setup.
Now, every time you build your setup using the Inno Setup UI, your setup executable is automatically signed.
However, I also like to build setups as part of a build process, so I call the Inno Setup compiler (ISCC) from the command line. Once I added the SignTool directive to my ISS files, my command line builds failed: sign tools configured in the UI are stored in the IDE’s own settings, so ISCC has no definition for “Standard” and refuses to compile a script that refers to it.
Here’s the solution: define the same “sign tool” on the ISCC command line with the /s option, under the name the script refers to. For example:
"C:\Program Files\Inno Setup 5\iscc" "/sStandard=C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe sign /f CertPath\mycert.pfx /p MyPassword $p" sfquery.iss
The name after /s (“Standard”) must match the name in the SignTool directive, the whole /s option must be passed as one quoted argument because the command contains spaces, and $p again marks where the parameters from the directive are inserted.
Now, whether I build using the UI or through a build process, my setup executable is always signed.
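The whole pipeline as one build step, added here as an example rather than code from the original post: it runs ISCC on sfquery.iss with the same “Standard” sign tool supplied through /s, then refuses to let the build succeed unless the resulting setup EXE carries a valid Authenticode signature. The ISCC and signtool paths, the PFX location, the Output\setup.exe name, and the PFX_PASSWORD and TIMESTAMP_URL environment variables are assumptions for the example.

```powershell
# Added example, not code from the original post: drive the Inno Setup compiler
# from a build script with the "Standard" sign tool, then verify the signature.
# Assumptions (adjust for your machine): the ISCC and signtool paths below, the
# PFX location, the script name sfquery.iss, and that the script produces
# Output\setup.exe (Inno Setup's default OutputDir and OutputBaseFilename).
$ErrorActionPreference = 'Stop'

$Iscc     = 'C:\Program Files\Inno Setup 5\ISCC.exe'
$SignTool = 'C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe'
$PfxPath  = 'C:\Certs\mycert.pfx'   # assumption: stands in for CertPath\mycert.pfx
$IssFile  = 'sfquery.iss'
$SetupExe = 'Output\setup.exe'      # assumption: default output location

# Take the PFX password from the environment (set by the build agent) instead of
# hard-coding it in a script or command line that ends up in source control.
$PfxPassword = $env:PFX_PASSWORD
if (-not $PfxPassword) { throw 'Set PFX_PASSWORD before running the build.' }

# The sign tool command written the way ISCC expects it: $q is replaced by a
# double quote (so paths with spaces survive), $p by the parameters from the
# SignTool directive in the .iss file (/d $q...$q $f), and $f by the setup EXE.
# Using $q instead of literal quotes also keeps PowerShell from mangling the
# argument when it hands it to ISCC.
$signCmd = '$q' + $SignTool + '$q sign /f $q' + $PfxPath + '$q /p ' + $PfxPassword
# Optional: timestamp the signature so it stays valid after the certificate
# expires. TIMESTAMP_URL is your CA's Authenticode timestamp server (assumption:
# supplied by the environment; nothing is added if it is not set).
if ($env:TIMESTAMP_URL) { $signCmd += ' /t ' + $env:TIMESTAMP_URL }
$signCmd += ' $p'

# Compile. The name after /s must match the name in the [Setup] SignTool directive.
& $Iscc "/sStandard=$signCmd" $IssFile
if ($LASTEXITCODE -ne 0) { throw "ISCC failed with exit code $LASTEXITCODE" }

# Check 1: signtool's own verification against the Authenticode policy.
& $SignTool verify /pa /v $SetupExe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $SetupExe" }

# Check 2: PowerShell's view of the signature, which also exposes the signer so
# the build log records which certificate was actually used.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
if ($sig.Status -ne 'Valid') {
    throw "$SetupExe is not validly signed: $($sig.Status) ($($sig.StatusMessage))"
}
Write-Host "OK: $SetupExe signed by $($sig.SignerCertificate.Subject)"
```

Two things to keep in mind when using this. Get-AuthenticodeSignature only reports Valid when the certificate chains to a root the build machine trusts, so a self-signed test certificate will fail the second check even though signing itself worked; that is the behaviour you want in a release build, since it is also what end users’ machines will evaluate. And the PFX password still appears on signtool’s command line while it runs, so on a shared build server prefer a certificate in the build account’s certificate store (selected with /sha1 or /n) or a hardware token over a PFX file plus /p.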