Monday, November 09, 2009

Executable Signing with Inno Setup

As I discussed a couple of years ago, code signing your executables is important for a variety of reasons. Our installation creation tool of choice is Inno Setup and version 5.2.4 released in March 2009 made it easier to sign the setup executable through the new Signtool directive in the [Setup] section.

This directive works like this (assuming you already have a digital certificate):

  • Run the Inno Setup UI and choose Configure Sign Tools in the Tools menu.
  • Create a new “sign tool” by clicking Add and specifying a name and the command line to execute your signing application. For example, I created one called “Standard” with the following command line to call Microsoft’s SIGNTOOL.EXE:

"C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe" sign /f CertPath\mycert.pfx /p MyPassword

where CertPath\mycert.pfx is the name and location of the PFX file and MyPassword is the password.

  • In the [Setup] section of your Inno Setup script (ISS) file, add the following:

SignTool=Standard /d $qStonefield Query Installer$q $f

Specify the name of your “sign tool” in place of “Standard” and a descriptive name for your setup program in place of “Stonefield Query Installer.” $q is an Inno Setup constant representing a quote and $f is a constant containing the name and path of the setup EXE created by Inno Setup.

Now, every time you build your setup using the Inno Setup UI, your setup executable is automatically signed.

However, I also like to build setups as part of a build process, so I call the Inno Setup compiler via the command line. Once I added the SignTool directive in my ISS files, my command line builds failed.

Here’s the solution: you need to add the same “sign tool” definition you did to the UI to the command line. For example:

"C:\Program Files\Inno Setup 5\iscc" "/sStandard=C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe sign /f CertPath\mycert.pfx /p MyPassword $p" sfquery.iss

Now, whether I build using the UI or through a build process, my setup executable is always signed.


Michael said...

Thank you for the informative post. However, I wonder why we need separate certificates for SSL on a website and for code signing. It's the same technology and the same verification process, just two separate fees.

Doug Hennig said...

Good question, but I don't know the answer.

netsendjoe said...

Where can I get or create my own digital certificate for free?

Doug Hennig said...

You can't create your own digital certificate: if you could, then anyone could do it, which would defeat the purpose of digitally signing an app. I doubt you can find a free one.

David Mail said...

Of course you can get a free certificate creating so called 'self-signed' certificate. Just Google a bit for that. It would not be trusted since it was not issued by a known Certificates Authority, but it is good enough for the testing purpose

Anonymous said...

It is very important to point out, that the current version of ISTool seems to have a bug and cannot interprete the [Server] directive "Signtool". You will always get an error "Invalid paramters".

You need to use the original Inno Compiler to compile your .iss files.

Anonymous said...

I found that I needed to add a $p (for parameters) onto the end of the argument list for the signtool.exe tool for it to work.

Anonymous said...

Thanks Anonymous for the comment to add $p onto the end. That was so, so not obvious. The signing kept failing until I did what you said. Thanks!

Mark R said...

This works just fine when I install it on the computer represented by the directory path. But when I upload it to my CPalen-hosted website for others to download, evaluate, and buy, the certificate notice does not appear. I have a ticket into cPanel to resolve this, but I have not seen a discussion anywhere that discusses executable file certificates. All I see discussed are securing entire domains. I don't need to secure my domain as I am not planning to do financial transactions over it. You have a nice site. Thanks.

Doug Hennig said...

Mark, this blog post was ONLY about executable signing, not securing a domain. Assuming you've correctly signed both the installer executable and the executable being installed, the user should see the publisher name in the UAC dialog.

Alex said...

If the path to certificate has a space in it, your last command won't work. Any solutions?

Doug Hennig said...

Put quotes around it.

Anonymous said...

Thanks for your insightful post! Saved me a bunch of time getting a project signed.