Inno Setup and codesigning

  1. 3 months ago

    Jeff T

    Jul 17 Pre-Release Testers Midlands of England, Europe

    After a painful experience with Sectigo, I finally have a renewed signing certificate.
    My old one ended with .p12 and was working integrated with Inno Setup nicely.
    My new one has an extension of .pfx, and swapping the old file name for the new just gets me an error in Inno:

    'Value of [setup] section directive "Signtool" is invalid'

    I have no idea where to start correcting that.
    Is anyone using a .pfx file with Inno?

  2. John A

    Jul 17 Pre-Release Testers Las Vegas, Nevada

    The only difference between p12 and pfx is the file extension. Internally they are identical.
    I've always used pfx for signing with InnoSetup.

  3. Thom M

    Jul 17 Pre-Release Testers Greater Hartford Area, CT

    Sectigo is awful....

    If it helps, my sign tool is configured as

    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362\x64\signtool.exe" sign /f "C:\path\to\Certificate.pfx" /p YouShallNotPassword /tr http://timestamp.digicert.com /td sha256 /td sha256 $p

    And in the script itself I have

    SignTool=TheNameGivenToTheTool /d $qAppName$q /du $qhttps://thewebsiteoftheapp$q $f

  4. Jeff T

    Jul 17 Pre-Release Testers Midlands of England, Europe
    Edited 3 months ago

    Thanks for the examples, Thom.
    I use KSign at the moment. If .pfx and .p12 are the same, I'm at a loss to see why the current command line would suddenly look like an error.

    > I've always used pfx for signing with InnoSetup.

    John: What does your Sign line look like in the script? And the signtool setup in the menu?

    > C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362\x64\signtool.exe

    ..I don't have that..
    I'll see if I can download it without the 6GB of Windows dev kit.

    > Sectigo is awful....

    Don't get anywhere near me and a drink and say their name. ;)

  5. Jeff T

    Jul 17 Pre-Release Testers Answer Midlands of England, Europe

    Solved.
    I removed the signing code for a few weeks (!) while I was struggling to get a renewed certificate.

    When I typed the information back in, I used 'ksign' in the menu, but had kSign in the script.
    Inno is case sensitive.
    All working again now.
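
An added example, not part of the thread or of Inno Setup itself: a small Python check for the two problems that surface above, a `SignTool=` name in the script that does not exactly match a configured tool name, and risky or repeated switches in the signtool command line. The tool table, script text, paths and password are constructed placeholders, and exact-case name matching is assumed from the report in the thread.

```python
import re

# Constructed inputs modelled on the thread; names, paths and password are placeholders.
CONFIGURED_TOOLS = {
    "ksign": r'"C:\path\to\signtool.exe" sign /f "C:\path\to\Certificate.pfx" '
             r'/p PLACEHOLDER /tr http://timestamp.digicert.com /td sha256 /td sha256 $p',
}
SAMPLE_ISS = """\
[Setup]
AppName=Example
SignTool=kSign /d $qExample$q /du $qhttps://example.invalid$q $f
"""


def signtool_names(iss_text):
    """Return the tool names used by SignTool= directives in the [Setup] section."""
    names, section = [], None
    for line in iss_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        m = re.match(r"signtool\s*=\s*(\S+)", line, re.I)
        if m and section == "setup":
            names.append(m.group(1))
    return names


def audit(iss_text, tools):
    """Report unresolved SignTool names and risky switches in the tool commands."""
    findings = []
    for name in signtool_names(iss_text):
        if name not in tools:  # exact match: assumption taken from the thread
            close = [t for t in tools if t.lower() == name.lower()]
            hint = f"; configured as {close[0]!r}, case differs" if close else ""
            findings.append(f"SignTool {name!r} is not a configured name{hint}")
    for name, cmd in tools.items():
        args = cmd.lower().split()
        if "/p" in args:
            findings.append(f"{name}: /p puts the certificate password in plain text")
        if "/fd" not in args:
            findings.append(f"{name}: no /fd file digest switch")
        for sw in ("/fd", "/td", "/tr"):
            if args.count(sw) > 1:
                findings.append(f"{name}: {sw} given {args.count(sw)} times")
    return findings
```

Calling `audit(SAMPLE_ISS, CONFIGURED_TOOLS)` returns one finding for the `kSign`/`ksign` mismatch and three for the command line (plaintext `/p`, missing `/fd`, repeated `/td`).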

  6. Thom M

    Jul 18 Pre-Release Testers Greater Hartford Area, CT

    FYI, you can get signtool without the whole SDK. You'll download the SDK and then at the installer you can choose only to install the signing tools. My "Windows Kits" folder is under 7MB. Given that ksigncmd.exe is no longer developed, I recommend investing a little time in switching over. kSoftware even includes a zip of signtool in their help article: https://support.ksoftware.net/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files-

  7. John A

    Jul 18 Pre-Release Testers Las Vegas, Nevada

    I still use kSignCMD. They may not be supporting it, but it still works for me.
    I don't know of any security changes that would require an update.
    When I set up the process a few years ago, signtool never could generate the timestamp.
