They say that because the app I want to sign is x86, I have to use x86 sign tool.
I do not believe that is correct, as my build process would prove otherwise.
Agree, that’s just wrong. I sign on x64 for x86, x64, and arm64.
I’m up and running. (Thanks for the moral support, Tim!)
My system is a Windows 11 Arm in VM
I had a few tries at software and drivers.
Some things didnt work until a restart.
Installed the multi-platform yubikey driver CAB and restarted.
Installed the x64 Yubikey manager (doesnt seem to offer much functionality..)
Installed the windows SDK, which gave me at least 3 signtools and a huge bag of unwanted stuff, but hey ho..
CertMgr didn’t show my certificate until after a few restarts.
Having assembled a command line that worked:
“C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\signtool.exe” sign /tr http://ts.ssl.com /td SHA256 /fd sha256 /a “myapp.exe”
I worked that into Inno Setup by modifying it to be
“C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\signtool.exe” sign /tr ``http://ts.ssl.com`` /td SHA256 /fd sha256 /a $p
It asks me for the PIN twice during the build process (once for the app, and once for the installer), but I can live with that (at least for now!)
FWIW: SSL.com sent me an odd ‘gift for you’, which is a card that says it is a coupon redeemable for 20 off
.. doesnt have a code, doesn’t say if that’s $20 or 20%, but if anyone else is heading that way, ask me about it.. it may get someone else a discount…
1 Like
It will ask for the PIN for each file it needs to sign. If you add the “signed uninstaller” flag, you’d probably get asked three times 
Use the ScSignTool.exe tool mentioned in Thom’s blog to automate that. You really just add your PIN before the existing sign command.
2 Likes
Done, and all working well. Despite some concerns, this probably went smoother than buying PFX certificates over the years. Now all I have to do is not lose the key!