# Inno Setup and codesigning

After a painful experience with Sectigo, I finally have a renewed signing certificate.
My old one ended with .p12 and was working integrated with Inno Setup nicely.
My new one has an extension of .pfx, and swapping the old file name for the new just gets me an error in Inno:

'Value of [setup] section directive “Signtool” is invalid'

I have no idea where to start correcting that.
Is anyone using a .pfx file with Inno?

The only difference between p12 and pfx is the file extension. Internally they are identical.
I’ve always used pfx for signing with InnoSetup.

Sectigo is awful…

If it helps, my sign tool is configured as

```
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362\x64\signtool.exe" sign /f "C:\path\to\Certificate.pfx" /p YouShallNotPassword /tr http://timestamp.digicert.com /td sha256 /td sha256 $p
```

And in the script itself I have

```
SignTool=TheNameGivenToTheTool /d $qAppName$q /du $qhttps://thewebsiteoftheapp$q $f
```

Thanks for the examples Thom.
I use KSign at the moment… if .pfx and .p12 are the same, I’m at a loss to see why the current command line would suddenly look like an error.

John: What does your Sign line look like in the script? And the signtool setup in the menu?

C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362\x64\signtool.exe

…I don’t have that…
I’ll see if I can download it without the 6Gb of Windows dev kit.

Don’t get anywhere near me and a drink and say their name.

Solved.
I removed the signing code for a few weeks (!) while I was struggling to get a renewed certificate.

When I typed the information back in, I used ‘ksign’ in the menu, but had kSign in the script.
Inno is case sensitive.
All working again now.
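
The name mismatch described in the post above can be caught before a build. The following is an added example, not code from the thread or from Inno Setup: `signtool_names`, `check_signtool_names`, the sample script and the list of configured names are all assumptions, and it takes the poster's statement that the name match is case sensitive as given.

```python
import re

# Constructed sample .iss fragment reproducing the thread's mismatch.
SAMPLE_ISS = """\
; constructed sample script
[Setup]
AppName=MyApp
SignTool=kSign /d $qMyApp$q $f

[Files]
Source: "app.exe"; DestDir: "{app}"
"""

def signtool_names(iss_text):
    """Return the tool names used by SignTool directives in [Setup]."""
    names, section = [], None
    for raw in iss_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)      # section header
        if m:
            section = m.group(1).lower()
            continue
        if section != "setup" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "signtool" and value.strip():
            names.append(value.split()[0])        # first token is the tool name
    return names

def check_signtool_names(iss_text, configured):
    """Classify each script name against the names configured in the IDE menu."""
    by_lower = {c.lower(): c for c in configured}
    report = []
    for name in signtool_names(iss_text):
        if name in configured:
            report.append((name, "ok", name))
        elif name.lower() in by_lower:            # differs only by letter case
            report.append((name, "case-mismatch", by_lower[name.lower()]))
        else:
            report.append((name, "not-configured", None))
    return report

if __name__ == "__main__":
    # "ksign" stands in for the name typed into the sign tools menu (assumption).
    for name, status, match in check_signtool_names(SAMPLE_ISS, ["ksign"]):
        print(f"{name}: {status}" + (f" (configured as {match})" if match else ""))
```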

FYI, you can get signtool without the whole SDK. You’ll download the SDK and then at the installer you can choose only to install the signing tools. My “Windows Kits” folder is under 7MB. Given that ksigncmd.exe is no longer developed, I recommend investing a little time in switching over. kSoftware even includes a zip of signtool in their help article: https://support.ksoftware.net/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files-

I still use kSignCMD. They may not be supporting it, but it still works for me.
I don’t know of any security changes that would require an update.
When I set up the process a few years ago, signtool never could generate the timestamp.

That worked for me…