Innosetup certificate signing help

Hello. I just purchased the signing certificate through kSoftware and also downloaded the kSign program. I also just downloaded Innosetup as this has been highly recommended as an easy and free Windows installer tool.

My question is what are the steps to sign the installer? I first created the .exe using Innosetup and then went into kSign to sign the app. I tested it on my machine where the certificate is present, and the installer first prompted with the box saying this is from a verified publisher! Awesome! However, I then attempted on my other PC and was still getting the “unknown publisher” message. Is there something you have to configure in the Innosetup tool? I checked the documentation but am confused as to where to put what, if that is even necessary.

I signed the Xojo-created .exe as well as the entire DLL folder and the Resources folder before creating the Inno Installer. I then also signed the Inno-created .exe. Using kSign, you first tell it where your certificate is located on the left of the window, then find the individual files or folders you wish to have signed on the right of the window. When you click sign, you will see info at the bottom of the screen telling you of its progress. Upload your .exe installer to the internet and then download it again to see if your signing has worked. kSign is a very good tool. It should work well for you.

That sounds back to front to me.
You need to sign the app, then build it into an exe using innosetup and sign the installer too.

In my script I have a line that tells Inno what the signage should be:

SignTool=kSign /d $qMYCOMPANY$q /du $qhttp://MYWEB.COM$q $f

In tools/sign tools, you need to add an entry to qualify the path to ksign and your passwords.

So the sign tool name there is kSign
And my command line is:

"C:\Program Files (x86)\kSign\kSignCMD.exe" /f C:\RB_STUFF\Certificates.p12 /p SECRETPASSWORD $p

When I build in Inno, it launches kSign to sign the app, then builds the install, then launches kSign again to sign the installer.

Jeff and Roger, thank you for your input.

I like the simplicity of Roger’s sign/build/sign. @Jeff Tullin, is that basically the same as what you are doing in the code in Innosetup? The command lines confuse me a bit. Is this still necessary?

I did try again Roger’s method (without adding in the code in Innosetup), but still was coming up as an unknown publisher. Was this because of the missing code in Innosetup?

I think I set up the kSign appropriately but maybe not. After I got the approval from Comodo, I exported (??) the file to a spot on my computer, which is a .pfx file. In kSign, I have the Your Certificate pointed to the path where the .pfx file is and entered the Certificate Password. Then chose the folder on the right panel containing all the files, dlls, and the .exe of the built project. Signed these. Ran the Innosetup tool to create the compiled .exe. Signed this. Tried on the other PC and unknown publisher.

Well, it saves me running KSign by hand is all.
Automates the process.

Ah ok, so I should be good doing the method by Roger. Do you have any clue as to why I might still be seeing the unknown publisher on the other PC?

If there’s an issue with the signing on Inno Setup it will squawk about it (dealing with this today). Make sure the output is actually getting updated. Afterwards you should be able to right click on the installer and select properties and see a Digital Signatures tab (at least in Windows 7 there is).

Thanks Bob. I just checked the installer properties, and it is showing on both machines with the name of signer (my company name), the digest algorithm, and the timestamp.

When clicking on details on my main PC where I downloaded the cert, it does say the digital signature is OK, but on the other PC, it shows the signature in the properties, but when clicking on the details, it says the certificate in the signature cannot be verified. When I click on the View Certificate, it says “Windows does not have enough information to verify this certificate”

I also contacted kSoftware to see if they can help with this too.

They’ve been quick to answer my questions so hopefully you find a solution. When you do, let us know what it was.

When was the problematic machine last updated? Windows Update regularly updates the root certificates for you. If that is not up to date you would have problems like this.
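
The check discussed in this part of the thread, as an added example that is not part of any poster's message: a PowerShell function that reads the installer's Authenticode status and rebuilds the signer's certificate chain against the local machine's stores, so the results from two PCs can be compared. The function name Test-InstallerSignature and the default path .\setup.exe are assumptions made for the example.

```powershell
# Added example, not from the thread. $Path is a placeholder for your signed installer.
param([string]$Path = '.\setup.exe')

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    # What Windows itself concludes about the file on THIS machine.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result = [ordered]@{
        File         = $FilePath
        Status       = $sig.Status        # e.g. Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Message      = $sig.StatusMessage
        Signer       = $null
        Timestamped  = $null -ne $sig.TimeStamperCertificate
        ChainTrusted = $false
        ChainErrors  = @()
        Chain        = @()
    }
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$result }
    $result.Signer = $sig.SignerCertificate.Subject

    # Rebuild the chain against this machine's certificate stores. Revocation
    # checking is switched off (an assumption of this example) so the result
    # reflects only whether a trusted root is present, and the check runs offline.
    $noCheck = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $noCheck
    $result.ChainTrusted = $chain.Build($sig.SignerCertificate)
    $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result.Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    return [pscustomobject]$result
}

if (Test-Path -LiteralPath $Path) {
    Test-InstallerSignature -FilePath (Resolve-Path -LiteralPath $Path).Path | Format-List
} else {
    Write-Warning "File not found: $Path"
}
```

Run it on both machines and compare the output: a machine with a stale root store typically reports ChainTrusted as False with a chain error such as PartialChain or UntrustedRoot, while the Signer and Timestamped fields are still populated.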

That was it Bob! I keep my older machines to test for things like this. Problem is, it could be months from the last time the computer was opened and updated. Last night, there was a Windows update available, so I let it run. Just tried it now, and the installer box popped up having the company name in the publisher spot! Plus, checking the properties, everything looks great! Thanks for the help!

Also be aware that I recently had to change my Inno Setup to accommodate the new SHA256 code signing after using the SHA1 for years. If you just started it may not be a big deal but it definitely ruined a few hours of my life yesterday.

Oh wonderful. Yes, I just downloaded Innosetup last week so am new with this tool. Thanks for the heads up @Bob Keeney