Code Signing Your Inno Setup Installers - A Complete Guide

Written by Radu Popescu · November 21st, 2024 · 4min read

You've put in the hard work to create an Inno Setup installer, and now it’s time to make sure end users trust your installer. Adding a digital signature to your setup file gives it credibility and protects it from tampering.

In this guide, you’ll discover everything you need to know to easily and effectively code-sign your Inno Setup installer.

What You’ll Need to Get Started

Before you dive into code-signing, make sure you have these essentials ready.

Let’s ensure your toolkit is complete:

1. A Code-Signing Certificate

Your first step is obtaining a valid code-signing certificate, like a digital stamp of approval. You can purchase one from a trusted certificate authority (CA) or, for testing purposes create a self-signed certificate.

NoteCheck out our article, Where Can I Purchase a Code Signing Certificate, for more details.

After purchasing, make sure to export the certificate in PFX format with a password that’s easy to access. The Personal Information Exchange (.pfx) file is a password-protected certificate that's commonly used for code signing applications. It stems from the PKCS 12 archive file format and can store multiple cryptographic objects in a single file.

2. A Code-Signing Tool

Microsoft’s SignTool is a powerful utility included with the Windows SDK that lets you digitally sign your files. You can download the SDK from this link.

While installing the SDK, follow the installation wizard and ensure you select SignTool as an installation feature, as shown below.

Install Microsoft SignTool

How to Code-Sign Your Inno Setup Installer

With your certificate and SignTool ready to go, let’s jump into the main event: adding a digital signature to your Inno Setup installer.

Just a few simple steps and your setup will be ready to roll with a seal of authenticity.

1. Configure Sign Tool in Inno Setup Compiler

1.1 Launch Inno Setup and go to the Tools tab, then select Configure Sign Tools… to open up the signing options.

Configure Sign Tools in Inno Setup

1.2 In the Configure Sign Tools window, click Add... to start setting up your signing tool, and give it a name you’ll easily recognize.

Sign Tool command line

1.3 Add the Sign Tool command.

Add the Sign Tool command

Use the example below, adjusting the path and certificate details as needed:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /f "D:\_Packaging\digital-sign-no-pass.pfx" /t http://timestamp.comodoca.com/authenticode /fd sha256 $f

Here’s a quick look at each part of the command:

  • "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" is the path where signtool.exe is present.
  • sign tells signtool.exe to sign.
  • /f "D:\_Packaging\digital-sign-no-pass.pfx" tells where our purchased certificate is stored on the machine (the location where you downloaded the .pfx file).
  • /thttp://timestamp.comodoca.com/authenticode tells which timestamp to use.
  • /fd sha256 specifies the algorithm to be used for encryption.
  • $f represents the Inno Setup parameter which tells the compiler to sign the generated setup from the current script.

NoteAll the above parameters are mandatory for a successful code signing.

1.4 Now click OK and remember the name of your signing tool – you’ll need it in the next step.

Add the Sign Tool command 2

2: Add Sign Tool to Your Inno Setup Script

Now, let’s bring everything together by adding the sign tool to your Inno Setup script.

2.1 Open your Inno Setup script, and in the [Setup] section, add the following line, replacing MySign with the name you gave your signing tool:

SignTool=MySign

2.2 Build your Inno Setup project. When it’s complete, right-click on the generated setup file, select Properties, go to the Digital Signatures tab, and confirm that the file is signed and trusted.

Inno Setup installer digital signature applied

Conclusion

Digitally signing your Inno Setup installer is a powerful way to boost trust and security, showing users that your software is verified and safe. Following these steps, you can configure Inno Setup to automatically apply a digital signature, delivering a professional, trusted experience for your users every time.

Written by
See author's page
Radu Popescu

Technical Writer at Advanced Installer, Technical Engineer on various enterprise client projects. Experienced in Software Packaging, SCCM infrastructure and System Administrating. Tech enthusiast and music producer in his spare time.

Comments: