If the key holder is ok with the builds being signed automatically rather than with his actual permission, then you could set up some kind of server program on his machine that does the signing, and change the command in Inno to hand the build off to that program over your network rather than calling signtool directly. That way only his machine will know the password and/or possess the private key.
Alternatively, just forego signing builds until they have passed QA and are actually being released to customers. Remove the SignTool setting and replace it with the SignedUninstaller setting.

When SignedUninstaller is used without SignTool, it will require the keyholder to manually sign the uninstall file once, and then this can be reused from a shared location without further resigning (until you upgrade Inno, at which point you need to do it again). The script being built will have a signed uninstall but an unsigned output installer. You can then pass it to QA and sign it manually later on when the keyholder is available (or discard it if it fails QA).