Question

I am attempting to automate our code signing process in Inno Setup. Unfortunately, we have a fairly strict protocol on the .pfx and password distribution, and only one person on the project can have access to it.

This would not be a problem in itself if all of the installs were compiled on that person's machine. SignTool could be set up in the IDE, and the password would remain secure on the user's PC. However, we use a shared machine to compile our builds, so we cannot set SignTool up, as we can't leave that password so readily accessible. There are various reasons for this, and they cannot be altered.

What I would like to do is have Inno pop up an "Enter .pfx Password" dialogue after the compile is complete.

At present, my thinking is either to get Inno Setup to request authentication, which I do not know how to do, or to write a small script which compiles the setup and signs it outside of Inno Setup. The latter I could do relatively easily, but due to the nature of our workflow, it would be better all round if Inno Setup could be harnessed for this.

Can anybody help me in getting Inno Setup to request a SignTool password for the .pfx file?


Solution

If the key holder is OK with the builds being signed automatically rather than with his actual permission, then you could set up some kind of server program on his machine that does the signing, and change the command in Inno to hand the build off to that program over your network rather than calling signtool directly. That way, only his machine will know the password and/or possess the private key.

Alternatively, just forgo signing builds until they have passed QA and are actually being released to customers. Remove the SignTool setting and replace it with the SignedUninstaller setting.

When SignedUninstaller is used without SignTool, it will require the keyholder to manually sign the uninstall file once; this can then be reused from a shared location without further re-signing (until you upgrade Inno, at which point you need to do it again). The script being built will have a signed uninstall but an unsigned output installer. You can then pass it to QA and sign it manually later on when the keyholder is available (or discard it if it fails QA).
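The first suggestion in the answer, a signing service on the key holder's machine that the build machine hands the compiled installer to, sketched as an added example (not code from the original post, and not part of Inno Setup). The build machine's Inno Setup sign-tool entry would be defined in the IDE (Tools > Configure Sign Tools) or on the ISCC command line as `/S"relay=python sign_relay.py client $f"`, with `SignTool=relay` in `[Setup]`; the `$f` placeholder is Inno's own, everything else here is assumed: the `sign_relay.py` name, the `SIGN_RELAY_SECRET`, `SIGN_PFX` and `SIGN_PFX_PASSWORD` environment variables, the allowed build-host address and the HTTP endpoint. The request handling is kept in a pure function so the checks (caller allow-list, shared-secret HMAC over the upload, size cap, PE magic) can be tested without a network.

```python
"""sign_relay.py (hypothetical): keep the .pfx and its password on the key
holder's machine; the build machine only ever sends bytes to be signed."""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib import request

ALLOWED_BUILD_HOSTS = {"127.0.0.1", "10.0.0.25"}  # assumed address of the shared build machine
MAX_UPLOAD_BYTES = 200 * 1024 * 1024              # refuse uploads far larger than any installer
AUDIT_ENTRIES = []  # in-memory audit trail; a real service would persist this


def request_token(secret: bytes, payload: bytes) -> str:
    """HMAC over the upload's SHA-256: proves the caller knows the shared secret
    and lets the server detect a payload altered in transit."""
    return hmac.new(secret, hashlib.sha256(payload).digest(), "sha256").hexdigest()


def handle_sign_request(payload: bytes, token: str, client_host: str,
                        secret: bytes, signer) -> tuple:
    """Server-side policy, returns (http_status, body). Only a request that passes
    every check reaches the signer, which is the only code that touches the key."""
    if client_host not in ALLOWED_BUILD_HOSTS:
        return 403, b"host not allowed"
    if len(payload) > MAX_UPLOAD_BYTES:
        return 413, b"upload too large"
    if not hmac.compare_digest(request_token(secret, payload), token):
        return 401, b"bad token"
    if not payload.startswith(b"MZ"):  # Inno Setup's output is a PE executable
        return 400, b"not a PE file"
    signed = signer(payload)
    AUDIT_ENTRIES.append({"from": client_host,
                          "in_sha256": hashlib.sha256(payload).hexdigest(),
                          "out_sha256": hashlib.sha256(signed).hexdigest()})
    return 200, signed


def signtool_signer(pfx_path: str, password: str):
    """Returns a signer that runs Microsoft's signtool locally; the .pfx and
    password are read only on the key holder's machine."""
    def sign(payload: bytes) -> bytes:
        with tempfile.TemporaryDirectory() as tmp:
            exe = Path(tmp) / "Setup.exe"
            exe.write_bytes(payload)
            subprocess.run(["signtool", "sign", "/f", pfx_path, "/p", password,
                            "/fd", "sha256", str(exe)], check=True)
            return exe.read_bytes()
    return sign


class RelayHandler(BaseHTTPRequestHandler):
    secret = b""
    signer = None

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        payload = self.rfile.read(min(length, MAX_UPLOAD_BYTES + 1))
        status, body = handle_sign_request(payload, self.headers.get("X-Sign-Token", ""),
                                           self.client_address[0], self.secret, self.signer)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def sign_via_relay(file_path: str, relay_url: str, secret: bytes) -> None:
    """Build-machine side: what the Inno Setup sign-tool entry runs with $f.
    Replaces the unsigned installer in place with the signed bytes."""
    data = Path(file_path).read_bytes()
    req = request.Request(relay_url, data=data, method="POST",
                          headers={"X-Sign-Token": request_token(secret, data),
                                   "Content-Type": "application/octet-stream"})
    with request.urlopen(req, timeout=600) as resp:
        Path(file_path).write_bytes(resp.read())


if __name__ == "__main__":
    secret = os.environ["SIGN_RELAY_SECRET"].encode()  # provisioned out of band on both machines
    if sys.argv[1] == "server":  # run on the key holder's machine
        RelayHandler.secret = secret
        RelayHandler.signer = signtool_signer(os.environ["SIGN_PFX"], os.environ["SIGN_PFX_PASSWORD"])
        HTTPServer(("0.0.0.0", 8443), RelayHandler).serve_forever()
    else:  # "client": run by Inno Setup on the build machine
        sign_via_relay(sys.argv[2], "http://keyholder-pc:8443/sign", secret)
```

Two design points worth keeping even if the transport changes: the relay should run over TLS or an authenticated tunnel rather than the plain HTTP used here, and on the key holder's machine it is cleaner to import the certificate into the Windows certificate store and select it with signtool's `/sha1 <thumbprint>` than to pass the .pfx password on a command line where it is visible in process listings.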

Licensed under: CC-BY-SA with attribution