Sign all exe files on Inno Setup Installation

Question

I have a digital code sign certificate for the executables distributed by my company.

We use Inno Setup to make the installation executable, and it has a option to Sign the installer and uninstaller files, but I want to sign all the executable files inside the installer, is it possible using some script in Inno, as a preprocessor task?

I think I can use the ISPP to call the kSign tool to sign the files using the command Exec.

How can I call it only for .EXE files in installation?
How can I use the key value below in the command line:

SignTool=KSign /d $qAPP_NAME-$q /du $qhttp://www.app_site.com.br$q $f

Answer 1

Use the sign or signonce flag in the [Files] section.

Answer 2

Ok I found a solution. Here is the way to sign your exe files with inno setup script. Just add the following line to the beginning of your inno script:

#expr Exec("C:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool.exe", "sign /n MyCertName /tr http://tsa.starfieldtech.com " + AddBackslash(SourcePath) + "MyFolder\MyFile.exe")

Answer 3

I´ll post some code from my batch script used to install the executables files, and the installer using:

KSignCMD from: http://support.ksoftware.net/support/solutions/articles/17169-how-do-i-automate-code-signing-with-innosetup-and-ksign-

Inno Setup: http://www.jrsoftware.org/isdl.php

ComodoCertificate: http://support.ksoftware.net/support/solutions/25585

The .bat file, is basically this:

 ECHO OFF
@ECHO OFF
CLS

:: Its just because my certificate file is in the root path
cd ..
SET PARENT_DIR=%CD%

:Inno_Path
SET INNOSetup=ERROR
if EXIST "%ProgramFiles%\Inno Setup 5\iscc.exe" SET INNOSetup="%ProgramFiles%\Inno Setup 5\iscc.exe"
if EXIST "%ProgramFiles(x86)%\Inno Setup 5\iscc.exe" SET INNOSetup="%ProgramFiles(x86)%\Inno Setup 5\iscc.exe"
if %INNOSetup% == ERROR goto error_innoSetup

:ksign_path
SET KSIGN=ERROR
if EXIST "%ProgramFiles%\kSign\kSignCMD.exe" SET KSIGN="%ProgramFiles%\kSign\kSignCMD.exe" 
if EXIST "%ProgramFiles(x86)%\kSign\kSignCMD.exe" SET KSIGN="%ProgramFiles(x86)%\kSign\kSignCMD.exe" 
if %KSIGN% == ERROR goto error_ksign

:: To sign an file, I just use this command
%KSIGN% /du "http://www.xxxxxxxxxx.com" /d "MyCompany - Software Description" /f ..\cert_comodo.p12 /p P@55W0rd! file.exe 

:: Adjusting variables, removing "
SET KSIGN=%KSIGN:"=%
SET PARENT_DIR=%PARENT_DIR:"=%

:: The next command require the InnoSetup "Configure Sign Tools", configuration with name Standard, indicated below on /s parameter
:: Link to this configuration: http://www.jrsoftware.org/ishelp/index.php?topic=setup_signtool
%INNOSetup% "/sStandard=%KSIGN% /f %PARENT_DIR%\cert_comodo.p12 /p P@55W0rd! $p" MySoftwareInstaller.iss
if %ERRORLEVEL% GTR 0 goto iscc_error

:iscc_error
ECHO ISCC.EXE[ERRO(%ERRORLEVEL%)]: Error on generate installer.
goto end

:error_innoSetup
ECHO ISCC.exe not installed on: %ProgramFiles%\Inno Setup\  or  %ProgramFiles(x86)%\Inno Setup\
ECHO Please install ISCC, from Inno Setup: - http://www.jrsoftware.org/isdl.php
goto end

:error_ksign
ECHO KSignCMD.exe not found on: %ProgramFiles%\kSign\  or  %ProgramFiles(x86)%\kSign\
ECHO Please install KSign first: - http://codesigning.ksoftware.net/
goto end

:end
echo Press any key to continue....
pause