2
votes

I am attempting to automate our code signing process in Inno Setup. Unfortunately, we have a fairly strict protocol on the .pfx and password distribution, and only one person on the project can have access to it.

This would not be a problem in itself if all of the installs were compiled on that person's machine. SignTool could be set up in the IDE, and the password would remain secure on the user's PC. However, we use a shared machine to compile our builds, so we cannot set SignTool up there, as we can't leave that password so readily accessible. There are various reasons for this, and it cannot be altered.

What I would like to do is have Inno pop up an "Enter .pfx Password" dialogue after the compile is complete.

At present, my thinking is either to get Inno Setup to request authentication, which I do not know how to do, or to write a small script which compiles the setup and signs it outside of Inno Setup. The latter I could do relatively easily, but due to the nature of our workflow, it would be better all round if Inno Setup could be harnessed for this.

Can anybody help me in getting Inno Setup to request a SignTool password for the .pfx file?

1
Which sign tool are you using? Microsoft SignTool? If so, you can use the signwizard command, which will launch the signing wizard that will prompt for a password if needed. But consider what all of you would do when you compile the script yourselves. Would you call the boss to enter the password? I would be for the latter idea you've mentioned: let the members of your team compile the unsigned installer and, once you're done, let the boss sign it (from outside Inno Setup). – TLama
Yes, using Microsoft SignTool from the Windows SDK 7.1. The suggested solution doesn't work for us unfortunately; we compile in excess of 20-40 installers a day, spanning about 20 .iss files, so we can't pass on files for signing. This is why we want to tie it in to the build process in Inno, so that we can just skip signing if the key holder is not present, but for the majority of builds, he will be. Part of the problem is that our testing is outsourced, and we rapidly go through builds, so after a compile is completed, it is live within minutes. I will try using signwizard in Inno Setup. – Luke Turner
Signtool /a will search for the cert, and you can install a private key without the ability to export. – Nick Westgate

1 Answer

2
votes

If the key holder is ok with the builds being signed automatically rather than with his actual permission, then you could set up some kind of server program on his machine that does the signing, and change the command in Inno to hand the build off to that program over your network rather than calling signtool directly. That way only his machine will know the password and/or possess the private key.

Alternatively, just forego signing builds until they have passed QA and are actually being released to customers. Remove the SignTool setting and replace it with the SignedUninstaller setting.

When SignedUninstaller is used without SignTool, it will require the keyholder to manually sign the uninstall file once, and then this can be reused from a shared location without further resigning (until you upgrade Inno, at which point you need to do it again). The script being built will have a signed uninstall but an unsigned output installer. You can then pass it to QA and sign it manually later on when the keyholder is available (or discard it if it fails QA).
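The two configurations the answer contrasts, written out as an added example (this is not code from the question, the answer, or Inno Setup's own documentation). The app name, the share path, the sign tool configuration name and the placeholder password and timestamp server are assumptions; the `SignTool`, `SignedUninstaller` and `SignedUninstallerDir` directives and the ISCC `/S` switch are real Inno Setup features.

```iss
; Fragment A - the setup to avoid on a shared build machine.
; The sign tool is registered either in the IDE (Tools | Configure Sign
; Tools) or on the ISCC command line, and either way the .pfx password
; ends up in clear text where every user of the machine can read it:
;   ISCC.exe "/Sbuildsign=signtool.exe sign /f C:\keys\company.pfx /p <PFX_PASSWORD> $p" MyApp.iss
; ($p is replaced with the parameters given after the name in SignTool,
;  $f with the file being signed, $q with a double quote.)
[Setup]
AppName=MyApp
AppVersion=1.0
OutputBaseFilename=MyApp-Setup
SignTool=buildsign /d $qMyApp Setup$q $f
SignedUninstaller=yes

; Fragment B - the answer's alternative for the shared machine.
; No SignTool directive, so nothing on this machine holds the key or
; password. SignedUninstaller=yes without SignTool makes the compiler
; reuse a pre-signed uninstaller from SignedUninstallerDir instead of
; signing one itself; the output installer is left unsigned and is signed
; by the key holder by hand once the build has passed QA.
[Setup]
AppName=MyApp
AppVersion=1.0
OutputBaseFilename=MyApp-Setup
SignedUninstaller=yes
; Read-only share that holds the one uninstaller the key holder signed.
; If the expected file is missing (first use, or after an Inno Setup
; upgrade) the compile stops and the compiler writes the unsigned
; uninstaller here for the key holder to sign and put back.
SignedUninstallerDir=\\buildshare\innosetup\signed-uninstaller

; Manual step, run by the key holder on their own machine only, for both
; the uninstaller stub and each released installer. With the certificate
; imported into their personal store with a non-exportable private key,
; /a picks it automatically and no .pfx or password leaves that machine:
;   signtool.exe sign /a /t http://<timestamp-server> Output\MyApp-Setup.exe
```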