Can I sign the Inno Setup installer after it is compiled instead of using SignTool directive?

I've had a lot of trouble getting Inno Setup's SignTool feature to work on our Windows install.

I'm thinking now of doing the code signing myself outside of Inno Setup.

If I manually code sign our exe before using Inno Setup to build the installer, and then manually code sign the resulting Setup.exe, does that give the same degree of code signing that using SignTool does?

Does SignTool sign the Setup.exe as well as whatever .exe we specify on the signtool screen?

Does SignTool also sign other internal .exe's that Inno Setup perhaps produces? (I ask this because I recall from years ago that there's a filename.tmp exe that gets run by the Setup.exe. Does SignTool do anything to that?)

I believe that the very reason Inno Setup has the SignTool directive at all is the fact, that you cannot completely code sign the installer externally.

The reason being that there are indeed two internal executable files generated during compilation:

• an internal installer (the .tmp that you refer to), and
• an uninstaller

That is in addition to signing:

• the installer itself (which you can indeed sign yourself after the installer is compiled) and
• optionally any included binaries, if they have the sign or signonce flag (those you can indeed sign yourself before compiling the installer).

So maybe you should actually ask a new question about your problem with SignTool directive. It's not really difficult to set up.

See also these questions to learn, how to debug problems with SignTool:

• Signing in Inno Setup fails with "Sign Tool failed with exit code 0x1"
• signtool fail with Inno Setup with exit code 0x1