I use smctl.exe to sign a desktop application on our build server. I execute iscc.exe with my *.iss file, including the /S parameter, like this:
/Dsigning=true /Dbuildworkingdir=${bamboo.build.working.directory} ${bamboo.build.working.directory}\150_Software\10_SW\InnoSetup\EPCSetup.iss "/Ssigntool=smctl.exe sign --keypair-alias key_XXXXXXXX --input $f"
This results in a properly signed "setup.exe".
This works as long as I have this line in my *.iss file:
SignedUninstaller=no
As soon as it is switched to SignedUninstaller=yes, the build fails.
Here is the corresponding excerpt from the Bamboo Log:
build 27-Sep-2023 08:09:20 Preparing Setup program executable
build 27-Sep-2023 08:09:20 Updating version info (SETUP.E32)
build 27-Sep-2023 08:09:21 Running Sign Tool signtool: C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe sign --keypair-alias key_XXXXXXXXX --input "D:\Atlassian\ApplicationData\Bamboo\local-working-dir\360449\CFN-DIG-JOB1\150_Software\10_SW\InnoSetup\Output\uninst.e32.tmp"
build 27-Sep-2023 08:09:24 There were no files found for signing
error 27-Sep-2023 08:09:24 Error in D:\Atlassian\ApplicationData\Bamboo\local-working-dir\360449\CFN-DIG-JOB1\150_Software\10_SW\InnoSetup\EPCSetup.iss: The Sign Tool command returned an exit code of 0, but the file does not have a digital signature.
error 27-Sep-2023 08:09:24 Compile aborted.
My investigations have shown that smctl.exe uses the Microsoft signtool.exe for signing. signtool.exe can only sign executable files.
Now I can't get any further. InnoSetup wants to sign "uninst.e32.tmp" but smctl.exe refuses. Is anyone aware of this problem? What can I do? And in addition: Why does InnoSetup try to sign a *.tmp file?
Any hints will be very much appreciated.
You can use the actual Microsoft signtool with DigiCert by getting the SHA1 thumbprint of your DigiCert certificate, and then using:
...\path\to\signtool.exe sign /sha1 <thumbprint> /tr http://timestamp.digicert.com /td sha256 /fd sha256 %1
where %1 stands for the file to sign.
You can use signtool assuming you've already run the DigiCert setup tool smksp_cert_sync.exe to download its metadata about the certificates they hold in store for you. This registers them in some standard way that signtool understands. Since you're using smctl, I assume this is already being done.
I believe you can get the thumbprint by running (Start > Run) certmgr.msc to see a list of all certificates under "Current User \ Personal \ Certificates".
I used to use DigiCert signing for everything including Inno uninstaller stubs and this worked fine.
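The steps in the answer above (find the thumbprint in Current User \ Personal, hand it to signtool with /sha1, check the result), as an added PowerShell example that is not part of the question or the answer. It assumes smksp_cert_sync.exe has already populated Cert:\CurrentUser\My, that the signtool.exe path is a placeholder you replace, and that Inno Setup's $f placeholder takes the place of the answer's %1.

```powershell
# Added example, not from the question or answer. Locate the DigiCert code-signing
# certificate in Cert:\CurrentUser\My (the store the answer names), print its
# thumbprint, build the matching /Ssigntool definition for iscc.exe, and verify
# the produced setup.exe afterwards.
$SignToolPath  = 'C:\path\to\signtool.exe'   # placeholder: adjust to your Windows SDK install
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning

# Only certificates that carry the Code Signing EKU, are currently valid and are
# issued by DigiCert are candidates; expired certificates are excluded on purpose.
$now = Get-Date
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.Issuer -match 'DigiCert' -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $CodeSigningEku })
    }

if (-not $candidates) {
    throw 'No valid DigiCert code-signing certificate in Cert:\CurrentUser\My; run smksp_cert_sync.exe first.'
}

# If several match, prefer the one that expires last.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# The signtool command from the answer with the thumbprint filled in. Inno Setup
# substitutes $f for the file to sign (the answer writes %1 for the same thing),
# so the dollar sign is escaped to reach iscc.exe literally.
$signCmd = "`"$SignToolPath`" sign /sha1 $($cert.Thumbprint) /tr http://timestamp.digicert.com /td sha256 /fd sha256 `$f"
Write-Host "ISCC parameter: /Ssigntool=$signCmd"

# After the build, confirm that the output carries a valid Authenticode signature
# from exactly this certificate; a build step can fail the pipeline otherwise.
function Test-SignedBy([string]$Path, [string]$Thumbprint) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}
# Example use once the compile has run (path assumed):
# if (-not (Test-SignedBy '.\Output\setup.exe' $cert.Thumbprint)) { exit 1 }
```

With SignedUninstaller=yes, Inno Setup signs the uninstaller stub as well, so a valid signature on setup.exe from this pipeline also covers the case that failed in the question.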