I have seen other questions but I am still struggling. I had to re-install Windows 11 and am trying to configure signing again.
In Inno Setup:
SignTool
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\Signtool.exe" sign $p
In my script declaration:
SignTool=SignTool /d {#SignedDesc} /du $q{#AppURL}$q /f {#SignedPfx} /p {#SignedPw} /t {#SignedTimeStamp} /v $f
Will not compile:
Running Sign Tool SignTool: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\Signtool.exe" sign /d "Meeting Schedule Assistant" /du "https://www.publictalksoftware.co.uk" /f "d:\My Certificate\2023\My Certificate.pfx" /p "xxxx" /t "http://timestamp.sectigo.com" /v "D:\My Programs\2022\MeetSchedAssist\Inno\Output\uninst.e32.tmp"
Sign Tool command failed (Sign Tool command failed with exit code 0x1). Will retry (2 tries left).
But I get that message.
When I try to compile in Visual Studio with Visual & Installer:
Preparing Setup program executable
Updating version info (SETUP.E32)
Running Sign Tool SignTool: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\Signtool.exe" sign /d "Meeting Schedule Assistant" /du "https://www.publictalksoftware.co.uk" /f "d:\My Certificate\2023\My Certificate.pfx" /p "xxxx" /t "http://timestamp.sectigo.com" /v "D:\My Programs\2022\MeetSchedAssist\Inno\Output\uninst.e32.tmp"
SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.
I can't work out how to use that /fd switch.
The answer was staring me in the face:
SignTool=SignTool /d {#SignedDesc} /du $q{#AppURL}$q /f {#SignedPfx} /p {#SignedPw} /t {#SignedTimeStamp} /v /fd SHA256 $f
SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.
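A pre-build check for the expanded sign command, as an added example that is not part of the original question or answer: it parses a signtool "sign" command line as echoed in the compile log and flags a missing or SHA1 /fd, plus a PFX password passed with /p. The function names parse_switches and lint are hypothetical, and the sample commands are constructed from the log shown above.

```python
import re

# Constructed sample: the expanded command from the compile log above
# (password already redacted as "xxxx" on the page).
FAILING = (r'"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\Signtool.exe" sign '
           r'/d "Meeting Schedule Assistant" /du "https://www.publictalksoftware.co.uk" '
           r'/f "d:\My Certificate\2023\My Certificate.pfx" /p "xxxx" '
           r'/t "http://timestamp.sectigo.com" /v '
           r'"D:\My Programs\2022\MeetSchedAssist\Inno\Output\uninst.e32.tmp"')
# Same command with the change from the answer applied.
FIXED = FAILING.replace(' /v ', ' /v /fd SHA256 ')

# signtool sign switches that consume the following token as their value.
TAKES_VALUE = {"/d", "/du", "/f", "/p", "/t", "/tr", "/td", "/fd"}

def parse_switches(cmdline):
    """Return {switch: value or None} for a signtool 'sign' command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    lowered = [t.lower() for t in tokens]
    if "sign" not in lowered:
        raise ValueError("not a signtool sign command")
    args = tokens[lowered.index("sign") + 1:]
    switches, i = {}, 0
    while i < len(args):
        key = args[i].lower()
        if key in TAKES_VALUE and i + 1 < len(args):
            switches[key] = args[i + 1]   # switch with a value
            i += 2
        else:
            if key.startswith("/"):
                switches[key] = None      # bare switch such as /v
            i += 1                        # otherwise: the file to sign
    return switches

def lint(cmdline):
    """Return a list of findings; an empty list means nothing was flagged."""
    sw = parse_switches(cmdline)
    findings = []
    fd = sw.get("/fd")
    if fd is None:
        findings.append("missing /fd: signtool stops with 'No file digest algorithm specified'")
    elif fd.lower() == "sha1":
        findings.append("/fd sha1: the error text recommends SHA256 as more secure")
    if "/p" in sw:
        findings.append("/p: the PFX password is on the command line and echoed in the compile log")
    return findings

if __name__ == "__main__":
    for name, cmd in (("FAILING", FAILING), ("FIXED", FIXED)):
        print(name, lint(cmd))
```

The /p finding remains for the fixed command because the compile log echoes the whole command line, password included.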