I'm setting up a GitHub CI build system that uses the SignPath signing service to sign our Inno Setup installer file. I use an Inno Setup script from the command line to create the installer exe file and then we upload that to SignPath to be signed. The problem is that the Inno Uninstaller cannot be signed using the SignPath service because we have no control over that part.
Is there a way to interrupt the Inno Setup script so that the Uninstaller exe file can be uploaded to SignPath, signed, re-downloaded, and then continue the Inno Setup script? Or perhaps alternatively unpack the resulting installer exe to sign the Uninstaller exe?
You can write a script/batch file that will upload a binary (the uninstaller) to your code-signing service and download it back after signing, and use that script as the "sign tool" in Inno Setup.
Something like:
Command-line:
iscc mysetup.iss "/ssign=sign.bat $p"
https://jrsoftware.org/ishelp/index.php?topic=compilercmdline
iss:
[Setup]
SignTool=sign $f
https://jrsoftware.org/ishelp/index.php?topic=setup_signtool
sign.bat:
SignWithSignPath %1
(A separate script is needed only if the logic involves multiple commands. If it is a one-liner only, you can obviously use it directly in the /s command-line parameter or the SignTool directive).
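An added example, not part of the original answer: one way the sign tool wrapper could upload the file, wait for the signed copy, verify it, and replace the original in place so that Inno Setup picks up the signed uninstaller. It assumes the SignPath PowerShell module (`Submit-SigningRequest`; check the parameter names against your installed version) is available on the build agent; the file name `sign.ps1`, the slugs and the environment variable names are placeholders.

```powershell
# sign.ps1 - added example; Inno Setup calls the sign tool once per file to sign.
# Assumed call from sign.bat: powershell -NoProfile -File "%~dp0sign.ps1" %1
param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath
)

$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions

# Assumed names of CI secrets/variables; nothing sensitive is hard-coded.
$apiToken = $env:SIGNPATH_API_TOKEN
$orgId    = $env:SIGNPATH_ORGANIZATION_ID
if (-not $apiToken -or -not $orgId) {
    Write-Host 'SIGNPATH_API_TOKEN or SIGNPATH_ORGANIZATION_ID is not set'
    exit 1
}

$signed = "$FilePath.signed"
try {
    # Upload the file, wait for the signing request to finish, download the result.
    # Slugs below are placeholders for your own project and signing policy.
    Submit-SigningRequest `
        -InputArtifactPath $FilePath `
        -OutputArtifactPath $signed `
        -OrganizationId $orgId `
        -ApiToken $apiToken `
        -ProjectSlug 'my-project' `
        -SigningPolicySlug 'release-signing' `
        -WaitForCompletion

    # Check the downloaded file before it replaces the original.
    # A test-signing certificate that the agent does not trust will not
    # report 'Valid'; adjust this check for such policies.
    $sig = Get-AuthenticodeSignature -FilePath $signed
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${signed}: $($sig.Status)"
    }

    # Inno Setup expects the file it passed in to be signed in place.
    Move-Item -Path $signed -Destination $FilePath -Force
}
catch {
    Write-Host "Signing failed: $_"
    if (Test-Path $signed) { Remove-Item $signed -Force }
    exit 1   # non-zero exit code makes the ISCC build fail
}
exit 0
```

Because the script exits non-zero on any failure, a rejected or unverifiable signing request stops the build instead of shipping an unsigned uninstaller.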