inno-setup code-signing

How to externally sign installer/uninstaller executables with Inno Setup


I create an OEM product for my customer. I need to sign the installer and uninstaller executables, as well as the .tmp executables created by Inno Setup at runtime, using my customer's certificate. Is it possible to generate these .exe and .tmp files in advance, provide them to my customer for code signing, and then package them into the final installer? Thanks!


Solution

  • You can always sign an installer externally after compiling it.


    Regarding an uninstaller (and the temporary self-copies of the installer):

    Do not set SignTool (which you won't be doing anyway, if you want to sign the installer externally), but set SignedUninstaller:

    [Setup]
    SignedUninstaller=yes
    

    Then the compiler will abort on the first run with:

    Creating new signed uninstaller file: C:\outputpath\uninst-x.x.x-xxxxxxxxxx.e32

    Error in C:\path\Example1.iss: Signed uninstaller mode is enabled. Using an external code-signing tool, please attach your digital signature to the following executable file: C:\outputpath\uninst-x.x.x-xxxxxxxxxx.e32

    You can now take this uninstaller, have it externally signed by your customer and put it back. Next time you compile, the compiler will pick up the signed uninstaller and use it:

    Using existing signed uninstaller file: C:\outputpath\uninst-x.x.x-xxxxxxxxxx.e32

    That will keep working, as long as the uninstaller does not change. That is typically until you bump the AppVersion or upgrade Inno Setup (for details, see the SignedUninstaller documentation, and also How do I keep Inno Setup 6 from creating new signed uninstallers?).
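
A build wrapper for the round trip described in the answer above, as an added example that is not part of the original answer or of Inno Setup: it refuses to compile while an uninstaller stub in the output folder is unsigned or signed by someone other than the expected customer, and otherwise runs the compiler and reports which stub to hand over. The ISCC.exe location, the paths (taken from the messages above) and the signer string are assumptions or placeholders.

```powershell
param(
    [string]$Iscc           = 'C:\Program Files (x86)\Inno Setup 6\ISCC.exe', # assumed install path
    [string]$Script         = 'C:\path\Example1.iss',
    [string]$OutputDir      = 'C:\outputpath',
    [string]$ExpectedSigner = 'Example Customer Ltd'   # placeholder certificate subject fragment
)

function Test-UninstallerSignature {
    param([string]$Path, [string]$Signer)
    # Check a temporary copy named .exe so the result does not depend on how the
    # .e32 extension is treated by the signature provider.
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.exe')
    Copy-Item -LiteralPath $Path -Destination $tmp
    try {
        $sig = Get-AuthenticodeSignature -LiteralPath $tmp
        # 'Valid' also requires the certificate chain to be trusted on this machine.
        return ($sig.Status -eq 'Valid') -and
               ($sig.SignerCertificate.Subject -like "*$Signer*")
    }
    finally {
        Remove-Item -LiteralPath $tmp -Force
    }
}

# 1. Any stub already present must carry the expected signature before it is packaged.
$stubs   = @(Get-ChildItem -Path $OutputDir -Filter 'uninst-*.e32' -ErrorAction SilentlyContinue)
$pending = @($stubs | Where-Object { -not (Test-UninstallerSignature $_.FullName $ExpectedSigner) })
if ($pending.Count -gt 0) {
    $pending | ForEach-Object { Write-Warning "Waiting for customer signature: $($_.FullName)" }
    exit 1
}

# 2. Compile. With SignedUninstaller=yes and no matching signed stub, the compiler
#    aborts after writing a new unsigned uninst-*.e32 into the output folder.
& $Iscc $Script
if ($LASTEXITCODE -ne 0) {
    $new = Get-ChildItem -Path $OutputDir -Filter 'uninst-*.e32' -ErrorAction SilentlyContinue |
        Where-Object { $stubs.FullName -notcontains $_.FullName }
    if ($new) {
        $new | ForEach-Object { Write-Host "Send for external signing: $($_.FullName)" }
    }
    exit $LASTEXITCODE
}
Write-Host 'Compile succeeded using the signed uninstaller; the installer itself still needs external signing.'
```

Run it once to produce the unsigned stub, put the customer-signed file back under the same name, and run it again.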