How to Digitally Sign Installer and Uninstaller with Inno Setup

It is important to digitally sign not only the installer and uninstaller of your software, but also the .tmp file that the installer and uninstaller execute. Otherwise it may be blocked by OSArmor and other security programs that block the execution of unsigned processes.

Here is an example block log entry showing that the .tmp process is unsigned while its parent (setup.exe) is signed:

Process: [5592]C:\Users\Admin\AppData\Local\Temp\is-1OC5S.tmp\setup.tmp
Process Size: 3.07 MB (3,219,968 bytes)
Process MD5 Hash: 452C4FBAEE7EB77ECCE95F3ABAF626D0
Parent: [4736]C:\Users\Admin\AppData\Local\Temp\3z3o4yqz.oq0\setup.exe
Parent Process Size: 6.38 MB (6,686,952 bytes)
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: "C:\Users\Admin\AppData\Local\Temp\is-1OC5S.tmp\setup.tmp" /SL5="$30478,5800243,886784,C:\Users\Admin\AppData\Local\Temp\3z3o4yqz.oq0\setup.exe"
Signer: <NULL>
Parent Signer: Ascora GmbH

If you use Inno Setup to create the installer of your software, you can follow these steps to digitally sign the installer, the uninstaller (e.g. unins000.exe) and also the .tmp file executed by the installer and uninstaller during installation or uninstallation:

(Screenshot: Inno Setup GUI)

1) Open Inno Setup

2) Click on Tools -> Configure Sign Tools…

(Screenshot: Inno Setup Configure Sign Tool)

3) Click on Add and give the sign tool a name, for example: sha256

(Screenshot: Inno Setup Name of Sign Tool)

4) In the “Command of the Sign Tool” field, enter something like this:

cmd.exe /c cd "C:\Program Files (x86)\Windows Kits\8.1\bin\x64" &signtool.exe sign /sha1 YOURSHA1CODESIGNHASH /fd sha256 /tr TIMESTAMPURL /td sha256 /as /v $f

* Replace YOURSHA1CODESIGNHASH (the SHA1 thumbprint of your code signing certificate) and TIMESTAMPURL (your certificate authority's timestamp server) accordingly. $f is the placeholder that Inno Setup replaces with the path of the file to be signed, so leave it as it is.

5) Click on “OK” to save the settings

6) In the [Setup] section of the program's .iss script, add:

SignTool=sha256

7) Now compile the .iss file

It should prompt you twice for the password of the code signing USB token.

This way the .tmp setup file is digitally signed as well, not only the installer and uninstaller.
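As an added example that is not part of the original article, here is a minimal .iss script showing where the SignTool directive from step 6 lives and the related directives that control what gets signed. The sign tool named sha256 is assumed to have been configured in Tools -> Configure Sign Tools… as in steps 2 to 5; the application name, version, publisher and source file name are placeholders.

```iss
; Added example, not from the original article: a minimal Inno Setup script
; that uses the sign tool named "sha256" configured in the Inno Setup GUI
; (Tools -> Configure Sign Tools...). Application details below are assumed
; placeholder values; replace them for a real project.

[Setup]
AppName=Example App
AppVersion=1.0
AppPublisher=Example Publisher
DefaultDirName={pf}\Example App
DefaultGroupName=Example App
OutputDir=Output
OutputBaseFilename=ExampleAppSetup
; Name of the sign tool defined in the GUI. With this set, the compiler signs
; Setup.exe, the uninstaller (unins000.exe) and the setup image that runs as
; setup.tmp, so none of them shows up as an unsigned process.
SignTool=sha256
; Defaults to yes whenever SignTool is set; stated explicitly for clarity.
SignedUninstaller=yes
; Retry signing a few times if the USB token prompt or the timestamp server
; is slow to respond (the default is also 2).
SignToolRetryCount=2

[Files]
Source: "ExampleApp.exe"; DestDir: "{app}"; Flags: ignoreversion

[Icons]
Name: "{group}\Example App"; Filename: "{app}\ExampleApp.exe"
```

When building from the command line instead of the GUI, ISCC.exe accepts /S<name>=<command>, which defines the sign tool for that build with the same command string as step 4. After compiling, run signtool.exe verify /pa /v on the produced Output\ExampleAppSetup.exe to confirm that the signature and its certificate chain validate before distributing the installer.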