How to Digitally Sign Installer and Uninstaller with Inno Setup

It is important to digitally sign the installer and uninstaller of your software, but also the .tmp file executed by the installer and uninstaller. Else it may be blocked by OSArmor and other security programs that block the execution of unsigned processes.

Here is an example showing the .tmp process is unsigned:

Process: [5592]C:\Users\Admin\AppData\Local\Temp\is-1OC5S.tmp\setup.tmp
Process Size: 3.07 MB (3,219,968 bytes)
Process MD5 Hash: 452C4FBAEE7EB77ECCE95F3ABAF626D0
Parent: [4736]C:\Users\Admin\AppData\Local\Temp\3z3o4yqz.oq0\setup.exe
Parent Process Size: 6.38 MB (6,686,952 bytes)
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: "C:\Users\Admin\AppData\Local\Temp\is-1OC5S.tmp\setup.tmp" /SL5="$30478,5800243,886784,C:\Users\Admin\AppData\Local\Temp\3z3o4yqz.oq0\setup.exe"
Signer: <NULL>
Parent Signer: Ascora GmbH

If you use Inno Setup to create the installer of your software you can follow these steps to digitally sign the installer, uninstaller (e.g unins000.exe) and also the .tmp file executed by the installer and uninstaller during the installation or uninstallation:

Inno Setup GUI

1) Open Inno Setup

2) Click on Tools -> Configure Sign Tools…

Inno Setup Configure Sign Tool

3) Click on Add and assign it a name like: sha256

Inno Setup Name of Sign Tool

4) On the “Command of the Sign Tool” use something like this:

cmd.exe /c cd "C:\Program Files (x86)\Windows Kits\8.1\bin\x64" &signtool.exe sign /sha1 YOURSHA1CODESIGNHASH /fd sha256 /tr TIMESTAMPURL /td sha256 /as /v $f


5) Click on “OK” to save the settings

6) On the program .iss setup file on [Setup] section add:


7) Now compile the .iss file

It should ask you two times the password for the code sign USB token.

So also the .tmp setup file will be digitally signed.