How to Digitally Sign Installer and Uninstaller with InnoSetup
It is important to digitally sign the installer and uninstaller of your software, but also the .tmp file executed by the installer and uninstaller. Else it may be blocked by OSArmor and other security programs that block the execution of unsigned processes.
If you use InnoSetup to create the installer of your software you can follow these steps to digitally sign the installer, uninstaller (i.e unins000.exe) and also the .tmp file executed by the installer and uninstaller during installation or uninstallation:
1) Open InnoSetup
2) Click on Tools -> Configure Sign Tools…
3) Click on Add and assign it a name like: sha256
4) On the “Command of the Sign Tool” use something like this:
cmd.exe /c cd "C:\Program Files (x86)\Windows Kits\8.1\bin\x64" &signtool.exe sign /sha1 YOURSHA1CODESIGNHASH /fd sha256 /tr TIMESTAMPURL /td sha256 /as /v $f* Replace YOURSHA1CODESIGNHASH and TIMESTAMPURL accordingly.
5) Click on “OK” to save the settings
6) On the program .iss setup file on [Setup] section add:
SignTool=sha2567) Now compile the .iss file
It should ask you two times the password for the code sign USB token.
So also the .tmp setup file will be digitally signed.
Other Interesting Posts
- Google Translate Used in Phishing Attack to Bypass Antispam Filters
- Not Just OneNote, Also Microsoft Publisher Maldocs can Deliver Malware
- Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT
- LMIGuardianSvc.exe (LogMeIn) Abused to Sideload Malicious DLL
- Windows Tool WerFault.exe Abused to Sideload Malicious DLL