How can I create a signed uninstaller with InnoSetup (ISCC.exe) and DigiCert's smctl.exe?


I use smctl.exe to sign a desktop application on our build server. I execute iscc.exe with my *.iss file, including the /S parameter, like this:

/Dsigning=true /Dbuildworkingdir=${bamboo.build.working.directory} ${bamboo.build.working.directory}\150_Software\10_SW\InnoSetup\EPCSetup.iss "/Ssigntool=smctl.exe sign --keypair-alias key_XXXXXXXX --input $f"

This results in a properly signed "setup.exe".

This works as long as I have this line in my *.iss file:

SignedUninstaller=no

As soon as it is switched to SignedUninstaller=yes, the build fails.

Here is the corresponding excerpt from the Bamboo Log:

build   27-Sep-2023 08:09:20    Preparing Setup program executable
build   27-Sep-2023 08:09:20       Updating version info (SETUP.E32)
build   27-Sep-2023 08:09:21       Running Sign Tool signtool: C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe sign --keypair-alias key_XXXXXXXXX --input "D:\Atlassian\ApplicationData\Bamboo\local-working-dir\360449\CFN-DIG-JOB1\150_Software\10_SW\InnoSetup\Output\uninst.e32.tmp"
build   27-Sep-2023 08:09:24    There were no files found for signing
error   27-Sep-2023 08:09:24    Error in D:\Atlassian\ApplicationData\Bamboo\local-working-dir\360449\CFN-DIG-JOB1\150_Software\10_SW\InnoSetup\EPCSetup.iss: The Sign Tool command returned an exit code of 0, but the file does not have a digital signature.
error   27-Sep-2023 08:09:24    Compile aborted.

My investigations have shown that smctl.exe uses the Microsoft signtool.exe for signing. signtool.exe can only sign executable files.

Now I can't get any further. InnoSetup wants to sign "uninst.e32.tmp" but smctl.exe refuses. Is anyone aware of this problem? What can I do? And in addition: Why does InnoSetup try to sign a *.tmp file?

Any hints will be very much appreciated.


StayOnTarget (BEST ANSWER)

You can use the actual Microsoft signtool with DigiCert by getting the SHA1 thumbprint of your DigiCert certificate, and then using:

...\path\to\signtool.exe sign /sha1 <thumbprint> /tr http://timestamp.digicert.com /td sha256 /fd sha256 %1

where %1 stands for the file to sign.

You can use signtool assuming you've already run the DigiCert setup tool smksp_cert_sync.exe to download its metadata about the certificates they hold in store for you. This registers them in some standard way that signtool understands. Since you're using smctl I assume this is already being done.

I believe you can get the thumbprint by running (Start > Run) certmgr.msc to see a list of all certificates under "Current User \ Personal \ Certificates".

I used to use DigiCert signing for everything including Inno uninstaller stubs and this worked fine.

Martin Prikryl

The uninst.e32.tmp is an executable file, just with a .tmp extension.

Based on the error message, it looks like the smctl did not even attempt to sign the file. So the problem is not with the file itself, but possibly with its name (extension).

Renaming the file to .exe might resolve the problem. You can write a script (a simple batch file will do) that renames the file, signs it, and renames it back. And configure that script/batch as a sign tool in Inno Setup.

For some examples of such a batch file, see
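As an added illustration of the rename-sign-rename approach described in this answer (example code, not from the answer, Inno Setup or DigiCert), a batch wrapper that Inno Setup can call as its sign tool. The script path C:\build\sign-tmp.cmd and the key alias KEY_ALIAS_PLACEHOLDER are assumed placeholders; smctl.exe is assumed to be on PATH.

```batch
@echo off
setlocal
rem sign-tmp.cmd  -  wrapper registered as an Inno Setup sign tool.
rem In the .iss:  SignTool=signtool   and   SignedUninstaller=yes
rem On the ISCC command line:  "/Ssigntool=C:\build\sign-tmp.cmd $f"
rem Inno Setup substitutes $f with the quoted path of the file to sign.

set "target=%~1"
if "%target%"=="" (
    echo Usage: %~nx0 path\to\file
    exit /b 2
)
if not exist "%target%" (
    echo File not found: "%target%"
    exit /b 2
)

rem Inno Setup hands over the uninstaller stub as uninst.e32.tmp. A signing
rem tool that selects files by extension skips it, so give it a .exe name
rem for the duration of the signing call and restore the original name after.
set "renamed="
if /I "%~x1"==".tmp" (
    set "signpath=%target%.exe"
    ren "%target%" "%~nx1.exe"
    set "renamed=1"
) else (
    set "signpath=%target%"
)

rem KEY_ALIAS_PLACEHOLDER is an assumed placeholder for the real keypair alias.
smctl.exe sign --keypair-alias KEY_ALIAS_PLACEHOLDER --input "%signpath%"
set "rc=%errorlevel%"

rem Always restore the original name, even when signing failed, so the
rem compiler finds the file it expects and reports the real error.
if defined renamed ren "%signpath%" "%~nx1"

rem Propagate the signing tool's exit code. Inno Setup additionally checks
rem that the file carries a signature, so a silent skip is still caught.
exit /b %rc%
```

Point the [Setup] SignTool entry at the name chosen with /S and keep the existing smctl configuration for all other files; the rename only affects files that arrive with a .tmp extension.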