问题
Is it possible in Inno Setup to sign the Uninstaller and Installer with sha1 and sha256 at the same time?
I know that it is possible to sign the Executable with both certs via command tool, but want to know if this is possible to achieve with SignTool in Inno.
回答1:
Autoanswer...
Yes, this is possible. As @Wosi suggested you can write a batch and then call it with $f parameter added.
Sample batch (signtool.bat):
@echo off
"PATH_TO_SIGNTOOL\signtool.exe" sign /v /du "COMPANY_NAME" /fd sha1 /t "http://timestamp.verisign.com/scripts/timstamp.dll" /f "sha1_cert.pfx" /p PASSWORD %1
set SIGN_RESULT_1=%ERRORLEVEL%
"PATH_TO_SIGNTOOL\signtool.exe" sign /as /v /du "COMPANY_NAME" /fd sha256 /tr "http://timestamp.comodoca.com/rfc3161" /td sha256 /f "sha256_cert.pfx" /p PASSWORD %1
set SIGN_RESULT_2=%ERRORLEVEL%
set /a RESULT=%SIGN_RESULT_1%+%SIGN_RESULT_2%
if %RESULT% NEQ 0 (
echo Warning! Signing failed with %SIGN_RESULT_1% for sh1 and %SIGN_RESULT_2% for sha256
pause
exit /B %RESULT%
)
echo Signing succeeded
exit /B 0
Then in Inno Setup you can call signtool.bat $f where $f will be passed to %1 for the batch.
For Windows XP compatibility for sha1: removed /as, /tr replaced with /t, removed /td (as it requires /tr)
I will leave it here as maybe someone could find it helpful.
回答2:
I'm using InnoSetup 5.5.9. I compile my script from the command line using ISCC. My setup script includes these two lines in the [Setup] section:
SignTool=sha1
SignTool=sha256
The ISCC command looks like:
ISCC "/ssha1=signtool.exe /f <cert.pfx> /p <certpwd> /fd SHA1 /t <timestamp.url> /v $f" "/ssha256=signtool.exe /f <cert.pfx> /p <certpwd> /fd SHA256 /tr <timestamp.url> /td SHA256 /as /v $f" setup.iss
Innosetup will sign the install and uninstall with both certs.
来源:https://stackoverflow.com/questions/32082347/is-it-possible-to-dual-sign-installer-and-uninstaller-with-sha1-and-sha256-certi