inno-setup code-signing signtool

Can I sign the Inno Setup installer after it is compiled instead of using SignTool directive?


I've had a lot of trouble getting Inno Setup's SignTool feature to work on our Windows install.

I'm thinking now of doing the code signing myself outside of Inno Setup.

If I manually code sign our exe before using Inno Setup to build the installer, and then manually code sign the resulting Setup.exe, does that give the same degree of code signing that using SignTool does?

Does SignTool sign the Setup.exe as well as whatever .exe we specify on the signtool screen?

Does SignTool also sign other internal .exe's that Inno Setup perhaps produces? (I ask this because I recall from years ago that there's a filename.tmp exe that gets run by the Setup.exe. Does SignTool do anything to that?)


Solution

  • I believe that the very reason Inno Setup has the SignTool directive at all is the fact that you cannot completely code sign the installer externally.

    The reason being that there are indeed two internal executable files generated during compilation:

    • an internal installer (the .tmp that you refer to), and
    • an uninstaller

    That is in addition to signing:

    • the installer itself (which you can indeed sign yourself after the installer is compiled) and
    • optionally any included binaries, if they have the sign or signonce flag (those you can indeed sign yourself before compiling the installer).

    So maybe you should actually ask a new question about your problem with the SignTool directive. It's not really difficult to set up.

    See also these questions to learn how to debug problems with SignTool:
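A minimal script using the SignTool directive discussed in the answer above, as an added example that is not part of the original answer. The sign tool name `mysign`, the application and file names, and the timestamp URL are placeholders chosen for illustration.

```iss
; Added example (not from the original post).
;
; The sign tool "mysign" is defined outside the script, either in the
; Inno Setup IDE under Tools > Configure Sign Tools, or on the compiler
; command line, for example:
;
;   ISCC.exe "/Smysign=signtool.exe sign /a /fd SHA256 /tr https://timestamp.example.invalid /td SHA256 $f" installer.iss
;
; $f is replaced by the quoted path of each file the compiler wants signed.
; The timestamp URL above is a placeholder; use your CA's timestamp server.

[Setup]
AppName=Example
AppVersion=1.0
DefaultDirName={autopf}\Example
OutputBaseFilename=Setup

; Tell the compiler which configured sign tool to call. Per the answer above,
; this is what covers the executables generated during compilation
; (the internal installer and the uninstaller) in addition to Setup.exe,
; which is the part an external post-build signing step cannot reach.
SignTool=mysign

; Set explicitly so the generated uninstaller is signed as well.
SignedUninstaller=yes

[Files]
; signonce: sign MyApp.exe with the same tool unless it already carries a
; signature. Use "sign" instead to always sign it during compilation.
Source: "MyApp.exe"; DestDir: "{app}"; Flags: signonce

; A binary that was already signed before compilation needs no flag.
Source: "Helper.exe"; DestDir: "{app}"
```

After building, `signtool verify /pa /v Setup.exe` checks the installer, and running the same command against the uninstaller in the installed application directory confirms that the generated uninstaller was signed too.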