How can I securely pass the certificate password to signtool.exe in Inno Setup?

Question

How can I securely pass the password to signtool.exe? Here's the code:

[Setup]
SignTool=mysigntool signtool.exe" sign /f <path_to_pfx_certificate> /p <certificate's_password> $f

I know there's a method like GetSHA1OfString, but here I need the opposite.

Answer 1

If you are asking how to encrypt the password, it does not make sense. An encryption needs a key (aka a password). So you end up with another password, which you again need to store somewhere in plain text. It's a kind of a chicken or the egg problem.

All you can do is to obfuscate the password.

---

Consider protecting the certificate by putting it into the Windows certificate store instead of a password-protected file. This is the same question you have, just for MSBuild: How do I securely store a .pfx password to use in MSBuild? The answer is pretty much generic. You just replace the MSBuild's %(SignFiles.Identity) with Inno Setup's $f in the signtool command line:

signtool.exe sign /sha1 <value> /t ... $f

---

Other related questions:

• How do I securely configure a CI server to digitally sign binaries?
• Automated Code Signing - Protecting the private key