signtool fails with Inno Setup with exit code 0x1


Suddenly my Inno Setup compiler stopped working. Since the last time I used it, I just installed a new certificate issued still to the same company.

I've configured the sign tool in this way (NAME is the beginning of the string for the Subject in the certificate):

mysigntool="C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /v /a /s my /n NAME /t http://timestamp.verisign.com/scripts/timestamp.dll

And then in the Inno Setup .iss file I have:

SignTool=mysigntool
SignedUninstaller=yes

Signing always fails with exit code 0x1, even if I remove the /t and timestamp. Please note that if I run the same command from the command prompt, the signing works perfectly.

3

There are 3 answers

0
Miral On BEST ANSWER

You need to add $f to the end of your SignTool (in the IDE settings, not the script) in order to actually pass the name of the file to be signed. This is why you're getting the "missing filename" error.

See the examples in the Inno help file.

1
Martin Prikryl On

The first thing to try is, obviously, to run signtool.exe standalone to see what errors it outputs.

(I'm aware that you have tried that already).


If you cannot reproduce the problem this way, run the Inno Setup compiler from the command line. You will see signtool's output along with the compiler's other output.

If signtool fails when compiling from the Inno Setup GUI, its console just briefly flashes, so you have no chance to see its output.


Alternatively, you can wrap signtool.exe in a batch file and call the batch file from Inno Setup instead of signtool. At the end of the batch file, call pause if the signing fails. This way you can see the error even in the Inno Setup GUI.

The batch file may look like:

@echo off

c:\path\signtool.exe %*

set SIGN_RESULT=%ERRORLEVEL%

if %SIGN_RESULT% equ 0 (
  echo Signing succeeded
  exit /B 0
)

echo Signing failed with %SIGN_RESULT%
pause

exit /B %SIGN_RESULT%

See also Inno Setup - Signing fails with "Sign Tool failed with exit code 0x1".

0
claude On

In Windows 10 SDK and later you need to specify an fd parameter. For example:

signtool.exe sign /debug /fd SHA256 /f "C:\selfcert.pfx" /t http://timestamp.comodoca.com/authenticode /p mypassword1234! myfile.exe

From https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool:

The Windows 10 SDK, Windows 10 HLK, Windows 10 WDK and Windows 10 ADK builds 20236 and later require specifying the digest algorithm. The SignTool sign command requires the /fd file digest algorithm and the /td timestamp digest algorithm option to be specified during signing and timestamping, respectively. A warning (error code 0, initially) will be thrown if /fd is not specified during signing and if /td is not specified during timestamping. In later versions of SignTool, the warning will become an error. SHA256 is recommended and considered to be more secure than SHA1 by the industry.
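
The three answers combined into one wrapper, as an added example that is not code from any of the posters: it rejects a call without a file name (the missing $f case), signs with /fd SHA256, logs signtool's output to a file instead of a flashing console, and verifies the result. The file name sign-wrapper.cmd, the paths, the log location and the sign tool definition shown in the comments are assumptions.

```batch
@echo off
rem Added example, not from the answers above. Assumed sign tool definition
rem in the Inno Setup IDE:  mysigntool=C:\path\sign-wrapper.cmd $f
setlocal

rem Assumed paths; adjust to the local SDK and a writable log location.
set "SIGNTOOL=C:\path\signtool.exe"
set "LOG=%TEMP%\inno-sign.log"
rem Timestamp URL as used in the question.
set "TSURL=http://timestamp.verisign.com/scripts/timestamp.dll"

rem goto is used instead of ( ) blocks so that a path containing
rem parentheses, such as "Program Files (x86)", cannot break the script.
if "%~1"=="" goto :nofile
if not exist "%~1" goto :notfound

echo [%DATE% %TIME%] Signing "%~1" >> "%LOG%"
"%SIGNTOOL%" sign /v /a /s my /n NAME /fd SHA256 /t %TSURL% "%~1" >> "%LOG%" 2>&1
set SIGN_RESULT=%ERRORLEVEL%
if not "%SIGN_RESULT%"=="0" goto :failed

rem Confirm the result with the Authenticode verification policy.
"%SIGNTOOL%" verify /pa /v "%~1" >> "%LOG%" 2>&1
set SIGN_RESULT=%ERRORLEVEL%
if not "%SIGN_RESULT%"=="0" goto :failed

echo Signing and verification succeeded >> "%LOG%"
exit /B 0

:nofile
echo No file name received. Does the sign tool definition end with $f? >> "%LOG%"
exit /B 2

:notfound
echo File to sign not found: "%~1" >> "%LOG%"
exit /B 2

:failed
echo signtool failed with exit code %SIGN_RESULT%, see above >> "%LOG%"
exit /B %SIGN_RESULT%
```

Because the certificate selection options live in the wrapper, the only thing Inno Setup has to pass is the file name, and a non-zero exit code still makes the compiler stop.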