Verifying Inno Setup Downloads

Our Inno Setup installers (for example innosetup-7.0.1-beta-x64.exe) are signed using three independent methods. Certain files they install are also signed using one or more of these methods. This page explains each of the three methods and how to verify the integrity and authenticity of these files yourself.

Authenticode

Authenticode is Microsoft's code signing technology, and is the signature verification method built into Windows.

To check the Authenticode signature of one of our executable files, right-click it and select Properties, then open the Digital Signatures tab. A signature with publisher name "Pyrsys B.V." should be displayed. Select it and click "Details" to view the signature information: it should say the signature is valid.

This publisher name should also be displayed when you run the installer and choose to install for all users. However, you should check the info mentioned above before running the installer.

Before version 6.4.2, the publisher name was "Open Source Developer, Martijn Laan".

GitHub Release Attestations

GitHub Release Attestations is the signature verification method that can be used for files that are part of an immutable GitHub release, such as our installers and ISSigTool.exe.

To check the release attestation of one of these release files, you can use GitHub CLI (gh.exe).

The verification command is:

    gh release verify-asset <filename> --repo jrsoftware/issrc

To verify for example innosetup-7.0.1-beta-x64.exe the command is:

    gh release verify-asset innosetup-7.0.1-beta-x64.exe --repo jrsoftware/issrc

To verify any ISSigTool.exe the command is:

    gh release verify-asset ISSigTool.exe --repo jrsoftware/issrc

Other files such as our .dll, .e32, and .e64 files cannot be verified with this method.

As a simpler check, you can also compare the SHA-256 hash of a file against the asset hash shown on the GitHub release page. This is not a replacement for full verification, but can detect corrupted or tampered files.

Inno Setup Signature Tool

Inno Setup Signature Tool, or "ISSigTool", is the signature verification method built into Inno Setup.

To check the ISSigTool signature of one of our signed files, you can use our ISSigTool.exe utility. You can download ISSigTool.exe from jrsoftware.org and from GitHub, see the links below. You can also get ISSigTool.exe by installing Inno Setup 6.5.0 or newer. To verify it, you can use one of the other two methods.

The verification command is:

    issigtool --key-file=<key-file-filename> verify <filenames>

This command requires matching .issig files to be present as well, which are the signature files. For example to verify innosetup-7.0.1-beta-x64.exe you need to place innosetup-7.0.1-beta-x64.exe.issig next to it before running ISSigTool.exe.

We use two separate key files:
* = All files which are loaded or used at compile-time or at run-time by one of our executable files.

Each .issig file shows which key applies, but you could simply try both commands and if either succeeds for a given file, then that file is verified.

To verify for example innosetup-7.0.1-beta-x64.exe the command is:

    issigtool --key-file=def02.ispublickey verify innosetup-7.0.1-beta-x64.exe

Links:

ISSigTool uses standard ECDSA-P256, and you can build your own tool to do the verification as well. See ISSigFunc.pas and ECDSA.pas on GitHub for our reference implementation.

As a simpler check, you can also compare the SHA-256 hash of a file against the hash stored in the corresponding .issig file, which is in plain text. This is not a replacement for full verification, but can detect corrupted or tampered files.

Copyright © 1997-2026 Jordan Russell. All rights reserved.
Portions Copyright © 2000-2026 Martijn Laan. All rights reserved.
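
The Authenticode check and the GitHub asset-hash comparison described on this page, scripted in PowerShell so they can run before an installer is launched or inside a build pipeline. This is an added example, not part of the original page or of Inno Setup: the function name Test-InnoSetupDownload and its parameters are hypothetical, and it assumes the signing certificate's subject name equals the publisher name shown in the Digital Signatures tab.

```powershell
# Added example: scripted Authenticode + SHA-256 check for a downloaded installer.
# Test-InnoSetupDownload and its parameter names are hypothetical, not an Inno Setup tool.
function Test-InnoSetupDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Asset hash copied from the GitHub release page, with or without "sha256:".
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Publisher name the page says to expect (assumed to be the certificate's subject name).
        [string] $Publisher = 'Pyrsys B.V.'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Normalise the pasted hash and reject anything that is not 64 hex digits,
    # so a truncated copy/paste cannot be mistaken for a match.
    $expected = ($ExpectedSha256.Trim() -replace '^sha256:', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'ExpectedSha256 is not a 64-digit hex SHA-256 value.'
    }
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Authenticode: the signature must validate AND name the expected publisher.
    # A valid signature from some other publisher still counts as a failure.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    $hashOk = $actual -eq $expected   # Get-FileHash returns upper-case hex
    $sigOk  = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    $pubOk  = $signer -ceq $Publisher

    [pscustomobject]@{
        File            = $file.Name
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $signer
        PublisherOk     = $pubOk
        Verified        = $hashOk -and $sigOk -and $pubOk
    }
}

# Usage: the all-zero hash is a constructed placeholder; paste the real asset hash instead.
$r = Test-InnoSetupDownload -Path .\innosetup-7.0.1-beta-x64.exe -ExpectedSha256 ('sha256:' + '0' * 64)
$r | Format-List
```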