Inno Setup includes an integrated signature-verification capability that can be used to detect corruption or tampering in your files at compile time, before files are included in an installer being built, or during installation, before Setup copies external files onto a user's system.
Signatures are created using the included Inno Setup Signature Tool utility (ISSigTool.exe) and are stored in separate files with an .issig extension. Because the signatures are stored in separate files — the original files are not touched — any type of file may be signed and verified.
Creation of .issig signatures does not require a certificate from a certificate authority. There is no cost involved.
Note, however, that an .issig signature cannot be used to eliminate an "Unknown publisher" warning message shown by Windows when an installer or other EXE file is started. That requires a completely different kind of signature (Authenticode) embedded inside the EXE file by a different tool (Microsoft's signtool.exe), and it does require a (usually expensive) code-signing certificate from a certificate authority. You can however use both signtool.exe and ISSigTool.exe on a single file, in that order. If you are looking for more information about signtool.exe see SignTool instead.
For the issigtool commands below, prepend the path of your Inno Setup installation and enclose it in quotes. For example: "%ProgramFiles(x86)%\Inno Setup 6\issigtool"
At the command line, generate a new private key file that will be used for signing:
issigtool --key-file="MyKey.isprivatekey" generate-private-key
A file named MyKey.isprivatekey will be created in the current directory. You may include a pathname if you wish.
The file should not be shared with others, and should never be committed into a public repository. To reduce the risk of accidental disclosure, it is best to keep the file outside of your source tree.
Create the file we want to sign, then create the signature:
echo Hello > MyFile.txt
issigtool --key-file="MyKey.isprivatekey" sign "MyFile.txt"
A signature file named MyFile.txt.issig is created.
Inside your Inno Setup script, add an [ISSigKeys] section entry linking to your key file, and a [Files] section entry for MyFile.txt that includes the issigverify flag:
[ISSigKeys]
Name: MyKey; KeyFile: "MyKey.isprivatekey"

[Files]
Source: "MyFile.txt"; DestDir: "{app}"; Flags: issigverify
Note: Specifying a public key file instead is preferred; see the Tips & Recommendations section below.
Compile the script. In the compiler output, you should see a line indicating the file was successfully verified:
Compressing: MyFile.txt Verification successful.
Now let's confirm that the compiler actually does catch corruption or tampering within the file.
Make a modification to MyFile.txt — for example, add or change a character.
Compile the script again. This time, you should get an error like the following:
Signature is not valid for source file "MyFile.txt": file hash incorrect.
The procedure for setting up verification of external files is essentially the same as the procedure shown above for compile-time verification, except:
The [Files] section entry would include a path in the Source parameter, and include the external flag:
[Files]
Source: "{src}\MyFile.txt"; DestDir: "{app}"; Flags: external issigverify
The signature file — MyFile.txt.issig in this example — must exist in the same directory as the Source file during the installation process. (No compile-time verification occurs on external files.)
Although an [ISSigKeys] section entry's KeyFile parameter can point to a private key file as demonstrated above, it is recommended that a public key file be specified instead whenever possible. Unlike a private key file, a public key file does not have to be kept secret, and can be safely committed into a version control repository.
To create a public key file (MyKey.ispublickey) from an existing private key file (MyKey.isprivatekey), run this command:
issigtool --key-file="MyKey.isprivatekey" export-public-key "MyKey.ispublickey"
Alternatively, the public key values may be specified directly inside your script by using the PublicX and PublicY parameters instead of KeyFile.
To avoid having to repeat the same --key-file= parameter on every issigtool command invocation, you may instead set the ISSIGTOOL_KEY_FILE environment variable to the path of your key file.
In cmd.exe or a batch file:
set ISSIGTOOL_KEY_FILE=MyKey.isprivatekey
In PowerShell:
$env:ISSIGTOOL_KEY_FILE = "MyKey.isprivatekey"
The above variable assignments are non-persistent; they only affect the current cmd.exe or PowerShell session.
Afterward, you may simply run:
issigtool sign "MyFile.txt"
issigtool verify "MyFile.txt"
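The whole workflow described on this page (generate a private key kept outside the source tree, export the public key the script refers to, sign and verify each issigverify file via ISSIGTOOL_KEY_FILE, then compile) as one PowerShell build step. This is an added example, not code shipped with Inno Setup; it assumes a default Inno Setup 6 install, that the script MySetup.iss points its [ISSigKeys] KeyFile at MyKey.ispublickey, that ISCC.exe (the Inno Setup command-line compiler, not covered on this page) is used to compile, and that issigtool returns a non-zero exit code when a command fails.

```powershell
# Added example (not part of the Inno Setup documentation).
$ErrorActionPreference = 'Stop'
$InnoDir   = "${env:ProgramFiles(x86)}\Inno Setup 6"
$IsSigTool = Join-Path $InnoDir 'issigtool.exe'
$Iscc      = Join-Path $InnoDir 'ISCC.exe'      # assumed compiler path

# Private key deliberately outside the source tree (assumed location);
# the exported public key lives next to the script and may be committed.
$KeyFile   = Join-Path $env:USERPROFILE 'keys\MyKey.isprivatekey'
$PublicKey = 'MyKey.ispublickey'
$FilesToSign = @('MyFile.txt')   # every file that carries the issigverify flag

if (-not (Test-Path $KeyFile)) {
    New-Item -ItemType Directory -Force (Split-Path $KeyFile) | Out-Null
    & $IsSigTool --key-file="$KeyFile" generate-private-key
    if ($LASTEXITCODE -ne 0) { throw 'generate-private-key failed' }
}

# Export the public key referenced by [ISSigKeys] KeyFile in MySetup.iss.
& $IsSigTool --key-file="$KeyFile" export-public-key "$PublicKey"
if ($LASTEXITCODE -ne 0) { throw 'export-public-key failed' }

# Let the remaining issigtool calls find the key without --key-file=.
# This assignment only affects the current PowerShell session.
$env:ISSIGTOOL_KEY_FILE = $KeyFile

foreach ($f in $FilesToSign) {
    & $IsSigTool sign "$f"              # writes $f.issig next to $f
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $f" }
    # Check the fresh signature before handing the files to the compiler;
    # a tampered file fails here with "file hash incorrect".
    & $IsSigTool verify "$f"
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $f" }
}

# The compiler re-verifies each issigverify file against the public key
# and aborts the build on any mismatch.
& $Iscc 'MySetup.iss'
if ($LASTEXITCODE -ne 0) { throw 'compile failed; see compiler output for signature errors' }
```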