Code signing certificate

159 views
Skip to first unread message

Robert van der Hulst

unread,
Sep 12, 2025, 2:26:57 AMSep 12
to innosetup
We are signing our exe and dll files and installer with a certificate.
Our certificate expires soon, and we want to replace it.
I noticed that recently these certificates are delivered in the form of a USB token.
That means that we have to sign on a physical machine and that we no longer can do that on a virtual machine in the cloud (for example in a GitHub action)
How are others doing this?
Or does anybody know where we can buy a "traditional" certificate?

Robert

Eivind Bakkestuen

unread,
Sep 12, 2025, 2:32:27 AMSep 12
to inno...@googlegroups.com
If someone sells "traditional" certificates, stay away.

I use Signotaur, put it on a server that you control, sign from anywhere:



--
You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/innosetup/a872f581-2729-4e2d-8948-a7403c2c12f6n%40googlegroups.com.

Martijn Laan

unread,
Sep 12, 2025, 2:53:57 AMSep 12
to inno...@googlegroups.com
Hi,

Traditional file-based certificates are no longer available. However, there is another option that may be more convenient than USB tokens: cloud signing.

We previously used Certum for cloud signing but would recommend against them. Despite having used Certum certificates for over 20 years, they suddenly revoked ours without proper explanation and showed complete incompetence in resolving the matter.

Greetings,

Martijn


Op vr 12 sep , Robert van der Hulst <rjvand...@gmail.com> schreef:
--

Gavin Lambert

unread,
Sep 12, 2025, 4:07:42 AMSep 12
to innosetup
On Friday, September 12, 2025 at 6:26:57 PM UTC+12 Robert van der Hulst wrote:
That means that we have to sign on a physical machine and that we no longer can do that on a virtual machine in the cloud (for example in a GitHub action)
How are others doing this?

Most CAs will still let you generate a certificate from a CSR, and you can generate a CSR from any HSM, including an on-prem one (if you're rich) or a cloud one; I use Azure Key Vault via AzureSignTool but I think they also have another system that works more directly with the normal signtool.  Your existing cloud vendor of choice probably has something similar.

Robert van der Hulst

unread,
Sep 16, 2025, 5:05:01 PM (10 days ago) Sep 16
to innosetup
Martijn,
I see that you are now using a Sectigo certificate.
Is that a certificate with a USB token, or do they also have a cloud service?

Robert

Martijn Laan

unread,
Sep 16, 2025, 5:20:14 PM (10 days ago) Sep 16
to innosetup
It's a USB token. They might have a cloud service as well, see for example https://sectigostore.com/blog/google-cloud-kms-for-code-signing/

After Certum abruptly and wrongfully revoked our earlier certificate, we had little time to investigate the alternative options.

Greetings,
Martijn

Op di 16 sep , Robert van der Hulst <robert.va...@visma.com> schreef:

jeff weir

unread,
Sep 19, 2025, 8:18:10 AM (7 days ago) Sep 19
to innosetup
I noticed that recently these certificates are delivered in the form of a USB token.
That means that we have to sign on a physical machine and that we no longer can do that on a virtual machine in the cloud (for example in a GitHub action)

You can't even Remote Desktop into that machine on your local network to run innosetup. You have to be sitting at the machine that has the USB token plugged into it.

jeff weir

unread,
Sep 19, 2025, 8:34:44 AM (7 days ago) Sep 19
to innosetup
I use Signotaur, put it on a server that you control, sign from anywhere:

That looks like a good solution. 

Daniel Berg

unread,
Sep 22, 2025, 10:25:20 AM (4 days ago) Sep 22
to innosetup
Another possibility is to attach the dongle physically to a server and sign using remote execute tools (RDP sessions do NOT 'see' the dongle, but remote executeion does). This way multiple users from a company could sign without the need to have the dongle attached to their own computer. We used this procedure for years successfully.

Best
Daniel

m. e.l.

unread,
Sep 23, 2025, 2:06:59 AM (3 days ago) Sep 23
to innosetup
"remote execute tool": which tool is that ? psexec from SysInternals ?

Mel

Daniel Berg

unread,
Sep 23, 2025, 9:14:02 AM (3 days ago) Sep 23
to innosetup
I didn't reply to all by accident, so here' my answer again:


Daniel

m. e.l.

unread,
Sep 23, 2025, 2:35:18 PM (3 days ago) Sep 23
to innosetup

Ok, thanks.

Daniel Berg

unread,
Sep 24, 2025, 2:51:27 AM (2 days ago) Sep 24
to innosetup
... and  to be a bit more specific: to call signing from within Inno Setup we installed Inno Setup on the server, attached the dongle to it and compiled our setups using the inno command line invoked by winrs from a workstation



m. e.l. schrieb am Dienstag, 23. September 2025 um 20:35:18 UTC+2:

Ok, thanks.
Reply all
Reply to author
Forward
0 new messages