Inno signing

[Andrew Truckle]

I know Inno has its own signing. And I know that using it won’t stop the unverified popup. 

But is it a suitable alternative to use instead. ? Certificates are expensive. So when mine expires I don’t think I can afford one anymore. So thought of using the built in approach. 

[Gavin Lambert]

On Monday, November 24, 2025 at 10:53:11 AM UTC+13 Andrew Truckle wrote:

I know Inno has its own signing. And I know that using it won’t stop the unverified popup. 

But is it a suitable alternative to use instead. ? Certificates are expensive. So when mine expires I don’t think I can afford one anymore. So thought of using the built in approach. 

As the doc states:

> Note: this utility does not replace Microsoft's signtool.exe in any way and is in fact not related to Authenticode Code Signing at all.

So no.  Having said that, there's nothing stopping you using signtool with a free self-signed cert or even setting up your own mini-CA to produce your own certificate to use for signing.

However, there's likely little point in actually doing this unless you're distributing bespoke or corporate software and you can convince the admins thereof to trust your root cert before installation, outside of the normal channels.  Anyone can make certificates -- the service that the public CAs are selling is that their certificates are already trusted.  If you use an untrusted certificate then it will still show up as "unknown publisher", very similar to a completely unsigned app.  I'm not sure if things like SmartScreen will consider an unknown certificate more or even less trustworthy than an unsigned file.

It is technically possible to install your certificate as trusted during your app's installation, but this requires unskippable user confirmation and will very likely get you labelled as malware or at least set off alarm bells -- and that doesn't help with the initial installation anyway.

Having said all the above: you could use Inno's built-in signing tools in a similar manner as Inno itself does: to verify authenticity of loadable plugin modules for your app.  But this will not protect the app itself; you still need something like Authenticode for that.  And if the files to be verified are all EXE/DLL files then it's much simpler to use Authenticode for verifying these as well.  The main feature of Inno's tools are to allow external signing of other file types.  But most kinds of apps would not particularly benefit from this.