SignTool fails, can't find installer exe


Frank Filipanits

Jul 7, 2025, 11:51:07 PM
to innosetup
Trying to implement signing, with a properly formed SignTool configured in the compiler, using $f for the file to be signed (installer).

Signing fails because it can't find the file to be signed. The designated (custom) OutputDir/OutputBaseFilename exe is not created.

Here is the Inno Setup Compiler Output when SignTool is defined in the [Setup] section:

[...]
Compiling [Code] section
Creating setup files
   Compressing: C:\Users\frank\file1.txt
   Compressing: C:\Users\frank\file2.txt
   Compressing Setup program executable
   Updating version info (SETUP.EXE)
   Updating manifest (SETUP.EXE)
   Signing Setup program executable
   Running Sign Tool Azure: C:\"Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Users\frank\source\Microsoft.Trusted.Signing.Client.1.0.76\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Users\frank\source\Microsoft.Trusted.Signing.Client.1.0.76\metadata.json" "C:\Users\frank\My_Installer_Win\My_Installer_Win.exe"
   Sign Tool command failed (Failed to execute Sign Tool command.
Error 2: The system cannot find the file specified). 

If I turn off signing (comment out SignTool in the [Setup] section), the compilation succeeds, properly creating the OutputDir/OutputBaseFilename exe as expected:

[...]
Compiling [Code] section
Creating setup files
   Compressing: C:\Users\frank\file1.txt
   Compressing: C:\Users\frank\file2.txt
   Compressing Setup program executable
   Updating version info (SETUP.EXE)
   Updating manifest (SETUP.EXE)

If I then cut/paste the expanded signing command verbatim from the Compiler Output of the (failed) signing attempt above into a command line prompt, it succeeds with no errors.

Do I have something misconfigured? Is there anything further I can do to further troubleshoot or provide additional information? Being able to execute the expanded SignTool command would seem to indicate it is correctly configured.

Thank you,
-Frank

Gavin Lambert

Jul 8, 2025, 1:48:34 AM
to innosetup
On Tuesday, July 8, 2025 at 3:51:07 PM UTC+12 Frank Filipanits wrote:
> Trying to implement signing, with a properly formed SignTool configured in the compiler, using $f for the file to be signed (installer),

It may be helpful to post the exact value that you have for SignTool in your script as well as in the IDE settings / command line.

> Sign Tool command failed (Failed to execute Sign Tool command.
> Error 2: The system cannot find the file specified).

These sorts of errors usually either mean that there's something incorrect about how or where you're passing $f to the tool, or (if the printed command appears to work as expected when run later, so it seems to be a timing problem) it may be an issue with an antivirus or similar interfering with the compilation process.  Try setting your OutputDir elsewhere and/or adding it to your excluded folders.

Frank Filipanits

Jul 8, 2025, 10:16:38 AM
to innosetup
Thank you for your suggestions. The "Command of the Sign Tool" in the "configure Sign Tool" setting of the compiler is:
C:\$qProgram Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe$q sign /v /debug /fd SHA256 /tr $qhttp://timestamp.acs.microsoft.com$q /td SHA256 /dlib $qC:\Users\frank\source\Microsoft.Trusted.Signing.Client.1.0.76\bin\x64\Azure.CodeSigning.Dlib.dll$q /dmdf $qC:\Users\frank\source\Microsoft.Trusted.Signing.Client.1.0.76\metadata.json$q $f

I tried turning off antivirus measures: I'm running an up-to-date Windows 11 install with Microsoft Defender as the only anti-virus, and neither turning off "Real-Time Protection" nor adding the output folder (and/or enclosing folder) made any difference - still failed. There are also no events recorded in Defender's "Protection history".

Changing the output directory also made no difference.

Removing the custom OutputDir and OutputBaseFilename settings in [Setup] also made no difference - still failed.

In all of the above scenarios: compiling without signing then manually running the expanded command from the failed signing attempt works as expected.

Jernej Simončič

Jul 8, 2025, 1:25:43 PM
to Frank Filipanits on [innosetup]

On Tuesday, July 8, 2025, 16:16:37, Frank Filipanits wrote:


> C:\$qProgram

Why did you put $q after C:\?

 

-- 
< Jernej Simončič ><><><><>< https://eternallybored.org/ >


Every man has a scheme that will not work.
       -- Howe's Law

Frank Filipanits

Jul 8, 2025, 3:20:37 PM
to innosetup
FIXED!
Moving the $q before C:\ instead of after resolves the issue.

Putting it after C:\ was just a quirk of where quotes got placed to deal with the space in the path during construction of the original signing command and parameters outside of Inno Setup, and doesn't matter when executed in the command prompt. 
Both 
C:\"Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" [blah blah blah]
and
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" [blah blah blah]
execute exactly the same (successfully) on the command line.

HOWEVER - this DOES make a difference when it is executed from within the Inno Setup Compiler, with C:\" failing and "C:\ succeeding.

I consider this a bug as the expanded signing command output by the compiler itself works either way when directly entered in a Command Prompt.

However, I am grateful for the workaround.

Thank you for your assistance in resolving the issue.
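
The following is an added example, not code from any poster in this thread or from Inno Setup. It checks a Sign Tool command template for the quote placement discussed above, under the assumption (not confirmed in the thread) that the compiler launches the tool directly through Windows process creation rather than through cmd.exe; `module_candidates` is a simplified model of how the executable name is taken from a command line in that case, and the templates and target path are constructed.

```python
import re

# Constructed sample templates, modelled on the command posted in the thread
# (the long /dlib and /dmdf arguments are left out for brevity).
SIGNTOOL = r"Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"
BAD = "C:\\$q" + SIGNTOOL + "$q sign /v /fd SHA256 /td SHA256 $f"
GOOD = "$qC:\\" + SIGNTOOL + "$q sign /v /fd SHA256 /td SHA256 $f"


def expand(template, target):
    """Expand Sign Tool sequences: $q -> quote, $f -> quoted file, $$ -> $."""
    subst = {"$q": '"', "$f": '"%s"' % target, "$$": "$"}
    return re.sub(r"\$[qf$]", lambda m: subst[m.group(0)], template)


def module_candidates(cmdline):
    """Executable names tried when a command line is launched directly
    (assumed, simplified model: no shell, no separate application name)."""
    if cmdline.startswith('"'):
        # Leading quote: the name is everything up to the closing quote.
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end != -1 else cmdline[1:]]
    # Unquoted start: each whitespace-delimited prefix is tried in turn.
    return [cmdline[:m.start()] for m in re.finditer(r"\s|\Z", cmdline)]


def check(template, target=r"C:\out\setup.exe"):
    """Return a list of problems that would keep the tool from being found."""
    cands = module_candidates(expand(template, target))
    # A double quote can never be part of a Windows file name, so a candidate
    # containing one cannot exist on disk (consistent with "Error 2").
    if all('"' in c for c in cands):
        return [f"unresolvable: every candidate contains a quote, "
                f"first tried {cands[0]!r}"]
    return []


if __name__ == "__main__":
    for name, tpl in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check(tpl) or "ok")
```

A command prompt removes the quotes before it looks up the program, which is why the same expanded line runs there; under the assumption above, a direct launch only treats a quote as a delimiter when it is the first character of the command line.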