InnoSetup - Code Signing Certificate

Posted 2020-05-18 11:21

I have just purchased a code signing certificate from Comodo. I have built a small MS Access database that I want to deploy with Inno Setup Installer. The script runs fine but I am completely new to code signing.

How can I go about signing my installation file? Do I need an external software to sign the certificate or can I do it from within Inno Setup?

I have tried to search for answers to similar questions but none was able to show me what I need to get started, and how to go about it.

3 answers
劳资没心,怎么记你
#2 · 2020-05-18 11:39

Once you download and install signtool.exe from Microsoft, put the full path of the signtool.exe into the command of the sign tool if it is not added to the path variables at step three of the previous answer:

    D:\GUI\signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a $p

Fickle 薄情
#3 · 2020-05-18 11:45

What you do is quite simple, try and follow along

  1. Open Inno Setup and select Tools -> Configure Sign Tools [screenshot: The sign tool dialog]
  2. Click "Add.." and give it a name, let's call it MsSign as I am using signtool.exe from Microsoft, you should now have something like this [screenshot]
  3. You are then asked for the command line of the tool that you use for signing, as I am using signtool.exe I will use

    signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a $p

Note the $p at the end, Inno Setup needs this... You should now have this [screenshot], and note that I have added the path to signtool.exe in my path variables and that I am using DigiCert's time server to time-stamp my signature.

  4. In the script, you now add the following code to the setup segment

    SignTool=MsSign $f

This line tells the compiler to use code signing; it will use the variable I've called MsSign, and will sign the output generated by the setup.

It should look like this [screenshot]

When you look at the generated EXE you will see the digital signature [screenshot]

Now this works for me because I have prepared my signature store in such a way that the command line can get the signature, and I have only one code sign signature so I will not need to name it. Your parameters may be different than mine are, and that's okay as long as in the end, your setup works and your code gets signed.

Hope to have helped and remember you need that $p in the variable

小情绪 Triste *
#4 · 2020-05-18 11:46

To sign the executable (installer generated by Inno Setup) simply create a batch file (.bat) and put this content into it:

    "c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f Installer_Wizard_Code_Signing_Certificate.pfx /p password123 /t http://timestamp.verisign.com/scripts/timstamp.dll MySetupFile.exe

where

"c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" is path to Microsoft signing utility (part of Microsoft SDK)

Installer_Wizard_Code_Signing_Certificate.pfx is your certificate

password123 is password for your certificate

MySetupFile.exe is your setup file you want to sign

Put all files in one directory (certificate, setup to sign, and the batch file) and run the batch file. Signtool signs the file with certificate and checks the validity against official server.

(You can use http://timestamp.verisign.com/scripts/timstamp.dll server although you have Comodo certificate, it does not matter.)

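An added example, not part of any of the answers above: a PowerShell script that signs the installer with a certificate picked from the store by thumbprint (so no PFX password sits in a script), then verifies the signature and timestamp. The thumbprint and installer path are placeholders, signtool.exe is assumed to be on PATH, and the timestamp URL is the one used in the answers.

```powershell
# Added example (not from the original answers).
# Placeholders: $Thumbprint and $Installer must be replaced with your own values.
param(
    [string]$Installer  = '.\Output\MySetupFile.exe',     # constructed path
    [string]$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'  # not a real thumbprint
)
$ErrorActionPreference = 'Stop'

# Pre-flight: the certificate must be in the current user's store, be valid
# for code signing, have its private key present, and not be expired.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No code signing certificate with thumbprint $Thumbprint" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Sign: /sha1 selects the certificate by thumbprint (instead of /a auto-select
# or /f + /p with a password), /fd sets the file digest, /tr + /td request an
# RFC 3161 timestamp with a SHA-256 digest.
& signtool.exe sign /sha1 $Thumbprint /fd sha256 `
    /tr http://timestamp.digicert.com /td sha256 $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode verification policy (/pa), verbose.
& signtool.exe verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: status, signer identity, timestamp present.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
    throw 'File was signed with an unexpected certificate'
}
if (-not $sig.TimeStamperCertificate) {
    throw 'Signature carries no timestamp; it will stop validating when the certificate expires'
}
'{0} signed by [{1}], timestamped by [{2}]' -f $Installer,
    $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

The verification half also works on an installer that Inno Setup has already signed through its own SignTool setting, so it can run as a post-build check.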