
Use a shortened version of the intro in whatsnew + some tweaks.

Martijn Laan, 4 months ago
parent
commit
9903e7e9cd
3 files changed, 41 additions and 36 deletions
  1. ISHelp/isetup.xml (+4 -6)
  2. README.md (+2 -2)
  3. whatsnew.htm (+35 -28)

+ 4 - 6
ISHelp/isetup.xml

@@ -3597,11 +3597,11 @@ Filename: "{win}\MYPROG.INI"; Section: "InstallSettings"; Key: "InstallPath"; St
 
 <p>Inno Setup includes an integrated signature-verification capability that can be used to detect corruption or tampering in files at compile time, before files are included in an installer being built, or during installation, before Setup copies external files onto a user's system.</p>
 
-<p>Signatures are created using the included <link topic="issigtool">Inno Setup Signature Tool</link> utility (<tt>issigtool</tt>) and are stored in separate files with an <tt>.issig</tt> extension. Because the signatures are stored in separate files — the original files are not touched — any type of file may be signed and verified.</p>
+<p>Signatures are created using the included <link topic="issigtool">Inno Setup Signature Tool</link> utility (<tt>ISSigTool.exe</tt>) and are stored in separate files with an <tt>.issig</tt> extension. Because the signatures are stored in separate files — the original files are not touched — any type of file may be signed and verified.</p>
 
 <p>Creation of <tt>.issig</tt> signatures does <i>not</i> require a certificate from a certificate authority. There is no cost involved.</p>
 
-<p>Note, however, that an <tt>.issig</tt> signature cannot be used to eliminate an "Unknown publisher" warning message shown by Windows when an installer or other EXE file is started. That requires a completely different kind of signature (Authenticode) embedded inside the EXE file by a different tool (Microsoft's <tt>signtool.exe</tt>), and it does require a (usually expensive) code-signing certificate from a certificate authority.</p>
+<p>Note, however, that an <tt>.issig</tt> signature cannot be used to eliminate an "Unknown publisher" warning message shown by Windows when an installer or other EXE file is started. That requires a completely different kind of signature (Authenticode) embedded inside the EXE file by a different tool (Microsoft's <tt>signtool.exe</tt>), and it does require a (usually expensive) code-signing certificate from a certificate authority. You can however use both <tt>signtool.exe</tt> and <tt>ISSigTool.exe</tt> on a single file, in that order. If you are looking for more information about <tt>signtool.exe</tt> see <link topic="setup_signtool">SignTool</link> instead.</p>
 
 <heading>Quick start: Verifying files at compile time</heading>
 
@@ -3723,9 +3723,7 @@ issigtool verify MyFile.txt
 <keyword value="ISSigTool" />
 <body>
 
-<p>Inno Setup includes a command-line tool, ISSigTool.exe. This tool is designed to sign files using ECDSA P-256 cryptographic signatures.</p>
-
-<p>Note: ISSigTool.exe does not replace Microsoft's signtool.exe in any way and is in fact not related to Authenticode Code Signing at all. If you are looking for more information about this topic see <link topic="setup_signtool">SignTool</link> instead.</p>
+<p>Inno Setup includes a command-line utility, <tt>ISSigTool.exe</tt>. This utility is designed to sign files using ECDSA P-256 cryptographic <link topic="issig">signatures</link>.</p>
 
 <p>Command line usage is as follows:</p>
 
@@ -5924,7 +5922,7 @@ ArchitecturesInstallIn64BitMode=x64compatible
 <setupdefault><tt>yes</tt> if a <link topic="setup_signtool">SignTool</link> is set, <tt>no</tt> otherwise</setupdefault>
 <body>
 <p>Specifies whether the uninstaller program (unins???.exe) should be deployed with a digital signature attached. When the uninstaller has a valid digital signature, users will not see an "unknown publisher" warning when launching it.</p>
-<p>The first time you compile a script with this directive set to <tt>yes</tt>, a uniquely-named copy of the uninstaller EXE file will be created in the directory specified by the <link topic="setup_signeduninstallerdir">SignedUninstallerDir</link> directive (which defaults to the <link topic="setup_outputdir">output directory</link>). Depending on the <link topic="setup_signtool">SignTool</link> setting, you will either then be prompted to attach a digital signature to this file using an external code-signing tool (such as Microsoft's signtool.exe) or the file will be automatically signed on the fly. On subsequent compiles, the signature from the file will be embedded into the compiled installations' uninstallers.</p>
+<p>The first time you compile a script with this directive set to <tt>yes</tt>, a uniquely-named copy of the uninstaller EXE file will be created in the directory specified by the <link topic="setup_signeduninstallerdir">SignedUninstallerDir</link> directive (which defaults to the <link topic="setup_outputdir">output directory</link>). Depending on the <link topic="setup_signtool">SignTool</link> setting, you will either then be prompted to attach a digital signature to this file using an external code-signing tool (such as Microsoft's <tt>signtool.exe</tt>) or the file will be automatically signed on the fly. On subsequent compiles, the signature from the file will be embedded into the compiled installations' uninstallers.</p>
 <p>Upgrading to a newer version of Inno Setup, or changing certain [Setup] section directives that affect the contents of the uninstaller EXE file (such as <link topic="setup_setupiconfile">SetupIconFile</link> and VersionInfo directives), will cause a new file to be created under a different name.</p>
 <p>If a file generated by this directive is deleted, it will be recreated automatically if necessary on the next compile.</p>
 <p>When the uninstaller has a digital signature, Setup will write the messages from the active language into a separate file (unins???.msg). It cannot embed the messages into the EXE file because doing so would invalidate the digital signature.</p>
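Review bot: the `<tt>` markup now added around signtool.exe is not applied to the other literal filenames in the same paragraphs (unins???.exe in the first paragraph and unins???.msg in the last); for consistency wrap those too, or leave all of them plain.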

+ 2 - 2
README.md

@@ -137,9 +137,9 @@ performs all (un)installation-related tasks.
 Setup program into the user's TEMP directory and runs it from there. It also
 displays the "This will install..." and /HELP message boxes.
 
-**ISSigTool** - This is a command-line tool which can be used to sign and verify
+**ISSigTool** - This is a command-line utility which can be used to sign and verify
 any file. Compil32, ISCC, and ISCmplr use these signatures to verify the
-authenticity of a number of DLL files before loading them. Note: this tool does
+authenticity of a number of DLL files before loading them. Note: this utility does
 not replace Microsoft's signtool.exe in any way and is in fact not related to
 Authenticode Code Signing at all.
 
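Review bot: wording change only ("tool" to "utility"), matching the isetup.xml hunk. The README keeps the "not related to Authenticode Code Signing" note that the help topic dropped, which is appropriate since README readers have no help link to follow; no change requested.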

+ 35 - 28
whatsnew.htm

@@ -30,41 +30,48 @@ For conditions of distribution and use, see <a href="files/is/license.txt">LICEN
 <p><b>Want to be notified by e-mail of new Inno Setup releases?</b> <a href="ismail.php">Subscribe</a> to the Inno Setup Mailing List!</p>
 
 <p><a name="6.5.0"></a><span class="ver">6.5.0-dev </span><span class="date">(?)</span></p>
-<span class="head2">Introducing Inno Setup Signature Tool</span>
-<p>A new <tt>[ISSigKeys]</tt> section was added:</p>
+<p>Inno Setup now includes an integrated signature-verification capability that can be used to detect corruption or tampering in files at compile time, before files are included in an installer being built, or during installation, before Setup copies external files onto a user's system.</p>
+<p>Any type of file may be signed and verified and creation of signatures does <i>not</i> require a certificate from a certificate authority. There is no cost involved.</p>
+<p>Note, however, that these signatures cannot be used to eliminate an "Unknown publisher" warning message shown by Windows when an installer or other EXE file is started. That requires a completely different kind of signature (Authenticode) embedded inside the EXE file by a different tool (Microsoft's <tt>signtool.exe</tt>), and it does require a (usually expensive) code-signing certificate from a certificate authority.</p>
+<p>A more detailed summary:</p>
 <ul>
-  <li>Added a new optional <tt>[ISSigKeys]</tt> section for defining keys used by the compiler and Setup to verify file signatures.</li>
-  <li>Supports parameters <tt>Name</tt> (required) and <tt>Group</tt> to identify keys, parameters <tt>KeyFile</tt>, <tt>PublicX</tt>, and <tt>PublicY</tt> to specify the key values, and parameter <tt>KeyID</tt> to double-check the key values.</li>
-  <li>Key files are human-readable and can be created using Inno Setup Signature Tool (see below).</li>
-  <li>Example section:
-    <pre>
-...</pre>
+  <li>New <tt>[ISSigKeys]</tt> section:
+  <ul>
+    <li>Added a new optional <tt>[ISSigKeys]</tt> section for defining keys used by the compiler and Setup to verify file signatures.</li>
+    <li>Supports parameters <tt>Name</tt> (required) and <tt>Group</tt> to identify keys, parameters <tt>KeyFile</tt>, <tt>PublicX</tt>, and <tt>PublicY</tt> to specify the key values, and parameter <tt>KeyID</tt> to double-check the key values.</li>
+    <li>Key files are human-readable and can be created using Inno Setup Signature Tool (see below).</li>
+    <li>Example section:
+      <pre>
+  ...</pre>
+    </li>
+  </ul>
   </li>
+  <li>Extended <tt>[Files]</tt> section:
+  <ul>
+    <li>Added a new <tt>issigverify</tt> flag for enforcing cryptographic signature verification of source files using a key from the <tt>[ISSigKeys]</tt> section, enhancing security during both compilation and installation.</li>
+    <li>When used without the <tt>external</tt> flag, verification is performed during compilation, aborting if it fails. When used with the <tt>external</tt> flag, verification occurs during installation, ensuring the integrity of files as they are copied.</li>
+    <li>Requires an <tt>.issig</tt> signature file to be present in the same directory as the source file. Signature files are human-readable files and can be created using the Inno Setup Signature Tool.</li>
+    <li>Has little performance impact since verification occurs while source files are being compressed/copied; the only extra I/O comes from reading the tiny <tt>.issig</tt> files. This approach also ensures there is no Time-Of-Check to Time-Of-Use (TOCTOU) problem.</li>
+    <li>Can be used to verify downloaded files, offering flexibility over SHA-256 checks as script changes aren't needed for file updates. See the updated <i>CodeDownloadFiles.iss</i> example script for an example.</li>
+    <li>Added a new and optional <tt>ISSigAllowedKeys</tt> parameter to restrict which keys or groups of keys from the <tt>[ISSigKeys]</tt> section are permitted for signature verification using the <tt>issigverify</tt> flag.</li>
+    <li>Note: The <tt>issigverify</tt> flag cannot be combined with the <tt>sign</tt> or <tt>signonce</tt> flags. Use <tt>signcheck</tt> instead.</li>
+    <li>Example section:
+      <pre>
+  ...</pre>
+    </li>
   </ul>
-<p>Changes to <tt>[Files]</tt> section to make use of the new section for verification of files:</p>
-<ul>
-  <li>Added a new <tt>issigverify</tt> flag for enforcing cryptographic signature verification of source files using a key from the <tt>[ISSigKeys]</tt> section, enhancing security during both compilation and installation.</li>
-  <li>When used without the <tt>external</tt> flag, verification is performed during compilation, aborting if it fails. When used with the <tt>external</tt> flag, verification occurs during installation, ensuring the integrity of files as they are copied.</li>
-  <li>Requires an <tt>.issig</tt> signature file to be present in the same directory as the source file. Signature files are human-readable files and can be created using the Inno Setup Signature Tool.</li>
-  <li>Has little performance impact since verification occurs while source files are being compressed/copied; the only extra I/O comes from reading the tiny <tt>.issig</tt> files. This approach also ensures there is no Time-Of-Check to Time-Of-Use (TOCTOU) problem.</li>
-  <li>Can be used to verify downloaded files, offering flexibility over SHA-256 checks as script changes aren't needed for file updates. See the updated <i>CodeDownloadFiles.iss</i> example script for an example.</li>
-  <li>Added a new and optional <tt>ISSigAllowedKeys</tt> parameter to restrict which keys or groups of keys from the <tt>[ISSigKeys]</tt> section are permitted for signature verification using the <tt>issigverify</tt> flag.</li>
-  <li>Note: The <tt>issigverify</tt> flag cannot be combined with the <tt>sign</tt> or <tt>signonce</tt> flags. Use <tt>signcheck</tt> instead.</li>
-  <li>Example section:
-    <pre>
-...</pre>
   </li>
-</ul>
-<p>Inno Setup Signature Tool was added to create signatures:</p>
-<ul>
-  <li>Added ISSigTool.exe, a new command-line tool designed to sign files using ECDSA P-256 cryptographic signatures.</li>
-  <li>Offers commands to sign and verify files, to export public keys and to generate private keys.</li>
-  <li>Note: ISSigTool.exe does not replace Microsoft's signtool.exe in any way and is in fact not related to Authenticode Code Signing at all.</li>
-  <li>Example commands:
-    <pre>issigtool --key-file=MyKey.isprivatekey generate-private-key
+  <li>New Inno Setup Signature Tool:</li>
+  <ul>
+    <li>Added ISSigTool.exe, a new command-line utility designed to sign files using ECDSA P-256 cryptographic signatures.</li>
+    <li>Offers commands to sign and verify files, to export public keys and to generate private keys.</li>
+    <li>Example commands:
+      <pre>issigtool --key-file=MyKey.isprivatekey generate-private-key
 issigtool --key-file=MyKey.isprivatekey sign MyProg.dll
 issigtool --key-file=MyKey.isprivatekey export-public-key MyKey.ispublickey
 issigtool --key-file=MyKey.ispublickey verify MyProg.dll</pre>
+    </li>
+  </ul>
   </li>
 </ul>
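Review bot: the third item's markup is malformed: `<li>New Inno Setup Signature Tool:</li>` closes the list item before its nested `<ul>`, so that `<ul>` becomes a direct child of the outer `<ul>` (invalid HTML, and browsers will render it differently from the two sibling items), and the `</li>` two lines after the nested `</ul>` then has no matching open tag. Make it match the `[ISSigKeys]` and `[Files]` items: `<li>New Inno Setup Signature Tool:` with no closing tag, the nested `<ul>...</ul>`, then `</li>`. Also, the "Example section:" `<pre>` blocks for `[ISSigKeys]` and `[Files]` still contain the `...` placeholder; fill them in (or drop those two items) before the 6.5.0 notes ship, since the `[Files]` example is where readers would see `issigverify` and `ISSigAllowedKeys` used together.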