
Use two keys so the prebuilt binaries don't have to be re-signed. Note that a full build doesn't yet work for ISCmplr.dll and ISPP.dll: it calls ISSigTool before signtool is called, which makes the .issig invalid. Need to figure out a clean way to fix this.

Martijn Laan 4 months ago
parent
commit
e63a37cb86
7 changed files with 38 additions and 24 deletions
  1. 18 6
      Components/TrustFunc.pas
  2. 3 3
      Files/isbzip.dll.issig
  3. 3 3
      Files/islzma.dll.issig
  4. 3 3
      Files/isscint.dll.issig
  5. 3 3
      Files/iszlib.dll.issig
  6. 2 5
      issig.bat
  7. 6 1
      setup.iss

+ 18 - 6
Components/TrustFunc.pas

@@ -25,17 +25,28 @@ begin
 {$IFNDEF TRUSTALL}
   if Result then begin
     try
-      const
-        AllowedPublicKeyText = '''
+      const AllowedPublicKey1Text = '''
+format issig-public-key
+key-id abcdef0ab475e78d6d8a259b08b1a1875d3381ea522eb6928defd15cf4d94808
+public-x acb1f30b47cab5a79e7964df28e52e893dc4d12fd2056811b20a73186576071e
+public-y 2edbc9a82bc94e1a54fe5812cba13e4b1384d46eb5fa0df52c7b80776be1bcb2
+
+''';
+      const AllowedPublicKey2Text = '''
 format issig-public-key
 key-id c2587f3885b12463bafdadb799f23435f26c03944c1afc1716aabc6a43f2426f
 public-x f9a30c72189077370a8846015ac3ec1e9a1cf425d2996d34dc25bd4f4923dd1b
 public-y f754897b7819da5bbbc5ac568311eee922fbea492578748e07f453dc1289c532
 
 ''';
-      const Key = TECDSAKey.Create;
+      var Key1: TECDSAKey := nil;
+      var Key2: TECDSAKey := nil;
       try
-        if ISSigImportKeyText(Key, AllowedPublicKeyText, False) <> ikrSuccess then
+        Key1 := TECDSAKey.Create;
+        if ISSigImportKeyText(Key1, AllowedPublicKey1Text, False) <> ikrSuccess then
+          raise Exception.Create('ISSigImportKeyText failed');
+        Key2 := TECDSAKey.Create;
+        if ISSigImportKeyText(Key2, AllowedPublicKey2Text, False) <> ikrSuccess then
           raise Exception.Create('ISSigImportKeyText failed');
 
         const SigFileName = FileName + '.issig';
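Review bot: The two embedded public keys have no comment saying what each one vouches for, and both import failures raise the identical text `'ISSigImportKeyText failed'`. Judging from the .issig changes in this same commit, `AllowedPublicKey1Text` (key-id abcdef0a…) looks like the key for the prebuilt DLLs, and `AllowedPublicKey2Text` is presumably the key behind ISSIGTOOL_KEY_FILE. I would state that above each constant, e.g. `// Key 1: signs the prebuilt binaries committed under Files`, and record how a key gets retired from this list. The enclosing function begins and ends outside this hunk.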
@@ -43,7 +54,7 @@ public-y f754897b7819da5bbbc5ac568311eee922fbea492578748e07f453dc1289c532
 
         var ExpectedFileSize: Int64;
         var ExpectedFileHash: TSHA256Digest;
-        if ISSigVerifySignatureText([Key], SigText, ExpectedFileSize,
+        if ISSigVerifySignatureText([Key1, Key2], SigText, ExpectedFileSize,
            ExpectedFileHash) <> vsrSuccess then
           raise Exception.CreateFmt('Signature file "%s" is not valid',
             [SigFileName]);
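Review bot: `ISSigVerifySignatureText([Key1, Key2], ...)` accepts a signature made with either key for any file name, so the trusted set becomes the union of both keys. A holder of either private key can then produce an .issig that passes for ISCmplr.dll as well as for the prebuilt DLLs. If each key is meant to vouch only for its own set of files, the key list passed here could be selected from the file being verified. Otherwise a comment such as `// Either key is accepted for every file; both private keys need the same protection` would make the trust decision explicit. The code that consumes ExpectedFileSize and ExpectedFileHash lies outside this hunk.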
@@ -60,7 +71,8 @@ public-y f754897b7819da5bbbc5ac568311eee922fbea492578748e07f453dc1289c532
           F.Free;
         end;
       finally
-        Key.Free;
+        Key2.Free;
+        Key1.Free;
       end;
     except
       Result := False;

+ 3 - 3
Files/isbzip.dll.issig

@@ -1,6 +1,6 @@
 format issig-v1
 file-size 39200
 file-hash 8072e83385afc4a84006271a87a11fc0a22b149cbd77322669ca56c470d28ced
-key-id c2587f3885b12463bafdadb799f23435f26c03944c1afc1716aabc6a43f2426f
-sig-r bca59deb05b13ed348a86c2f1a0a122ab7918d3ce9c1f334a0f7e847b2a7d00f
-sig-s 52b92c7186141b28966e68d27e8357bf478c9be3a4200d7622f8aff8789e1339
+key-id abcdef0ab475e78d6d8a259b08b1a1875d3381ea522eb6928defd15cf4d94808
+sig-r 17f616d7564a17b70ae32ca713c05128c63e3d6c03c26f28d259e348323590a3
+sig-s 7c53c7a8dda37c052fafc9208b160115f395e47a670f468fc1921c035df1ff9e

+ 3 - 3
Files/islzma.dll.issig

@@ -1,6 +1,6 @@
 format issig-v1
 file-size 135816
 file-hash b252471e95f0853902b15ae71a90574f9b168f8d4a0c474b20537511f90220a5
-key-id c2587f3885b12463bafdadb799f23435f26c03944c1afc1716aabc6a43f2426f
-sig-r 5fce3235693dde5e7859fba559f7ff2e63e782f7223cdadef3d2a66b67521a34
-sig-s 1799f357e4c8c8938478ccdd7f39695ee4ba31fdee7e70a3d7940e98b59efc9c
+key-id abcdef0ab475e78d6d8a259b08b1a1875d3381ea522eb6928defd15cf4d94808
+sig-r 4f31d30ec6ce54ad997303769bbd98fc38bb9df5f7b48a921bbf701f4b7882f4
+sig-s 540546f1459485b950cebda176af6e8acdbcb1a937b8dd5655fcacc1ea0b0a5c

+ 3 - 3
Files/isscint.dll.issig

@@ -1,6 +1,6 @@
 format issig-v1
 file-size 795776
 file-hash 5ae5dcd47ae9cd0929e0d6b2591e2ecc14cb8dfe4e04fb37a6cef5f1896edd11
-key-id c2587f3885b12463bafdadb799f23435f26c03944c1afc1716aabc6a43f2426f
-sig-r 1c8ae696220689a1654b55c92ebdd7df4ba760f47ff49b8e2e034da15a128745
-sig-s 80d16b8a32537de7fc31c7b24965c27934f949a2a06c5d0de5cfad4ea89b6248
+key-id abcdef0ab475e78d6d8a259b08b1a1875d3381ea522eb6928defd15cf4d94808
+sig-r 54e1968cdddd02a4134a0265447039a7c897b9f6b309593c7a6f6db20e173c47
+sig-s 988ada778f4e3af990f6d988be1251833a4e109238af95d278483993d18d47c5

+ 3 - 3
Files/iszlib.dll.issig

@@ -1,6 +1,6 @@
 format issig-v1
 file-size 34592
 file-hash 14c0d4a2a41572384f8309cdf03de5c6e7ed46bef64cce70d989b2665eff1a47
-key-id c2587f3885b12463bafdadb799f23435f26c03944c1afc1716aabc6a43f2426f
-sig-r dbf63b422c825ffcab7c75cb09d6043964fb1cd10f8943421e382eb1d14a9d8a
-sig-s 8d013d89014aab0345489f5844e29bc521d25c1209450951a134059d9fd8b8c4
+key-id abcdef0ab475e78d6d8a259b08b1a1875d3381ea522eb6928defd15cf4d94808
+sig-r 6f03f9e6177cd72cd780fb55f8623733508ab9da57e9d83c640e5728043b07ed
+sig-s 23fd76c26c085f17f8d0b3364d344771a8553759a07a0276a34ac2b455476a59

+ 2 - 5
issig.bat

@@ -5,14 +5,13 @@ rem  Copyright (C) 1997-2025 Jordan Russell
 rem  Portions by Martijn Laan
 rem  For conditions of distribution and use, see LICENSE.TXT.
 rem
-rem  Batch file to create .issig files required by Inno Setup (and delete any unwanted ones)
+rem  Batch file to create extra .issig files required by Inno Setup
 
 setlocal
 
 cd /d %~dp0
 
 if not "%ISSIGTOOL_KEY_FILE%"=="" goto keyfilefound
-:compilesettingserror
 echo ISSIGTOOL_KEY_FILE is missing or incomplete. It needs to be created
 echo with the following line, adjusted for your system:
 echo.
@@ -31,9 +30,7 @@ rem -------------------------------------------------------------------------
 
 cd Files
 if errorlevel 1 goto failed
-del *.issig
-if errorlevel 1 goto failed
-ISSigTool sign isbzip.dll ISCmplr.dll islzma.dll ISPP.dll isscint.dll iszlib.dll
+ISSigTool sign ISCmplr.dll ISPP.dll
 if errorlevel 1 goto failed
 cd ..
 if errorlevel 1 goto failed

+ 6 - 1
setup.iss

@@ -118,6 +118,7 @@ Source: "files\ISetup.chm"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\ISetup-dark.chm"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\Compil32.exe"; DestDir: "{app}"; Flags: ignoreversion signonce touch
 Source: "files\isscint.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
+Source: "files\isscint.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 #ifndef isccexe
   #define isccexe "ISCC.exe"
 #endif
@@ -126,6 +127,7 @@ Source: "files\{#isccexe}"; DestName: "ISCC.exe"; DestDir: "{app}"; Flags: ignor
   #define iscmplrdll "ISCmplr.dll"
 #endif
 Source: "files\{#iscmplrdll}"; DestName: "ISCmplr.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
+Source: "files\ISCmplr.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\Setup.e32"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\SetupLdr.e32"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\Default.isl"; DestDir: "{app}"; Flags: ignoreversion touch
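Review bot: The added `.issig` entry uses a fixed source name, while the DLL on the line above it is taken from `{#iscmplrdll}`, a define the build can override. If that define points at a differently named or differently built binary, the installer would still ship `files\ISCmplr.dll.issig`, which describes another file, and the installed DLL would presumably fail the signature check. Deriving the name from the same define keeps the pair together, e.g. `Source: "files\{#iscmplrdll}.issig"; DestName: "ISCmplr.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch`. The same applies to the `islzma.dll.issig` and `ISPP.dll.issig` lines in the later hunks, which sit beside `{#islzmadll}` and `{#isppdll}`.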
@@ -136,13 +138,16 @@ Source: "files\WizClassicImage-IS.bmp"; DestDir: "{app}"; Flags: ignoreversion t
 Source: "files\WizClassicSmallImage.bmp"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\WizClassicSmallImage-IS.bmp"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\iszlib.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
+Source: "files\iszlib.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\isunzlib.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
 Source: "files\isbzip.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
+Source: "files\isbzip.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\isbunzip.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
 #ifndef islzmadll
   #define islzmadll "islzma.dll"
 #endif
 Source: "files\{#islzmadll}"; DestName: "islzma.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
+Source: "files\islzma.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\islzma32.exe"; DestDir: "{app}"; Flags: ignoreversion signonce touch
 Source: "files\islzma64.exe"; DestDir: "{app}"; Flags: ignoreversion signonce touch
 Source: "whatsnew.htm"; DestDir: "{app}"; Flags: ignoreversion touch
@@ -190,8 +195,8 @@ Source: "Examples\MyDll\Delphi\MyDll.dpr"; DestDir: "{app}\Examples\MyDll\Delphi
   #define isppdll "ispp.dll"
 #endif
 Source: "files\{#isppdll}"; DestName: "ISPP.dll"; DestDir: "{app}"; Flags: ignoreversion signonce touch
+Source: "files\ISPP.dll.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 Source: "files\ISPPBuiltins.iss"; DestDir: "{app}"; Flags: ignoreversion touch
-Source: "files\*.issig"; DestDir: "{app}"; Flags: ignoreversion touch
 
 [INI]
 Filename: "{app}\isfaq.url"; Section: "InternetShortcut"; Key: "URL"; String: "https://jrsoftware.org/isfaq.php"