Simplify part of the embed mechanism for the second key. Also use .txt extension for easy linking to it, like from the website.

This would be the link to use to show the key for the main download:
https://jrsoftware.github.io/issrc/def02.ispublickey.txt

build-ce.bat

@@ -40,7 +40,7 @@ if not exist files\issigtool.exe (
 
 rem  Verify precompiled binaries which are used during compilation
 rem  Note: Other precompiled binaries are verified by Setup.iss
-call .\issig.bat verify --key-file=def01.ispublickey ^
+call .\issig.bat verify --key-file=def01.ispublickey.txt ^
   Projects\Src\Setup.HelperEXEs.res ^
   Projects\Src\Compression.LZMADecompressor\Lzma2Decode\ISLzmaDec.obj ^
   Projects\Src\Compression.LZMA1SmallDecompressor\LzmaDecode\LzmaDecodeInno.obj ^

build.bat

@@ -57,7 +57,7 @@ if not exist files\issigtool.exe (
 
 rem  Verify precompiled binaries which are used during compilation
 rem  Note: Other precompiled binaries are verified by Setup.iss
-call .\issig.bat verify --key-file=def01.ispublickey ^
+call .\issig.bat verify --key-file=def01.ispublickey.txt ^
   Projects\Src\Setup.HelperEXEs.res ^
   Projects\Src\Compression.LZMADecompressor\Lzma2Decode\ISLzmaDec.obj ^
   Projects\Src\Compression.LZMA1SmallDecompressor\LzmaDecode\LzmaDecodeInno.obj ^

def02.ispublickey.txt

@@ -0,0 +1,4 @@
+format issig-public-key
+key-id def020edee3c4835fd54d85eff8b66d4d899b22a777353ca4a114b652e5e7a28
+public-x 515dc7d6c16d4a46272ceb3d158c5630a96466ab4d948e72c2029d737c823097
+public-y f3c21f6b5156c52a35f6f28016ee3e31a3ded60c325b81fb7b1f88c221081a61

issig.bat

@@ -48,7 +48,7 @@ if "%1"=="verify" goto signorverify
 if not "%1"=="" goto failed
 
 :embed
-set publickeyfile=_temp.ispublickey
+set publickeyfile=def02.ispublickey.txt
 Files\ISSigTool.exe export-public-key "%publickeyfile%"
 if errorlevel 1 goto failed
 if not exist "%publickeyfile%" goto failed
@@ -56,12 +56,6 @@ set targetfile=Components\TrustFunc.AllowedPublicKeys.inc
 if not exist "%targetfile%" goto failed
 powershell.exe -NoProfile -Command "$filePath = '%targetfile%'; $replacementFilePath = '%publickeyfile%'; $startMarker = 'AllowedPublicKey2Text :='; $endMarker = ';'; try { $content = Get-Content -Raw -Path $filePath; $replacementText = Get-Content -Raw -Path $replacementFilePath; $replacementText = $replacementText -replace \"`r`n\", \"' + #13#10 +`r`n'\"; $replacementText = \"'\" + $replacementText + \"'\"; $replacementText = $replacementText -replace \" \+`r`n''\", \"\"; [string] $pattern = '(?s)' + [regex]::Escape($startMarker) + '.*?' + [regex]::Escape($endMarker); if ($content -match $pattern) { $replacement = $startMarker + \"`r`n\" + $replacementText  + $endMarker; $newContent = $content -replace $pattern, $replacement; $utf8NoBomEncoding = New-Object System.Text.UTF8Encoding($false); [System.IO.File]::WriteAllText($filePath, $newContent, $utf8NoBomEncoding); Write-Host \"Embedded public key in $filePath.\"; } else { Write-Host \"Pattern not found in $filePath.\"; exit 1; } } catch { Write-Error (\"Error: $_.Exception.Message\"); exit 1; }"
 if errorlevel 1 goto failed
-set targetfile=setup.allowedpublickeys.iss
-if not exist "%targetfile%" goto failed
-powershell.exe -NoProfile -Command "$filePath = '%targetfile%'; $replacementFilePath = '%publickeyfile%'; $startMarker = 'Name: mykey2; '; try { $content = Get-Content -Raw -Path $filePath; $replacementText = Get-Content -Raw -Path $replacementFilePath; $replacementText = $replacementText -replace \"`r`n\", \"; \"; $replacementText = $replacementText.Substring(0, $replacementText.Length - 2); $replacementText = $replacementText -replace 'format issig-public-key; key-id', 'KeyID:'; $replacementText = $replacementText -replace 'public-x', 'PublicX:'; $replacementText = $replacementText -replace 'public-y', 'PublicY:'; [string] $pattern = [regex]::Escape($startMarker) + '.*?$'; if ($content -match $pattern) { $replacement = $startMarker + $replacementText; $newContent = $content -replace $pattern, $replacement; $utf8NoBomEncoding = New-Object System.Text.UTF8Encoding($false); [System.IO.File]::WriteAllText($filePath, $newContent, $utf8NoBomEncoding); Write-Host \"Embedded public key in $filePath.\"; } else { Write-Host \"Pattern not found in $filePath.\"; exit 1; } } catch { Write-Error (\"Error: $_.Exception.Message\"); exit 1; }"
-if errorlevel 1 goto failed
-del "%publickeyfile%"
-if errorlevel 1 goto failed
 
 echo Success!
 goto exit

setup.allowedpublickeys.iss

@@ -1,7 +1,7 @@
 // -- Setup.AllowedPublicKeys.iss --
-// The second key in this file should be replaced by your own and this will happen automatically when using build.bat or build-ce.bat
+// The contents of the second keyfile should be replaced by your own and this will happen automatically when using build.bat or build-ce.bat
 // To ignore this change consider using Git's assume-unchanged or skip-worktree functionality
 //
 [ISSigKeys]
-Name: mykey1; KeyID: def0147c3bbc17ab99bf7b7a9c2de1390283f38972152418d7c2a4a7d7131a38; KeyFile: {#__DIR__}\def01.ispublickey
-Name: mykey2; KeyID: def020edee3c4835fd54d85eff8b66d4d899b22a777353ca4a114b652e5e7a28; PublicX: 515dc7d6c16d4a46272ceb3d158c5630a96466ab4d948e72c2029d737c823097; PublicY: f3c21f6b5156c52a35f6f28016ee3e31a3ded60c325b81fb7b1f88c221081a61
+Name: mykey1; KeyID: def0147c3bbc17ab99bf7b7a9c2de1390283f38972152418d7c2a4a7d7131a38; KeyFile: {#__DIR__}\def01.ispublickey.txt
+Name: mykey2; KeyID: def020edee3c4835fd54d85eff8b66d4d899b22a777353ca4a114b652e5e7a28; PublicX: {#__DIR__}\def02.ispublickey.txt