I have an IS project that gives a single standalone setup.exe as output.
Later we manually sign this using our proprietary signing tool.
But on performing an uninstall of the installed setup.exe from Add or Remove Programs, I get a "UAC Unknown Publisher Warning" prompt.
From forums, I came to know that signing the msi that gets wrapped within the exe is a solution for this.
Again I am aware that this can be achieved by using the signing tab present in Releases view of my IS project by specifying a .spc or .pfx file and its creds (which internally invokes signtool.exe).
But my organisation is not willing to publish out private keys and certs.

Hence, is there a way to sign the msi using our proprietary signing tool during the InstallShield build process itself? (as what I get after building is a single standalone setup.exe file)

One probable way, I feel, is: turn on the InstallShield signing and then write a wrapper script that intercepts the calls to signtool, which in turn calls out to the custom tool with the right parameters and then does the signing via the custom sign tool.
Does this make sense as a recommended fix? If so, how can I implement it?

IS version used: InstallShield 2013 Premier Edition with Virtualization Pack.

Thanks in advance!