The signature was being applied outside of Wise, through our build process. We use FinalBuilder to build all of our applications and it has a handy Authenticode action for applying an Authenticode signature to the target you specify. If I disabled that action, the installer worked.
Wise has the ability to sign it’s executables, but that version is hard coded to use Microsoft’s signcode executable to handle the actually signing. Microsoft has deprecated signcode in favor of signtool and I didn’t have a copy of signcode laying around. In all likelihood, the current version of Wise’s script based installer would be able to use signtool, but I can’t use the current version because they broke other, more important things.
After a fair amount of googling, I found an old copy of signcode on Thawte’s site on this page. I downloaded the file set and extracted signcode and placed it in my \windows folder. I fired up Wise and went to the “Digital Signature” page in the IDE. That’s when I saw the blindingly obvious setting that I needed to set:
On the “Digital Signature” in the Wise Installation System IDE, make sure that the radio button labeled “Add a digital signature externally” has been checked. Once I made that change, everything worked.