ishelpqs
Level 3

How are we supposed to sign now due to new private key requirements for code signing certificates?

We use the option 1 .pfx approach. As of June 1st, 2023, there are new requirements for code signing certificates; once the .pfx expires, option 1 is no longer able to be used.

Starting June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is an industry-wide change not specific to any digital signing vendor.

I have looked into precompression events, which would be a workaround by calling signtool.exe directly before packing everything together, but that is only available to Premier.

I have attempted to do option 2 specified here, but it appears that this does not work, at least with modern HSM signing requirements: https://docs.revenera.com/installshield23helplib/helplibrary/IHelpReleaseDigitalSignature.htm

 

Are all non-premier users out of luck here?
