There are three files signed during a single build, so you would be prompted three times... or multiples, if you are building a set of installers (as in different build configurations for a single product). I don't believe that this method would be very comfortable, even if there is a way to ask for the password repeatedly during the build.

If for any reason you don't want to store the password in the project file, you could use a build constant instead. The parameter for SignTool.exe or kSignCMD.exe could be something like "/p #PFXPASSWD#", and while you set up some default value for this constant in the Build Settings, the proper value is provided via the external INI file.
Perhaps this fits your needs?

Ulrich