Old 15th December 2016, 07:15   #1
alfageme
Junior Member
 
Join Date: Dec 2016
Posts: 2
Signing NSIS uninstaller from Linux script

Hi there! think this is the right place to ask this:

We're using an approach to sign our NSIS installer using osslsigncode after creation of the .exe from our cross-compiler script on Linux, all good. However, we realized this way the uninstaller is not getting signed.

Googling the first results for "Signing an Uninstaller with NSIS" I found this example script but we obviously can't get the tempinstaller to run on Linux. Also found this StackOverflow question asking for the same and no apparent solution yet.

So I came to ask the real deal, the NSIS community. Any ideas on how to portably-sign both the Installer and Uninstaller?

(Thought if the uninstaller was created inside the .zip the .exe is in essence, the easy approach was uncompress->sign_uninstaller->compress->sign_installer; but as all you know, the uninstaller is not there but rather is created from the installer with a few tricks)
alfageme is offline   Reply With Quote
Old 16th December 2016, 08:01   #2
Yathosho
Forum King
 
Yathosho's Avatar
 
Join Date: Jan 2002
Location: AT-DE
Posts: 3,363
With Anders response on StackOverflow in mind – have you considered simply using two scripts/installers, one to install and another to uninstall only?
Yathosho is offline   Reply With Quote
Old 16th December 2016, 11:23   #3
JasonFriday13
Major Dude
 
JasonFriday13's Avatar
 
Join Date: May 2005
Location: New Zealand
Posts: 881
Yeah, but how do you generate a standalone uninstaller? Surely you have to call WriteUninstaller somewhere to make sure the compiler actually makes one?

Or perhaps making a patch to the source code that disconnects the dependency of the uninstaller from the installer exehead, which would allow for the uninstaller to be signed and then added to the datablock as a whole file. I realize this would add the size of the exehead + signature to the install size, but the tradeoff would be a platform-agnostic way of signing both the installer and uninstaller. Perhaps !uninstfinalize?

Maybe I can write a patch to do this, the exehead WriteUninstaller code would be moved into the compiler, and the exehead code would become a straight file extract. The compiler would have to write the uninstaller exehead to a file followed by writing the uninstall script data, run !uninstfinalize to sign it, and add the resulting file to the datablock.

Really for me to write this patch depends on if a patch like this would be accepted by the NSIS developers. Or I could just write the patch anyway and let them make the decision. What do you think Anders?

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
JasonFriday13 is offline   Reply With Quote
Old 16th December 2016, 16:11   #4
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,165
Sounds good in theory. Don't know how easy it is to pull off though.

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 21st December 2016, 08:55   #5
alfageme
Junior Member
 
Join Date: Dec 2016
Posts: 2
Sorry for the late reply guys! Thank you all so much for your help.

@Yathosho Yup, I'm open to every option, but not knowing NSIS internals, I decided to ask first as It didn't looked trivial to me; as I said, I thought the uninstaller was going to be stored inside the exe itself. Once I locate the uninstaller inside the installer, signing it would be just replicate what we do with the installer.

Again, thank you very much guys!

@JasonFriday13 I'll definitely use the "experimental" patch and share the results of it. We use the script from a Dockerfile, so anything that favors having the same config in most of the pipeline and just modifying the NSIS script would be amazing.
alfageme is offline   Reply With Quote
Old 21st December 2016, 09:19   #6
JasonFriday13
Major Dude
 
JasonFriday13's Avatar
 
Join Date: May 2005
Location: New Zealand
Posts: 881
Quote:
Originally Posted by alfageme View Post
@Yathosho Yup, I'm open to every option, but not knowing NSIS internals, I decided to ask first as It didn't looked trivial to me; as I said, I thought the uninstaller was going to be stored inside the exe itself. Once I locate the uninstaller inside the installer, signing it would be just replicate what we do with the installer.
The exehead is shared between the installer and uninstaller, and the uninstall script and icons are separate. This saves a whole exehead worth of data (about 40kb).

Quote:
Originally Posted by alfageme View Post
@JasonFriday13 I'll definitely use the "experimental" patch and share the results of it. We use the script from a Dockerfile, so anything that favors having the same config in most of the pipeline and just modifying the NSIS script would be amazing.
I've already written it, check out https://sourceforge.net/p/nsis/patches/280/.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
JasonFriday13 is offline   Reply With Quote
Old 1st February 2017, 21:31   #7
kalverson
Senior Member
 
Join Date: May 2007
Location: Maple Grove, Minnesota
Posts: 134
I had to do this for Microsoft Certification because everything needed to be digitally signed to pass including the uninstall executable. I just created a new install called makeuninstaller.exe that creates the actual uninstall executable. The Ant script calls the make first, signs the output exe and includes it in the actual build of the program being distributed.
kalverson is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion

Tags
signing, uninstaller

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump