  • How to sign an installer with a trusted certificate

    Hi All,

    I'm probably missing something obvious here. I can see a code example on signing an uninstaller (http://nsis.sourceforge.net/Signing_an_Uninstaller), but not on signing the actual installer.

    I am running NSIS 3 (specifically rc2), and this package will be used on Windows 7 systems and above. Public certificate: OK. Signtool: OK (although I am no true developer, per se).

    I see something regarding !finalize in the manual, which seems like it would be the thing to use, although I am not exactly sure how.

    Any pointers welcome.
    Swin

  • #2
    !finalize 'signtool.exe "%1" ...' where %1 is replaced by the path to the installer, the ...s you have to figure out yourself, you probably want to use a url to a timestamp server and perhaps dual sign with both sha1 and sha2. Ask your cert. authority or read about Authenticode on MSDN...



    • #3
      Thanks Anders; it was the example of calling a batch file in the !finalize documentation that puzzled me, but I didn't realise it was so obvious (although there is no documentation on the parameters and whether one of them should point to a certificate).

      Not sure what a "url to a timestamp server" is, but will endeavour to find out.

      Our cert needs renewing in November, but it is currently sha2 (sha256). I don't think we have a valid sha1 cert anymore.
      Swin



      • #4
        Windows 7 needs an update to support sha2 IIRC.

        Timestamping will allow your cert to validate even after it has expired.

        See also:
        * http://stackoverflow.com/questions/2...r-authenticode
        * https://blog.didierstevens.com/2015/...ng-and-sha256/
        * http://social.technet.microsoft.com/...estamping.aspx



        • #5
          To make sure your application/installer is properly working with all Windows versions, you should actually double sign your EXEs.

          I ended up solving this by using the !finalize command a few times...

          PHP Code:
          !define OutFileSignSHA1   ".\CodeSign\SignTool sign /f .\CodeSign\${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha1   /t  http://timestamp.comodoca.com /v"
          !define OutFileSignSHA256 ".\CodeSign\SignTool sign /f .\CodeSign\${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha256 /tr http://timestamp.comodoca.com?td=sha256 /td sha256 /as /v"

          ...and the actual !finalize commands are...

          PHP Code:
          !finalize "${OutFileSignSHA1} .\${OutputFileName}"                  # CodeSigning with SHA1/AuthentiCode
          !finalize "PING -n 5 127.0.0.1 >nul"                                # Delay next step to ensure file isn't locked by previous process
          !finalize "${OutFileSignSHA256} .\${OutputFileName}"                # CodeSigning with SHA256/RFC 3161
          You'll probably notice the PING command in between, one of the issues I have is that the file may still be locked by a Windows process (virus scan, indexing etc.) once it got signed, the PING adds a consistent delay before doing the 2nd signing.

          Please note, not all time stamping servers support RFC 3161, which you need to properly sign the SHA256 where SHA1 was good with AuthentiCode time stamps...

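Putting together Anders' "%1" substitution from #2 and the dual-signing sequence from #5, the following is an added example script; it is not code from the original thread, from NSIS, or from signtool's documentation. It assumes a PFX at .\CodeSign\mycert.pfx (a hypothetical path), the PFX password passed in as /DPFXPASS on the makensis command line rather than hard-coded in the script, signtool.exe on PATH, and the Comodo timestamp URLs used in #5 (swap in your own CA's endpoints). It also adds a final signtool verify step, which the thread does not show, so that a missing or untrusted signature is visible in the build log rather than discovered on a customer's machine.

```nsis
; Added example (not from the original thread). Build with:
;   makensis /DPFXPASS=<pfx password> sign-example.nsi
!ifndef PFXPASS
  !error "Build with: makensis /DPFXPASS=<password> sign-example.nsi"
!endif

!define PFX     ".\CodeSign\mycert.pfx"                    ; assumed path to the signing cert
!define TS_SHA1 "http://timestamp.comodoca.com"            ; Authenticode timestamp (/t), as in #5
!define TS_RFC  "http://timestamp.comodoca.com?td=sha256"  ; RFC 3161 timestamp (/tr), as in #5

Name "SignedExample"
OutFile "SignedExample-Setup.exe"
InstallDir "$PROGRAMFILES\SignedExample"
RequestExecutionLevel admin

; Every !finalize below runs after the installer has been written; NSIS
; replaces %1 with the output file path. Keep %1 quoted so a build
; directory containing spaces does not split the argument.

; 1) Primary SHA-1 signature with an Authenticode (/t) timestamp, for
;    Windows 7 hosts that have not received the SHA-2 update.
!finalize 'signtool.exe sign /f "${PFX}" /p "${PFXPASS}" /fd sha1 /t "${TS_SHA1}" /v "%1"'

; 2) Short pause so AV or indexing releases the file before the second
;    signing (the PING idiom from #5; ~2 s).
!finalize 'ping -n 3 127.0.0.1 >nul'

; 3) Append (/as) a SHA-256 signature with an RFC 3161 (/tr) timestamp
;    and a SHA-256 timestamp digest (/td).
!finalize 'signtool.exe sign /f "${PFX}" /p "${PFXPASS}" /fd sha256 /tr "${TS_RFC}" /td sha256 /as /v "%1"'

; 4) Check the result: /pa uses the default Authenticode policy, /all
;    verifies every signature on the file, not just the first one.
!finalize 'signtool.exe verify /pa /all /v "%1"'

Section "Install"
  SetOutPath "$INSTDIR"
  ; Ships this script as a stand-in payload so the example builds
  ; without any extra files.
  File /oname=readme.txt "${__FILE__}"
SectionEnd
```

Passing the password via /D keeps it out of the script and therefore out of version control; the path to the PFX can stay in the script because the file itself should not be committed. Note that !finalize on its own does not stop the build when signtool exits with an error; look up the !finalize entry in your NSIS version's manual for its optional exit-code argument if you want a failed signing to fail the build.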


          • #6
            Genius idea using the PING command for a delay!



            • #7
              Originally Posted by KennZAney1:
              "Genius idea using the PING command for a delay!"
              It is a pretty common idiom. Should work everywhere except minimal Win9x installs. Choice.com is available on Win9x (but not NT4?/2000/XP/Vista?)
