#1 |
Junior Member
Join Date: Dec 2016
Posts: 2
Signing NSIS uninstaller from Linux script
Hi there! I think this is the right place to ask this:

We're using an approach to sign our NSIS installer using osslsigncode after creation of the .exe from our cross-compiler script on Linux, all good. However, we realized this way the uninstaller is not getting signed.

Googling the first results for "Signing an Uninstaller with NSIS" I found this example script, but we obviously can't get the tempinstaller to run on Linux. I also found this StackOverflow question asking for the same, with no apparent solution yet. So I came to ask the real deal, the NSIS community.

Any ideas on how to portably sign both the Installer and Uninstaller? (I thought that if the uninstaller was created inside the .zip that the .exe is in essence, the easy approach would be uncompress->sign_uninstaller->compress->sign_installer; but as you all know, the uninstaller is not there but rather is created from the installer with a few tricks.)
#2 |
Forum King
Join Date: Jan 2002
Location: AT-DE
Posts: 3,366
With Anders' response on StackOverflow in mind – have you considered simply using two scripts/installers, one to install and another to uninstall only?
#3 |
Major Dude
Join Date: May 2005
Location: New Zealand
Posts: 907
Yeah, but how do you generate a standalone uninstaller? Surely you have to call WriteUninstaller somewhere to make sure the compiler actually makes one?
Or perhaps making a patch to the source code that disconnects the dependency of the uninstaller from the installer exehead, which would allow for the uninstaller to be signed and then added to the datablock as a whole file. I realize this would add the size of the exehead + signature to the install size, but the tradeoff would be a platform-agnostic way of signing both the installer and uninstaller. Perhaps !uninstfinalize?

Maybe I can write a patch to do this, the exehead WriteUninstaller code would be moved into the compiler, and the exehead code would become a straight file extract. The compiler would have to write the uninstaller exehead to a file followed by writing the uninstall script data, run !uninstfinalize to sign it, and add the resulting file to the datablock.

Really for me to write this patch depends on if a patch like this would be accepted by the NSIS developers. Or I could just write the patch anyway and let them make the decision. What do you think Anders?

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
#4 |
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,358
Sounds good in theory. Don't know how easy it is to pull off though.
IntOp $PostCount $PostCount + 1
#5 |
Junior Member
Join Date: Dec 2016
Posts: 2
Sorry for the late reply guys! Thank you all so much for your help.
@Yathosho Yup, I'm open to every option, but not knowing NSIS internals, I decided to ask first as it didn't look trivial to me; as I said, I thought the uninstaller was going to be stored inside the exe itself. Once I locate the uninstaller inside the installer, signing it would just replicate what we do with the installer. Again, thank you very much guys!

@JasonFriday13 I'll definitely use the "experimental" patch and share the results of it. We use the script from a Dockerfile, so anything that favors having the same config in most of the pipeline and just modifying the NSIS script would be amazing.
#6 | ||
Major Dude
Join Date: May 2005
Location: New Zealand
Posts: 907
Quote:
Quote:
"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
#7 |
Senior Member
Join Date: May 2007
Location: Maple Grove, Minnesota
Posts: 134
I had to do this for Microsoft Certification because everything needed to be digitally signed to pass including the uninstall executable. I just created a new install called makeuninstaller.exe that creates the actual uninstall executable. The Ant script calls the make first, signs the output exe and includes it in the actual build of the program being distributed.
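Added example, not part of the thread or of NSIS: a build-pipeline check that catches the situation the thread starts from, an installer that is signed while its uninstaller is not. It only tests whether a PE file carries an Authenticode certificate table (data directory entry 4); it does not validate the signature. The function names and the `installer.exe`/`uninstall.exe` labels are hypothetical, and the sample images are constructed headers, not real executables.

```python
import struct

SECURITY_DIR = 4             # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002    # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_table(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    try:
        (nt,) = struct.unpack_from("<I", pe, 0x3C)       # e_lfanew
        if pe[nt:nt + 4] != b"PE\0\0":
            raise ValueError("not a PE file: missing PE signature")
        opt = nt + 24                                    # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)     # start of data directories
        (count,) = struct.unpack_from("<I", pe, dirs - 4)
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
        if offset == 0 or size == 0:
            return None                                  # no signature attached
        if size < 8 or offset + size > len(pe):
            raise ValueError("certificate table points outside the file")
        length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if cert_type != PKCS_SIGNED_DATA or length > size:
        raise ValueError("malformed WIN_CERTIFICATE entry")
    return offset, size

def sample_pe(signed: bool) -> bytes:
    """Constructed header-only PE32 image for the demo; not a real installer."""
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0)
    cert = b""
    if signed:                                           # dummy 4-byte PKCS#7 stub
        cert = struct.pack("<IHH", 12, 0x0200, PKCS_SIGNED_DATA) + b"\x30\x82\x00\x00"
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 88 + len(opt), len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    samples = (("installer.exe", sample_pe(True)), ("uninstall.exe", sample_pe(False)))
    for name, blob in samples:
        print(name, "signed" if authenticode_table(blob) else "UNSIGNED")
```

In a real pipeline the bytes would come from the files the build produced, and a hit should still be followed by a full signature verification with the signing tool.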
Tags |
signing, uninstaller |