Old 18th July 2016, 20:06   #1
swinster
Junior Member
 
Join Date: Apr 2008
Posts: 30
How to sign an installer with a trusted certificate

Hi All,

I'm probably missing something obvious here. I can see a code example on signing an uninstaller (http://nsis.sourceforge.net/Signing_an_Uninstaller), but not on signing the actual installer.

I am running NSIS 3 (specifically rc2), and this package will be used on Windows 7 systems and above. Public certificate: OK. Signtool: OK (although I am no true developer, per se).

I see something regarding !finalize in the manual, which seems like it would be the thing to use, although I am not exactly sure how.

Any pointers welcome.

Swin
Old 18th July 2016, 22:34   #2
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,816
!finalize 'signtool.exe "%1" ...' where %1 is replaced by the path to the installer. The ...s you have to figure out yourself; you probably want to use a URL to a timestamp server and perhaps dual sign with both sha1 and sha2. Ask your cert. authority or read about Authenticode on MSDN...

IntOp $PostCount $PostCount + 1
Old 18th July 2016, 22:53   #3
swinster
Junior Member
 
Join Date: Apr 2008
Posts: 30
Thanks Anders, it was the example of calling a batch file in the !finalize documentation that puzzled me, but I didn't realise it was so obvious (although there is no documentation on the parameters and whether one of them should point to a certificate).

Not sure what a "url to a timestamp server" is, but will endeavour to find out.

Our cert needs renewing in November, but it is currently sha2 (sha256). I don't think we have a valid sha1 cert anymore.

Swin
Old 18th July 2016, 23:38   #4
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,816
Windows 7 needs an update to support sha2 IIRC.

Timestamping will allow your cert to validate even after it has expired.

See also:
* http://stackoverflow.com/questions/2...r-authenticode
* https://blog.didierstevens.com/2015/...ng-and-sha256/
* http://social.technet.microsoft.com/...estamping.aspx

IntOp $PostCount $PostCount + 1
Old 20th July 2016, 16:51   #5
Theresias
Junior Member
 
Join Date: Jun 2006
Posts: 48
To make sure your application/installer is properly working with all Windows versions, you should actually double sign your EXEs.

I ended up solving this by using the !finalize command a few times...

Code:
!define OutFileSignSHA1   ".\CodeSign\SignTool sign /f .\CodeSign\${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha1   /t  http://timestamp.comodoca.com /v"
!define OutFileSignSHA256 ".\CodeSign\SignTool sign /f .\CodeSign\${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha256 /tr http://timestamp.comodoca.com?td=sha256 /td sha256 /as /v"
...and the actual !finalize commands are...

Code:
!finalize "${OutFileSignSHA1} .\${OutputFileName}"     # CodeSigning with SHA1/AuthentiCode
!finalize "PING -n 5 127.0.0.1 >nul"                   # Delay next step to ensure file isn't locked by previous process
!finalize "${OutFileSignSHA256} .\${OutputFileName}"   # CodeSigning with SHA256/RFC 3161
You'll probably notice the PING command in between; one of the issues I have is that the file may still be locked by a Windows process (virus scan, indexing etc.) once it has been signed, so the PING adds a consistent delay before doing the 2nd signing.

Please note, not all time stamping servers support RFC 3161, which you need to properly sign the SHA256 where SHA1 was good with AuthentiCode time stamps...
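A complete dual-signing script with a verification step, as an added example that is not from the thread or the NSIS project. It assumes signtool.exe is on PATH, that the signing certificate is in the Windows certificate store and is selected by its thumbprint (placeholder below) so no private-key password has to live in the .nsi, that the thread's Comodo timestamp server is reachable, and an NSIS 3 release whose !finalize accepts the optional `= retval` return-value check.

```nsis
; Added example, not code from the thread or from NSIS itself.
; Build with makensis; each !finalize runs after the installer has been written,
; in the order given, and "%1" is replaced by the output file path.

!define OutputFileName  "MyInstaller.exe"
; Placeholder: replace with the SHA-1 thumbprint of your code-signing cert
; as shown in certmgr.msc. Selecting by thumbprint avoids /f + /p and keeps
; the PFX password out of the script and the build log.
!define CertThumbprint  "PUT-YOUR-CERT-SHA1-THUMBPRINT-HERE"
!define TsaAuthenticode "http://timestamp.comodoca.com"            ; /t  : Authenticode timestamp
!define TsaRfc3161      "http://timestamp.comodoca.com?td=sha256"  ; /tr : RFC 3161 timestamp

Name "My Application"
OutFile "${OutputFileName}"
RequestExecutionLevel user

Section "Install"
  ; Installer payload goes here.
SectionEnd

; 1) SHA-1 signature with an Authenticode timestamp, for Windows 7 hosts
;    that have not received the SHA-2 update.
!finalize 'signtool sign /sha1 ${CertThumbprint} /fd sha1 /t ${TsaAuthenticode} /v "%1"' = 0

; 2) Append (/as) a SHA-256 signature with an RFC 3161 timestamp; /td sha256
;    asks the TSA for a SHA-256 timestamp digest. Without /as the first
;    signature would be replaced instead of kept alongside this one.
!finalize 'signtool sign /sha1 ${CertThumbprint} /fd sha256 /tr ${TsaRfc3161} /td sha256 /as /v "%1"' = 0

; 3) Verify every signature (/all) against the default Authenticode policy (/pa).
;    The "= 0" makes makensis fail the build if verification does not pass, so a
;    missing timestamp, a broken chain or a half-signed file never ships.
!finalize 'signtool verify /pa /all /v "%1"' = 0
```

If a scanner or indexer still holds the freshly written file, insert a delay step (the PING idiom from this thread) between the two sign commands; the verify step will report a missing second signature if the append was skipped.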
Old 16th April 2018, 14:05   #6
KennZAney1
Junior Member
 
Join Date: Dec 2017
Posts: 1
Genius idea using the PING command for a delay!
Old 16th April 2018, 14:16   #7
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,816
Quote: Originally Posted by KennZAney1
> Genius idea using the PING command for a delay!
It is a pretty common idiom. Should work everywhere except minimal Win9x installs. Choice.com is available on Win9x (but not NT4?/2000/XP/Vista?)

IntOp $PostCount $PostCount + 1