Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: sign nsis plugin DLLs #11676

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

fix: sign nsis plugin DLLs #11676

wants to merge 1 commit into from
+20 −0

Conversation

thewh1teagle
Copy link
Contributor

@thewh1teagle thewh1teagle commented Nov 13, 2024
edited
Loading

Fix #11673

Now it's signed after bundling:

Log:

..\..\tauri\target\debug\cargo-tauri.exe bundle
    Signing D:\vibe\target\release\vibe.exe
    Signing D:\vibe\target\release\vibe.exe with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: D:\\vibe\\target\\release\\vibe.exe\r\r\n"
    Warn NSIS directory contains mis-hashed files. Redownloading them.
    Downloading https://github.com/tauri-apps/nsis-tauri-utils/releases/download/nsis_tauri_utils-v0.4.1/nsis_tauri_utils.dll
    Info validating hash
    Info Target: x64
    Info Signing NSIS plugins
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\NSISdl.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\NSISdl.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\NSISdl.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\StartMenu.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\StartMenu.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\StartMenu.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\System.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\System.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\System.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\nsDialogs.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\nsDialogs.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\nsDialogs.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\NSISdl.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\NSISdl.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\NSISdl.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\StartMenu.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\StartMenu.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\StartMenu.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\System.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\System.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\System.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsDialogs.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsDialogs.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\nsDialogs.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsis_tauri_utils.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsis_tauri_utils.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\nsis_tauri_utils.dll\r\r\n"
    Running makensis.exe to produce D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe
Done Adding Additional Store
Successfully signed: C:\Users\User\AppData\Local\Temp\nst3640.tmp
    Signing D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe
    Signing D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: D:\\vibe\\target\\release\\bundle/nsis/vibe_2.6.6_x64-setup.exe\r\r\n"
    Finished 1 bundle at:
        D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe

This can potentially fix some issues with #2486
Btw I recommend to everyone always sign the exe even with self signed certificate instead of publishing unsigned binaries that usually flagged immediately as a virus by Windows AVs

@thewh1teagle thewh1teagle requested a review from a team as a code owner November 13, 2024 13:39
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 13, 2024
edited
Loading

Package Changes Through 9e3ac6e

There are 7 changes which include tauri-bundler with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri with minor, tauri-runtime with minor, tauri-runtime-wry with minor, tauri-utils with patch

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package current next
tauri-utils 2.1.0 2.1.1
tauri-bundler 2.1.0 2.2.0
tauri-runtime 2.2.0 2.3.0
tauri-runtime-wry 2.2.0 2.3.0
tauri-codegen 2.0.3 2.0.4
tauri-macros 2.0.3 2.0.4
tauri-plugin 2.0.3 2.0.4
tauri-build 2.0.3 2.0.4
tauri 2.1.1 2.2.0
@tauri-apps/cli 2.1.0 2.2.0
tauri-cli 2.1.0 2.2.0

Add another change file through the GitHub UI by following this link.

Read about change files or the docs at github.com/jbolda/covector

@thewh1teagle thewh1teagle force-pushed the fix/nsis-sign-plugins branch 2 times, most recently from 2821708 to 07f64cf Compare November 13, 2024 14:07
amrbashir
amrbashir requested changes Nov 14, 2024
View reviewed changes
Copy link
Member

@amrbashir amrbashir left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add a change file in .changes directory?

crates/tauri-bundler/src/bundle/windows/nsis/mod.rs Outdated Show resolved Hide resolved
crates/tauri-bundler/src/bundle/windows/nsis/mod.rs Outdated Show resolved Hide resolved
@thewh1teagle
Copy link
Contributor Author

Updated

@thewh1teagle
Copy link
Contributor Author

thewh1teagle commented Dec 2, 2024
edited
Loading

Just a reminder. I still get many false positive detections and I believe that should fix most of them. Hope you can merge it soon.

Update: that's what I do meanwhile:

# Import certificate
[IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE))
Import-PfxCertificate -Exportable -FilePath "cert.pfx" -CertStoreLocation 'cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)

# Sign resources
$signtoolPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\" -Filter "signtool.exe" -Recurse | Where-Object FullName -like "*\x64\signtool.exe" | Select-Object -First 1).FullName
&$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 desktop\src-tauri\ffmpeg\bin\x64\*
# Sign nsis plugin DLLs
Get-ChildItem -Path "$env:LOCALAPPDATA\tauri\NSIS\Plugins" -Filter '*.dll' -Recurse | ForEach-Object { 
    &$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName
}

@thewh1teagle
Copy link
Contributor Author

thewh1teagle commented Dec 5, 2024
edited
Loading

I noticed now that caching won't work if we sign the plugin files

https://github.com/tauri-apps/tauri/blob/dev/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs#L88

It will redownlod them each time we bundle.
maybe we should cache them in directory derived from the URL

@amrbashir
Copy link
Member

@thewh1teagle then we should copy them next to the generated installer.nsi and sign these copies instead.

@amrbashir amrbashir mentioned this pull request Dec 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amrbashir amrbashir amrbashir requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[bug] nsis plugins aren't signed
2 participants
@thewh1teagle @amrbashir