Sign NSIS installer on Linux box [closed]

Currently I generate an installer for a program using NSIS on a Linux machine. The NSIS binaries have been compiled for Ubuntu, and using the .nsi script presents no difficulties. However, the resulting setup.exe file is unsigned. This results in scary warnings for our users who download the installer via most common web browsers, as well as warnings from Windows itself when run.

We'd like to avoid these warnings, and unless I'm missing something, that requires using a Windows tool to sign the generated setup.exe file. Is there a way to do this on a non-Windows machine?

Unfortunately, each installer is unique (different files are bundled depending on the customer's request, and a unique ID included) so I cannot sign the installer on a Windows machine and then upload it.

Dele answered 2/3, 2012 at 2:26 Comment(0)

I had to do it a few weeks ago, without using Wine. What I did was import the pfx file into Windows and then export it with the "Include all certificates in the certificate path if possible" option. Then I followed the instructions on this page.

After you have all the certs (spc and pvk files) you should use the following command:

signcode -spc [spc file] -v [pvk file] -a sha1 -$ commercial -t http://timestamp.verisign.com/scripts/timstamp.dll -tr 10 [exe file to sign] 

I had to install mono-dev pack:

sudo apt-get install mono-devel
Monophthong answered 4/3, 2012 at 15:47 Comment(3)
OpenSSL reports that -pvk-strong is an unknown option. I attempted omitting it, but I encounter an error when running signcode; it prompts for a passphrase. I assumed this would be the same one I used when exporting the certificate from Windows, but this does not work. Where am I going astray? – Dele
Turns out downloading the latest version of OpenSSL and building it got rid of that error. Dunno why Ubuntu doesn't have that in apt. :( – Dele
@Tom G: because they try to keep things stable. More so on the LTS release channel. Debian is even more conservative. – Mayolamayon

Your best choice is probably the use of: osslsigncode. Built easily for me (make sure to have the OpenSSL headers available). It may have difficulties with the kernel mode signing policy, though (embedding the parent certs up to the root) - so you may still have to resort to WINE in the end.

Mayolamayon answered 2/3, 2012 at 3:51 Comment(1)
osslsigncode worked for me. Now I'm able to sign exes using a pfx, thanks. – Gesner

Signing files for Windows uses Microsoft Authenticode signatures. There is a tool in the SDK that signs Executables and DLLs (signtool.exe). You might be able to run that using Wine.

It's also possible to sign files through Windows API calls - these functions might be implemented in Wine as well, but I sort of doubt it because Authenticode is only used and implemented by Microsoft (as far as I know).

However, this tool doesn't do very much - it basically appends the certificate and a signed timestamp at the end of the file. There might exist adaptations for Linux as well.

Here is a link to someone who got it working using signcode.

Daughter answered 2/3, 2012 at 2:30 Comment(0)
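A build-side check related to the answer above, as an added example that is not part of the original posts: the signing tool appends the Authenticode blob to the file and records its location in PE data directory entry 4 (the attribute certificate table), so a Linux build job can confirm that each generated setup.exe actually carries a signature before upload. The function names, returned fields and sample bytes are constructed for illustration.

```python
import struct

CERT_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def find_signature(data):
    """Return the certificate-table details of a PE image, or None if unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    opt = pe_off + 24                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 / PE32+
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    if count <= CERT_DIR_INDEX:
        return None
    # For this one directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR_INDEX)
    if offset == 0 or size == 0:
        return None
    if size < 8 or offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return {"offset": offset, "size": size, "entry_length": length,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "at_end_of_file": offset + size == len(data)}

def sample_pe(signed):
    """Constructed, minimal PE32 header (not a runnable program) for the demo."""
    opt = bytearray(224)                # optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    blob = b""
    if signed:
        pkcs7 = b"\x30\x82" + bytes(14) # placeholder bytes, not a real signature
        blob = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
        struct.pack_into("<II", opt, 96 + 8 * CERT_DIR_INDEX, 64 + 24 + len(opt), len(blob))
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + blob

if __name__ == "__main__":
    for name in ("unsigned", "signed"):
        print(name, find_signature(sample_pe(name == "signed")))
```

This only shows that a signature blob is present and well placed; whether it is valid and chains to a trusted root still has to be checked with `osslsigncode verify` or on Windows.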