Setting the UAC 'Publisher' Field for a NSIS Installer

3

20

When I open my installer (that I created using NSIS), the UAC dialog appears with information about my installer. The field Publisher is 'unknown'. I've heard of digitally signing the application, do you know how to do this in NSIS?

How can I set the field/attribute Publisher to "My Installer" or some other text?

I think the following code is supposed to set the Publisher field but it doesn't, it still remains 'unknown':

InstallDir  "abc"
Name        "def"        
OutFile     "def.exe"

VIProductVersion                 "1.0.0.0"
VIAddVersionKey ProductName      "def"
VIAddVersionKey Comments         "MY DESCRIPTION"
VIAddVersionKey CompanyName      "My Installer"
VIAddVersionKey LegalCopyright   "MY COMPANYNAME"
VIAddVersionKey FileDescription  "MY DESCRIPTION"
VIAddVersionKey FileVersion      1
VIAddVersionKey ProductVersion   1
VIAddVersionKey InternalName     "def"
VIAddVersionKey LegalTrademarks  "PTY LTD"
VIAddVersionKey OriginalFilename "def.exe"

Section
    DetailPrint "Hello World"
SectionEnd
Marauding answered 14/5, 2012 at 10:27 Comment(2)
Unless you want to play with unreleased version of NSIS from svn, you cannot change it easily. See #4244997 - Kakaaba
The important thing is that the "publisher" field there is done by digital signing, with the publisher being that of the signature. That then means that you need to buy a signature, to start with. - Wearproof
A
21

You would have to Authenticode sign the installer with a certificate authority trusted by Windows (if you want to be part of Winqual then you need a special certificate and MS only allows you to use VeriSign) because that field is extracted from the digital certificate (if one exists) and not from the PE version information.

To sign as part of the build process you can use this hack, or if you are using NSIS v3 then you can use the !finalize command.

Abroach answered 14/5, 2012 at 16:11 Comment(5)
Windows 10 showed the field correctly, if the certificate was added with sha1 and sha256 options, as described in https://mcmap.net/q/620080/-setting-the-uac-39-publisher-39-field-for-a-nsis-installer - Fixer
@Abroach My NSIS installer is marked as malware by Windows; will signing it resolve the issue? Also, is there any other hack, because I don't want to purchase a certificate? - Woll
@Woll Are you sure it is marked as malware? Signing will not fix that. Signing (especially EV) will help with Windows SmartScreen. If it is detected as malware, submit a false positive report to the anti virus vendor... - Abroach
@Abroach Will I have to submit the report every time I make changes in the application? And how much time will it take for review and approval? Also, will I have to submit the request to all the vendors one by one, or is there any way I can submit to a centralized repository? - Woll
@Woll Check on virustotal to find which products detect you and then basically report to each vendor. But you are now off topic if it is indeed a virus issue. - Abroach
W
8

To give some more details about that command, these are the lines I have used with NSIS version 3.03 with the !finalize command.

Important: You will need to provide the codesign certificate password inside a passwd.txt file placed in the same directory as your certificate.pfx file.

!define PRODUCT_NAME "def"
!define PRODUCT_VERSION "1.0.0.0"
!define OutputFileName "def.exe"

Name "${PRODUCT_NAME} ${PRODUCT_VERSION}"
OutFile "${OutputFileName}"
InstallDir "abc"
ShowInstDetails show

!define /file OutFileSignPassword ".\CodeSign\passwd.txt"
!define OutFileSignCertificate ".\CodeSign\certificate.pfx"
!define OutFileSignSHA1   ".\CodeSign\signtool.exe sign /f ${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha1   /t  http://timestamp.comodoca.com /v" 
!define OutFileSignSHA256 ".\CodeSign\signtool.exe sign /f ${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha256 /tr http://timestamp.comodoca.com?td=sha256 /td sha256 /as /v" 

!finalize "PING -n 1 127.0.0.1 >nul"                                # Delay Next Step to ensure File isn't locked by previous Process 
!finalize "${OutFileSignSHA1} .\${OutputFileName}"                  # CodeSigning with SHA1/AuthentiCode 
!finalize "PING -n 5 127.0.0.1 >nul"                                # Delay Next Step to ensure File isn't locked by previous Process 
!finalize "${OutFileSignSHA256} .\${OutputFileName}"                # CodeSigning with SHA256/RFC 3161  

CRCCheck on

Section
    DetailPrint "Hello World"
SectionEnd

After that you will be able to see an output similar to these lines:

The following certificate was selected:
    Issued to: Your Company
    Issued by: COMODO RSA Code Signing CA
    Expires:   Sun Mar 15 00:59:59 2020
    SHA1 hash: 0A12223C465069798D940317273C4F56A9BCC6D9

Done Adding Additional Store
Successfully signed: .\def.exe

Number of files successfully Signed: 1

Number of warnings: 0

Number of errors: 0
Waverly answered 8/10, 2018 at 14:50 Comment(0)
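
A variant of the script above that keeps the certificate password out of the build tree and off the signtool command line, as an added example that is not part of the original answer. It assumes the code-signing certificate and its private key are already installed in the build account's personal ("My") certificate store; `CERT_THUMBPRINT` is a placeholder, and the `SIGNTOOL`, `CERT_THUMBPRINT` and `TIMESTAMP_URL` names are made up for this example.

```nsis
; Added example: select the certificate from the Windows certificate store by
; thumbprint (signtool /sha1) instead of passing a .pfx file and its password.
!define PRODUCT_NAME "def"
!define PRODUCT_VERSION "1.0.0.0"
!define OutputFileName "def.exe"

; Assumed layout: signtool.exe sits in .\CodeSign as in the answer above.
!define SIGNTOOL ".\CodeSign\signtool.exe"
; Placeholder: replace with the SHA1 thumbprint of your own certificate.
!define CERT_THUMBPRINT "<SHA1-THUMBPRINT-OF-YOUR-CERTIFICATE>"
; Same timestamp server as used in the answer above.
!define TIMESTAMP_URL "http://timestamp.comodoca.com"

Name "${PRODUCT_NAME} ${PRODUCT_VERSION}"
OutFile "${OutputFileName}"
InstallDir "abc"
ShowInstDetails show

; "%1" is replaced by the generated installer path.
; The trailing "= 0" makes the build fail if the command exits with a non-zero code,
; so an unsigned or half-signed installer is never produced silently.

; Delay so the file is no longer locked by the previous process (as in the answer above)
!finalize 'PING -n 1 127.0.0.1 >nul'
; First signature: SHA1 digest, Authenticode timestamp
!finalize '${SIGNTOOL} sign /sha1 ${CERT_THUMBPRINT} /fd sha1 /t ${TIMESTAMP_URL} /v "%1"' = 0
!finalize 'PING -n 5 127.0.0.1 >nul'
; Second signature appended with /as: SHA256 digest, RFC 3161 timestamp
!finalize '${SIGNTOOL} sign /sha1 ${CERT_THUMBPRINT} /fd sha256 /tr ${TIMESTAMP_URL}?td=sha256 /td sha256 /as /v "%1"' = 0
; Check every signature in the file against the default Authenticode policy
!finalize '${SIGNTOOL} verify /pa /all /v "%1"' = 0

CRCCheck on

Section
    DetailPrint "Hello World"
SectionEnd
```

The verbose output of the `verify` step lists the signing certificate chain for each signature, which is where the name shown as Publisher in the UAC dialog comes from.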
F
1

It seems to be important to sign the installer file with two signatures, as svcabre implemented it:

Using both sha1 algorithm on the one hand

"c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" ^
sign /f "YourCertificateFileHere.pfx" /p YourPasswordHere ^
/fd sha1 /t http://timestamp.comodoca.com /v "YourInstallerFilePathHere"

and sha256 on the other hand

"c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" ^
sign /f "YourCertificateFileHere.pfx" /p YourPasswordHere ^
/fd sha256 /tr http://timestamp.comodoca.com?td=sha256 ^
/td sha256 /as /v "YourInstallerFilePathHere"

With this option, Windows 10 also showed the certificate holder correctly.

Fixer answered 20/9, 2019 at 6:53 Comment(0)
