Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sign NSIS installer on Linux box

Tags:

linux

nsis

Currently I generate an installer for a program using NSIS on a Linux machine. The NSIS binaries have been compiled for Ubuntu, and using the .nsi script presents no difficulties. However, the resulting setup.exe file is unsigned. This results in scary warnings for our users who download the installer via most common web browsers, as well as warnings from Windows itself when run.

We'd like to avoid these warnings, and unless I'm missing something, that requires using a Windows tool to sign the generated setup.exe file. Is there a way to do this on a non-Windows machine?

Unfortunately, each installer is unique (different files are bundled depending on the customer's request, and a unique ID included) so I cannot sign the installer on a Windows machine and then upload it.

like image 516
Thorn G Avatar asked Mar 02 '12 02:03

Thorn G

People also ask

Does NSIS work on Linux?

The NSIS compiler can be compiled for POSIX platforms like Linux and *BSD. Generated installer will still run on Windows only, but this way they can be generated without Windows or WINE.

How do you compile NSIS?

NSIS installers are generated by using the 'MakeNSIS' program to compile a NSIS script (. NSI) into an installer executable. The NSIS development kit installer sets up your computer so that you can compile a . nsi file by simply right-clicking on it in Explorer and selecting 'compile'.

What is a NSIS script?

Nullsoft Scriptable Install System (NSIS) is a script-driven installer authoring tool for Microsoft Windows backed by Nullsoft, the creators of Winamp. NSIS is released under a combination of free software licenses, primarily the zlib license.

2 Answers

Your best choice is probably the use of: osslsigncode. Built easily for me (make sure to have the OpenSSL headers available). It may have difficulties with the kernel mode signing policy, though (embedding the parent certs up to the root) - so you may still have to resort to WINE in the end.

like image 90
0xC0000022L Avatar answered Sep 22 '22 06:09

0xC0000022L

I had to do it a few weeks ago, without using wine. What I did was to import the pfx file to windows and then exported it with "Include all certificates in the certificate path if possible" option. then I followed the instruction on this page .

After you have all the certs (spc and pvk files) you should use the following command:

signcode -spc [spc file] -v [pvk file] -a sha1 -$ commercial -t http://timestamp.verisign.com/scripts/timstamp.dll -tr 10 [exe file to sign]

I had to install mono-dev pack: 

sudo apt-get install mono-devel
like image 42
zenpoy Avatar answered Sep 23 '22 06:09

zenpoy
Sign in to Comment

Related questions

Setting up a workspace using Team Explorer Everywhere on Linux
How to use pthreads barrier?
Rendering an html page and saving it using command line
os.environ doesn't show some variables
udev: device connected at boot time
How to execute a script when xfce session ends
source code for linux shell utility pidof
How to make makefile host dependent?
Same program faster on Linux than Windows -- why?
Java app with URLConnection leads "Too many open files"
How to prevent inheriting CPU affinity by child forked process?
Script to do incremental backups with rsync [closed]
upside-down program in /usr/bin/games
How to view vendor information of my NIC?
Simple makefile for C/C++ targets used with arm-linux-gcc
How to Stop a QThread That Runs a Blocking Forever Loop?
Playing sound in C++ using native system calls?
How are command-line GUIs made? [closed]
Bash pipe and SIGTERM
Calling a PHP script from a C++ Program

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!