-
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: sign nsis plugin DLLs #11676
base: dev
Are you sure you want to change the base?
fix: sign nsis plugin DLLs #11676
Conversation
Package Changes Through 9e3ac6eThere are 7 changes which include tauri-bundler with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri with minor, tauri-runtime with minor, tauri-runtime-wry with minor, tauri-utils with patch Planned Package VersionsThe following package releases are the planned based on the context of changes in this pull request.
Add another change file through the GitHub UI by following this link. Read about change files or the docs at github.com/jbolda/covector |
2821708
to
07f64cf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you also add a change file in .changes directory?
2fabf5d
to
b051f75
Compare
Updated |
f564491
to
9e3ac6e
Compare
Just a reminder. I still get many false positive detections and I believe that should fix most of them. Hope you can merge it soon. Update: that's what I do meanwhile: # Import certificate
[IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE))
Import-PfxCertificate -Exportable -FilePath "cert.pfx" -CertStoreLocation 'cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)
# Sign resources
$signtoolPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\" -Filter "signtool.exe" -Recurse | Where-Object FullName -like "*\x64\signtool.exe" | Select-Object -First 1).FullName
&$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 desktop\src-tauri\ffmpeg\bin\x64\*
# Sign nsis plugin DLLs
Get-ChildItem -Path "$env:LOCALAPPDATA\tauri\NSIS\Plugins" -Filter '*.dll' -Recurse | ForEach-Object {
&$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName
} |
I noticed now that caching won't work if we sign the plugin files https://github.com/tauri-apps/tauri/blob/dev/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs#L88 It will redownlod them each time we bundle. |
@thewh1teagle then we should copy them next to the generated installer.nsi and sign these copies instead. |
Fix #11673
Now it's signed after bundling:
Log:
This can potentially fix some issues with #2486
Btw I recommend to everyone always sign the exe even with self signed certificate instead of publishing unsigned binaries that usually flagged immediately as a virus by Windows AVs