8000 fix(bundler): sign DLLs by thewh1teagle · Pull Request #11676 · tauri-apps/tauri · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix(bundler): sign DLLs #11676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Apr 13, 2025
Merged

fix(bundler): sign DLLs #11676

merged 18 commits into from
Apr 13, 2025

Conversation

thewh1teagle
Copy link
Contributor
@thewh1teagle thewh1teagle commented Nov 13, 2024
edited
Loading

Fix #11673

Now it's signed after bundling:

Log:

..\..\tauri\target\debug\cargo-tauri.exe bundle
    Signing D:\vibe\target\release\vibe.exe
    Signing D:\vibe\target\release\vibe.exe with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: D:\\vibe\\target\\release\\vibe.exe\r\r\n"
    Warn NSIS directory contains mis-hashed files. Redownloading them.
    Downloading https://github.com/tauri-apps/nsis-tauri-utils/releases/download/nsis_tauri_utils-v0.4.1/nsis_tauri_utils.dll
    Info validating hash
    Info Target: x64
    Info Signing NSIS plugins
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\NSISdl.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\NSISdl.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\NSISdl.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\StartMenu.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\StartMenu.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\StartMenu.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\System.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\System.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\System.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\nsDialogs.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\nsDialogs.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\nsDialogs.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\NSISdl.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\NSISdl.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\NSISdl.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\StartMenu.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\StartMenu.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\StartMenu.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\System.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\System.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\System.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsDialogs.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsDialogs.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\nsDialogs.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsis_tauri_utils.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsis_tauri_utils.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\nsis_tauri_utils.dll\r\r\n"
    Running makensis.exe to produce D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe
Done Adding Additional Store
Successfully signed: C:\Users\User\AppData\Local\Temp\nst3640.tmp
    Signing D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe
    Signing D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: D:\\vibe\\target\\release\\bundle/nsis/vibe_2.6.6_x64-setup.exe\r\r\n"
    Finished 1 bundle at:
        D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe

This can potentially fix some issues with #2486
Btw I recommend to everyone always sign the exe even with self signed certificate instead of publishing unsigned binaries that usually flagged immediately as a virus by Windows AVs

@thewh1teagle thewh1teagle requested a review from a team as a code owner November 13, 2024 13:39
@github-actions GitHub Actions
Copy link
Contributor
github-actions bot commented Nov 13, 2024
edited
Loading

Package Changes Through c3c091b

There are 8 changes which include @tauri-apps/api with minor, tauri with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri-utils with minor, tauri-bundler with minor, tauri-runtime with minor, tauri-runtime-wry with minor

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package current next
@tauri-apps/api 2.4.1 2.5.0
tauri-utils 2.3.1 2.4.0
tauri-bundler 2.3.1 2.4.0
tauri-runtime 2.5.1 2.6.0
tauri-runtime-wry 2.5.1 2.6.0
tauri-codegen 2.1.1 2.1.2
tauri-macros 2.1.1 2.1.2
tauri-plugin 2.1.1 2.1.2
tauri-build 2.1.1 2.1.2
tauri 2.4.1 2.5.0
@tauri-apps/cli 2.4.1 2.5.0
tauri-cli 2.4.1 2.5.0

Add another change file through the GitHub UI by following this link.

Read about change files or the docs at github.com/jbolda/covector

@thewh1teagle thewh1teagle force-pushed the fix/nsis-sign-plugins branch 2 times, most recently from 2821708 to 07f64cf Compare November 13, 2024 14:07
amrbashir
amrbashir requested changes Nov 14, 2024
View reviewed changes
amrbashir
amrbashir requested changes Nov 14, 2024
View reviewed changes
Copy link
Member
@amrbashir amrbashir left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add a change file in .changes directory?

@thewh1teagle
Copy link
Contributor Author

Updated

amrbashir
amrbashir requested changes Nov 14, 2024
View reviewed changes
@thewh1teagle
Copy link
Contributor Author
thewh1teagle commented Dec 2, 2024
edited
Loading

Just a reminder. I still get many false positive detections and I believe that should fix most of them. Hope you can merge it soon.

Update: that's what I do meanwhile:

# Import certificate
[IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE))
Import-PfxCertificate -Exportable -FilePath "cert.pfx" -CertStoreLocation 'cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)

# Sign resources
$signtoolPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\" -Filter "signtool.exe" -Recurse | Where-Object FullName -like "*\x64\signtool.exe" | Select-Object -First 1).FullName
&$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 desktop\src-tauri\ffmpeg\bin\x64\*
# Sign nsis plugin DLLs
Get-ChildItem -Path "$env:LOCALAPPDATA\tauri\NSIS\Plugins" -Filter '*.dll' -Recurse | ForEach-Object { 
    &$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName
}

@thewh1teagle
Copy link
Contributor Author
thewh1teagle commented Dec 5, 2024
edited
Loading

I noticed now that caching won't work if we sign the plugin files

https://github.com/tauri-apps/tauri/blob/dev/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs#L88

It will redownlod them each time we bundle.
maybe we should cache them in directory derived from the URL

@amrbashir
Copy link
Member

@thewh1teagle then we should copy them next to the generated installer.nsi and sign these copies instead.

@amrbashir amrbashir mentioned this pull request Dec 8, 2024
Closed
@lucasfernog lucasfernog changed the title fix: sign nsis plugin DLLs fix(bundler): sign DLLs Apr 13, 2025
@github-project-automation github-project-automation bot moved this to 📬Proposal in Roadmap Apr 13, 2025
lucasfernog
lucasfernog approved these changes Apr 13, 2025
View reviewed changes
Copy link
Member
@lucasfernog lucasfernog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

@lucasfernog lucasfernog merged commit 8d994f6 into tauri-apps:dev Apr 13, 2025
14 checks passed
@github-project-automation github-project-automation bot moved this from 📬Proposal to 🔎 In audit in Roadmap Apr 13, 2025
@github-actions github-actions bot mentioned this pull request Apr 13, 2025
Merged
@linguofeng
Copy link

#13341

linguofeng
linguofeng reviewed May 17, 2025
View reviewed changes
crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
@@ -650,6 +744,10 @@ fn generate_resource_data(settings: &Settings) -> crate::Result<ResourcesMap> {
}
added_resources.push(resource_path.clone());

if settings.can_sign() {
try_sign(&resource_path, settings)?;
Copy link
@linguofeng linguofeng May 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you already identified the code so are you open to creating a PR as well?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@linguofeng linguofeng linguofeng left review comments

@FabianLars FabianLars FabianLars left review comments

@amrbashir amrbashir amrbashir requested changes

@lucasfernog lucasfernog lucasfernog approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Roadmap
Status: 🔎 In audit
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[bug] nsis plugins aren't signed
5 participants
@thewh1teagle @amrbashir @linguofeng @lucasfernog @FabianLars
0