Signing an Uninstaller: Difference between revisions

From NSIS Wiki
Jump to navigationJump to search
No edit summary
No edit summary
Line 4: Line 4:


The answer is to run the installer on the development machine in a special mode which *only* writes the uninstaller to some known location, then sign that binary in the usual way, and finally package the signed uninstaller using a normal File command rather than WriteUninstaller.
The answer is to run the installer on the development machine in a special mode which *only* writes the uninstaller to some known location, then sign that binary in the usual way, and finally package the signed uninstaller using a normal File command rather than WriteUninstaller.
<highlight-nsis>
!ifdef INNER
  !echo "Inner invocation"                  ; just to see what's going on
  OutFile "$%TEMP%\tempinstaller.exe"      ; not really important where this is
  SetCompress off                          ; for speed
!else
  !echo "Outer invocation"
  !system "$\"${NSISDIR}\makensis$\" /DINNER <name_of_script>.nsi" = 0
  !system "$%TEMP%\tempinstaller.exe /z" = 2
  !system "SIGNCODE <signing options> $%TEMP%\uninstaller.exe" = 0
  OutFile "my_real_installer.exe"
  SetCompressor /SOLID lzma
!endif
...
Function .onInit
!ifdef INNER
  WriteUninstaller "$%TEMP%\uninstaller.exe"
  Quit  ; just bail out quickly when running the "inner" installer
!endif
...[the rest of your normal .onInit]...
FunctionEnd
...
Section "Files" ; or whatever
...
  ; where you would normally put WriteUninstaller ${INSTDIR}\uninstaller.exe put instead:
!ifndef INNER
  SetOutPath $INSTDIR
  File $%TEMP%\uninstaller.exe
!endif
...
SectionEnd
!ifdef INNER
Section "Uninstall"
  ; your normal uninstaller section or sections (they're not needed in the "outer" installer
SectionEnd
!endif
</highlight-nsis>

Revision as of 16:57, 19 April 2007

Especially under Windows Vista, installer/uninstaller binaries need to be signed to avoid alarming looking dialog boxes with dire warnings about "unknown publishers" etc.

This presents a difficulty in that the uninstaller binary would normally never be present on your development/packaging machine, only being written onto the target machine at install time. So how can you sign it?

The answer is to run the installer on the development machine in a special mode which *only* writes the uninstaller to some known location, then sign that binary in the usual way, and finally package the signed uninstaller using a normal File command rather than WriteUninstaller.

!ifdef INNER
  !echo "Inner invocation"                  ; just to see what's going on
  OutFile "$%TEMP%\tempinstaller.exe"       ; not really important where this is
  SetCompress off                           ; for speed
!else
  !echo "Outer invocation"
  !system "$\"${NSISDIR}\makensis$\" /DINNER <name_of_script>.nsi" = 0
  !system "$%TEMP%\tempinstaller.exe /z" = 2
  !system "SIGNCODE <signing options> $%TEMP%\uninstaller.exe" = 0
  OutFile "my_real_installer.exe"
  SetCompressor /SOLID lzma
!endif
 
...
 
Function .onInit
!ifdef INNER
  WriteUninstaller "$%TEMP%\uninstaller.exe"
  Quit  ; just bail out quickly when running the "inner" installer
!endif
 
...[the rest of your normal .onInit]...
FunctionEnd
 
...
 
Section "Files" ; or whatever
 
...
 
  ; where you would normally put WriteUninstaller ${INSTDIR}\uninstaller.exe put instead:
 
!ifndef INNER
  SetOutPath $INSTDIR
  File $%TEMP%\uninstaller.exe
!endif
 
...
SectionEnd
 
!ifdef INNER
Section "Uninstall"
 
  ; your normal uninstaller section or sections (they're not needed in the "outer" installer
 
SectionEnd
!endif