Another naive question about code signing

Graham Samuel livfoss at mac.com
Sun Jan 15 12:53:16 EST 2017


I’m just using Innosetup on its own, under Windows 7. This works fine, in the sense that all the installers I’ve ever created do exactly what I want them to do (apart from launching the program immediately after installation, which I’ve had to switch off). My problem comes with the code signing part. My ambition is that the installer should work without a single squawk from either Windows or the installed virus checker (in my case Norton, but who knows what the purchasers of the app will be using?). I just have not got that far, but maybe it isn’t possible.

Of course I will now look at InstallGadget and maybe that will solve my problem.

Graham

> On 15 Jan 2017, at 18:06, Matthias Rebbe via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> Graham,
> 
> which installer are you using?
> 
> I am using a tool from Monte called InstallGadget. This tool uses the free Innosetup under the hood and allows you to create installers by drag and drop.
> As this tool is quite old, I updated the Innosetup stuff inside the InstallGadget folder.
> 
> So in case you are using another installer than Innosetup, give Innosetup a try.
> 
> 
> Matthias Rebbe
> Bramkampsieke 13
> 32312 Lübbecke
> Tel	+49 5741 310000
>    	+49 160 5504462
> Fax: +49 5741 310002
> eMail: matthias at m-r-d.de
> 
> BR5 Konverter - BR5 -> MP3 <http://matthiasrebbe.eu/portfolio/produkte/brx/>
>> On 15.01.2017 at 17:39, Graham Samuel via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> Matthias, I took your advice. I don’t use tsnet so that wasn’t a difficulty for me. So what I did was to sign the standalone (this was Windows, so it was a .exe file), then create the installer and sign that. I used Ksign for these processes.
>> 
>> I then went through the process of downloading and running the installer and was disappointed to see a few warnings, both from Windows and from Norton, concerning the installer. Eventually I did the install and started the program itself, and Windows did report that it was from a trusted publisher.
>> 
>> Is this the best that I can get, or have I missed a step somewhere? Where I’m at at the moment, I think the process could still scare users.
>> 
>> If you’ve got time perhaps you can clarify this for me further - I’d be grateful.
>> 
>> TIA
>> 
>> Graham
>> 
>>> On 14 Jan 2017, at 23:04, Matthias Rebbe via use-livecode <use-livecode at lists.runrev.com> wrote:
>>> 
>>> Graham,
>>> 
>>> first you have to sign the standalone with all externals. If you are using Ksign.exe then just add the folder, which contains the standalone and its subfolders, in Ksign.
>>> Please be aware that if your standalone makes use of the tsNet external, then you have to change the file attributes of tsnet.dll to be writable before you codesign it. Otherwise Ksign.exe will not be able to sign the tsnet.dll.
>>> tsnet.dll by default is read only. At least if the Windows standalone is created on Mac.
>>> 
>>> After you have signed the standalone and its externals, create the installer and codesign that exe again.
>>> 
>>> That's how I am doing it.
>>> 
>>> Regards,
>>> 
>>> Matthias
>>> 
>>> 
>>> 
>>>> On 14.01.2017 at 19:47, Graham Samuel via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>> 
>>>> Having taken a lot of advice from this list and after a delay getting certificates, I’m about to do some actual code signing for an app that has a Windows and a Mac version. I am so unsure about the process that I don’t understand whether I apply the process (let’s say with Ksign for Windows) to the installer or the app itself.
>>>> 
>>>> In my case the installer installs additional files apart from the executable (all neatly packaged up in the Mac version of course, but separate in the Windows one). Since an installer is itself executable, I suppose starting an installer will generate those irritating warnings (yes, I know, they are for my users’ benefit, but still…) - on that basis, should the installer be signed? Or should I codesign everything, executables, additional files (these can be stacks, which are in some sense executable) and the installer too? I think the latter, but I’m not sure.
>>>> 
>>>> This must be blindingly obvious to everyone else, but it is not easy to get a simple answer from the internet. Of course I will just do it and see what happens, but I would be glad to understand what ‘normal practice’ might be.
>>>> 
>>>> Graham
>>>> _______________________________________________
>>>> use-livecode mailing list
>>>> use-livecode at lists.runrev.com
>>>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>> 
>> 
>> 
> 
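
The order described in this thread (make read-only externals such as tsnet.dll writable, sign the standalone and its externals, build the installer, sign the installer) can be checked with a short PowerShell script. This is an added example, not part of the original messages; the parameter names are hypothetical, PowerShell 3.0 or later is assumed, and the signing itself is still done with your own tool (Ksign in the thread).

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
# -StandaloneDir, -InstallerPath and -Prepare are hypothetical parameter names.
param(
    [Parameter(Mandatory)] [string] $StandaloneDir,
    [string] $InstallerPath,      # optional: the built installer .exe
    [switch] $Prepare             # run before signing: clear read-only flags only
)

# Executables and externals under the standalone folder, subfolders included.
$binaries = @(Get-ChildItem -Path $StandaloneDir -Recurse -File -Include *.exe, *.dll)

if ($Prepare) {
    # A read-only DLL (the thread's tsnet.dll case) cannot be rewritten by the signer.
    foreach ($f in $binaries | Where-Object { $_.IsReadOnly }) {
        $f.IsReadOnly = $false
        Write-Output "made writable: $($f.FullName)"
    }
    return
}

# After signing: collect every binary, plus the installer if one was given.
$targets = @($binaries | ForEach-Object { $_.FullName })
if ($InstallerPath) { $targets += (Resolve-Path $InstallerPath).Path }

$report = foreach ($path in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Status = $sig.Status     # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        File   = $path
    }
}
$report | Format-Table -AutoSize

# Fail the build step if anything is unsigned or its signature does not verify.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Error "$($bad.Count) file(s) without a valid signature"
    exit 1
}
```

Run it once with -Prepare before signing, then again without it after the installer has been signed. A Valid status confirms the Authenticode signature only; it does not by itself decide whether Windows or an antivirus product shows a warning.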
