What happens when I code-sign an installation?



David Webber
06-22-2007, 03:47 AM
I have a couple of .sb6 projects:

a) a full installation of my software which installs a .exe and a few .dll files and assorted other stuff.

b) a service pack installer which patches the .exe and some of the .dlls and replaces others (which are less security-crucial)

I am planning to apply the code signature in both.

Question: does this change my own executable which is being installed, or does it change the installer program? [The information must be stored somewhere.]

If it changes my own program, how can I ensure that future patches will recognise the .exe as being a valid one which can be patched?

Dave

linder
06-22-2007, 04:03 AM
Dave,

If you use code-signing in your application, then this will change the binary contents of your application.

If you would like to use the built-in SetupBuilder feature to bulk code-sign your applications, I would suggest using a "dummy" project to handle this. Just create a "dummy" project using File | New | Blank Script... and use the "#code-sign application" compiler function to code-sign all required application files. Please ENABLE the "Permanent" option.

Do not use the "#code-sign application" function in your main script in this case!

Then, when you are ready to build a new installation, compile the "dummy" project first. This will code-sign all defined applications (permanently). Of course, you can also use the Microsoft tools to handle this! Make sure the files are not already code-signed from a previous compile. Otherwise the Microsoft Authenticode code-signing tools will fail.

The resulting modified files are the valid "previous" files if you build the next patch update.

Does this help?

Friedrich

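Dave asks where the signature "information" is stored, and Friedrich's answer is that signing changes the binary and that the signing tools fail on a file that is already signed. The script below, added here as an example and not code from the thread or from SetupBuilder, shows both points on a PE (.exe/.dll) file: it locates the attribute certificate table that Authenticode appends to the file (data directory entry 4 points at it, as a raw file offset), lists the WIN_CERTIFICATE entries, computes the digest Authenticode actually covers (which skips the CheckSum field, that directory entry and the certificate table), and strips an existing signature so a file can be signed again. The sample PE is constructed inside the script and contains no code; the 20-byte placeholder passed as a signature stands in for a real PKCS#7 SignedData blob and is not a valid signature. The digest routine is simplified (it hashes the file linearly rather than walking sections as Microsoft's specification does), which is correct for the headers-only sample but is an assumption for real images.

```python
"""Where an Authenticode signature lives in a PE file (added example; not
SetupBuilder code). Signing appends a WIN_CERTIFICATE blob to the file and
points IMAGE_DIRECTORY_ENTRY_SECURITY (entry 4) at it, so the signed file
differs from the one the compiler wrote. Sample PE bytes are constructed here."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _header_offsets(data: bytes):
    """Return (offset of CheckSum field, offset of security directory entry)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, num_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("header has no security directory entry")
    return opt + 64, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(data: bytes):
    """(file offset, size) of the certificate table, or None if unsigned.
    Unlike other directory entries this 'VirtualAddress' is a raw file offset."""
    _, entry = _header_offsets(data)
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size) if offset and size else None


def authenticode_blobs(data: bytes):
    """Walk the WIN_CERTIFICATE entries: [(revision, type, body)], [] if unsigned."""
    loc = security_directory(data)
    if loc is None:
        return []
    offset, size = loc
    end = offset + size
    if end > len(data):
        raise ValueError("security directory points past end of file")
    blobs = []
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or offset + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE header")
        blobs.append((revision, cert_type, data[offset + 8:offset + length]))
        offset += (length + 7) & ~7              # entries are 8-byte aligned
    return blobs


def is_signed(data: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in authenticode_blobs(data))


def authenticode_digest(data: bytes, algo: str = "sha256") -> bytes:
    """Digest over what Authenticode signs: CheckSum, the security directory
    entry and the certificate table are skipped. Simplified (linear hash, no
    section walk); exact only for images laid out contiguously like the sample."""
    checksum_off, entry = _header_offsets(data)
    loc = security_directory(data)
    stop = loc[0] if loc else len(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:entry])
    h.update(data[entry + 8:stop])
    return h.digest()


def strip_signature(data: bytes) -> bytes:
    """Remove an existing signature so the file can be signed again (the thread
    warns that signing an already signed file makes the tools fail). Only
    handles the normal layout where the certificate table is the file's tail."""
    loc = security_directory(data)
    if loc is None:
        return data
    offset, size = loc
    if offset + size != len(data):
        raise ValueError("certificate table is not at end of file; refusing to strip")
    out = bytearray(data[:offset])
    struct.pack_into("<II", out, _header_offsets(data)[1], 0, 0)
    return bytes(out)


def build_sample_pe(signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers only, no sections). A non-empty
    `signature` is wrapped in a WIN_CERTIFICATE and appended the way signtool
    appends the real PKCS#7 SignedData."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (e_lfanew - 6) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    image += b"\0" * (512 - len(image))                             # pad to 512 bytes
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        cert += b"\0" * (-len(cert) % 8)
        entry = e_lfanew + 24 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)
```

`is_signed(open(path, "rb").read())` answers Friedrich's "is it already signed?" question for a real file before a build; `build_sample_pe()` and `build_sample_pe(b"\x30\x82" + b"\xaa" * 18)` differ in plain SHA-256 but give the same `authenticode_digest`, which is exactly why a patch built against the unsigned output will not match the signed file users actually have. The parser only finds the signature; it does not validate the certificate chain. On Windows, `Get-AuthenticodeSignature file.exe` in PowerShell and `signtool verify /pa file.exe` do that.
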
David Webber
06-22-2007, 04:45 AM
Yes thanks, that helps a lot.

I already have a batch file which copies my .exe and .dll files from the folder where Visual Studio creates them, to the folder where they're included in the SetupBuilder installer-creation project.

If I can create a new stand-alone, code-signing project with SetupBuilder and use it from the command line, I can modify my batch file so it

copies the files across
signs the appropriate ones

I'll explore using SB6 from the command line - I think I read that it was possible?

Dave

linder
06-22-2007, 04:49 AM
Hi Dave,

Yes, absolutely no problem. SetupBuilder provides a command line compiler.

And there are even compiler functions to copy files during the compile (so no need to use a batch file to handle this part).

If there are any further questions, just ask :)

Friedrich

David Webber
06-22-2007, 05:13 AM
Ok I'll explore this.

But for now, just let me just check:

I have created the stand-alone code-signer project. It has one statement - a compiler directive to sign the existing .exe file.

This indeed happens! Magic! [When I look (using "properties" in Windows Explorer after compiling this project), I can see the signature in my .exe file.]

Am I right in thinking that the actual exe file which the SB6 compilation produces is completely surplus to requirements in this case (as everything I want to happen happens through the act of compiling)?

Dave

linder
06-22-2007, 05:20 AM
Dave,

Sorry, forgot to mention this.

Yes, the "dummy" project compiles an application. It's even a fully functional installer application that does not include any file. But you don't need this .exe.

Just add the following "#delete file..." compiler function and the compiler will automatically remove it:

#delete file "[OUTPUTDIR]\[EXENAME]" [Post-compile]

What do you think?

Friedrich

David Webber
06-22-2007, 06:00 AM

Great! - I had thought of doing that but wasn't sure it would be safe. Compiling something and telling the compiler to delete the compilation feels a little surreal (but I'm a great fan of surrealism) :-)

Changing the subject slightly:

I now have my files-to-be-installed (the EXE and a whole gaggle of DLLs) all code signed by compiling the stand-alone project which I will prevent from giving me an exe as above.

But going back to my original installer - the proper one which installs all these code-signed files - presumably I can code-sign the installer itself by code-signing its [OUTPUTDIR]\[EXENAME] (post-compile)?

Dave

linder
06-22-2007, 06:18 AM
Hi Dave,

Don't use [OUTPUTDIR]\[EXENAME] in your "real" installer :) Just in the "dummy" project.

Please use "General Information" -> "Digital Signature" to sign your installer. This will also code-sign the uninstall (important for Vista and Windows Server 2008 machines).

Does this help?

Friedrich

David Webber
06-22-2007, 06:29 AM
Brilliant! Thank you.

David Webber
06-24-2007, 03:35 AM
Just a coda:

I have a batch file which copies my .exe and lots of .dlls from the Visual Studio folder where they are compiled, to a folder used by SetupBuilder to create the installer.

I have appended to the batch file a line of the form

start /wait sbuilder.exe /c %projdir%\codesign10.sb6

where codesign10.sb6 is the project referred to above which just code-signs the copied files when it compiles and produces no installer.

They are now all ready to be used by the SB6 installer project proper.

This works a treat - I just wanted to say how impressed I am (oh yes, and to use the icon to say how "cool" this is) :-)

Dave

linder
06-24-2007, 08:47 AM
Dave,

Thank you so much for the good news and your kind words :) This is music to my ears ;)

BTW, we have added a new "#get file information" compiler directive now. This will be available in the next build, coming soon.

Thanks again,
Friedrich