Windows NSIS option not signing app binary
Description
When I build a Wails app using the -nsis option, Wails signs the installer and uninstaller binaries, but not the other binaries (like my app). Is that expected?
To sign the uninstaller and installer, I use !uninstfinalize and !finalize as stated in the project.nsi, but I'm unable to sign the app binary itself.
To Reproduce
- Run wails build -platform windows/amd64 -nsis --clean
- Install the app
- Verify that the app that landed in your program files is not signed
Expected behaviour
To have a signed app binary
Screenshots
No response
Attempted Fixes
No response
System Details
# Wails
Version | v2.9.1
# System
┌────────────────────────────────────────────────────────────────────────────────────────┐
| OS | Windows 10 Enterprise |
| Version | 2009 (Build: 22631) |
| ID | 23H2 |
| Go Version | go1.23.0 |
| Platform | windows |
| Architecture | amd64 |
| CPU 1 | AMD EPYC 7502 32-Core Processor |
| CPU 2 | AMD EPYC 7502 32-Core Processor |
| CPU 3 | AMD EPYC 7502 32-Core Processor |
| GPU 1 | VMware Horizon Indirect Display Driver (VMware, Inc.) - Driver: 1.9.1.0 |
| GPU 2 | VMware SVGA 3D (VMware, Inc.) - Driver: 9.17.6.5 |
| Memory | 16GB |
└────────────────────────────────────────────────────────────────────────────────────────┘
# Dependencies
┌───────────────────────────────────────────────────────┐
| Dependency | Package Name | Status | Version |
| WebView2 | N/A | Installed | 128.0.2739.42 |
| Nodejs | N/A | Installed | 20.17.0 |
| npm | N/A | Installed | 10.8.2 |
| *upx | N/A | Available | |
| *nsis | N/A | Installed | v3.10 |
└─────────────── * - Optional Dependency ───────────────┘
# Diagnosis
Optional package(s) installation details:
- upx : Available at https://upx.github.io/
SUCCESS Your system is ready for Wails development!
♥ If Wails is useful to you or your company, please consider sponsoring the project:
Additional context
No response
What helped me is that I added the following in the generated project.nsi file:
!system 'signtool --file "..\..\bin\${INFO_PROJECTNAME}.exe"'
I placed this command just before the OutFile "..\..\bin\${INFO_PROJECTNAME}-${ARCH}-installer.exe" line is executed. Does this approach seem valid?
Given that both !uninstfinalize and !finalize are currently commented out, should we also consider commenting out the proposed signing step for the app binary?
Bumping this. Really important for prod apps.
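The "verify that the installed app is signed" step from the report can be scripted as a release check. The following is an added example, not part of the issue thread or of Wails itself; the default `.\build\bin` directory and the parameter names are assumptions.

```powershell
# Added example: fail the release if any shipped binary lacks a valid
# Authenticode signature. Parameter names and default path are assumptions.
param(
    # Directories to scan, e.g. the build output and the install directory.
    [string[]]$Directory = @('.\build\bin'),
    # Also require a timestamp countersignature, so the signature stays
    # verifiable after the signing certificate expires.
    [switch]$RequireTimestamp
)

$targets = @(Get-ChildItem -Path $Directory -Recurse -File -ErrorAction Stop |
    Where-Object { $_.Extension -in '.exe', '.dll' })

if ($targets.Count -eq 0) {
    Write-Error "No .exe or .dll files found under: $($Directory -join ', ')"
    exit 2
}

$results = foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $timestamped = [bool]$sig.TimeStamperCertificate
    [pscustomobject]@{
        File        = $file.FullName
        Status      = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Timestamped = $timestamped
        Signer      = $sig.SignerCertificate.Subject
        Ok          = ($sig.Status -eq 'Valid') -and
                      (-not $RequireTimestamp -or $timestamped)
    }
}

$results | Format-Table File, Status, Timestamped, Signer -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) binary(ies) failed the signature check."
    exit 1
}
exit 0
```

Run it against the build output before the installer is compiled and against the install directory after a test install. The second run catches an app binary that was packaged unsigned even though the installer and uninstaller pass.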