8

Currently I generate an installer for a program using NSIS on a Linux machine. The NSIS binaries have been compiled for Ubuntu, and using the .nsi script presents no difficulties. However, the resulting setup.exe file is unsigned. This results in scary warnings for our users who download the installer via most common web browsers, as well as warnings from Windows itself when run.

We'd like to avoid these warnings, and unless I'm missing something, that requires using a Windows tool to sign the generated setup.exe file. Is there a way to do this on a non-Windows machine?

Unfortunately, each installer is unique (different files are bundled depending on the customer's request, and a unique ID included) so I cannot sign the installer on a Windows machine and then upload it.

Thorn G

3 Answers

7

Your best choice is probably the use of: osslsigncode. Built easily for me (make sure to have the OpenSSL headers available). It may have difficulties with the kernel mode signing policy, though (embedding the parent certs up to the root) - so you may still have to resort to WINE in the end.

0xC0000022L
1

I had to do it a few weeks ago, without using wine. What I did was to import the pfx file into Windows and then export it with the "Include all certificates in the certificate path if possible" option. Then I followed the instructions on this page.

After you have all the certs (spc and pvk files) you should use the following command:

signcode -spc [spc file] -v [pvk file] -a sha1 -$ commercial -t http://timestamp.verisign.com/scripts/timstamp.dll -tr 10 [exe file to sign] 

I had to install the mono-devel package:

sudo apt-get install mono-devel

zenpoy
  • OpenSSL reports that `-pvk-strong` is an unknown option. I attempted omitting it, but I encounter an error when running `signcode`; it prompts for a passphrase. I assumed this would be the same one I used when exporting the certificate from Windows, but this does not work. Where am I going astray? – Thorn G Mar 05 '12 at 04:29
  • Turns out downloading the latest version of OpenSSL and building it got rid of that error. Dunno why Ubuntu doesn't have that in apt. :( – Thorn G Mar 05 '12 at 05:08
  • @Tom G: because they try to keep things stable. More so on the LTS release channel. Debian is even more conservative. – 0xC0000022L Apr 09 '12 at 00:14
0

Signing files for Windows uses Microsoft Authenticode signatures. There is a tool in the SDK that signs Executables and DLLs (signtool.exe). You might be able to run that using Wine.

It's also possible to sign files through Windows API calls - these functions might be implemented in Wine as well, but I sort of doubt it because Authenticode is only used and implemented by Microsoft (as far as I know).

However, this tool doesn't do very much - it basically appends the certificate and a signed timestamp at the end of the file. There might exist adaptations for Linux as well.

Here is a link to someone who got it working using signcode.

Chris
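The structure the last answer describes (a certificate block appended at the end of the file and referenced from the PE header's Certificate Table directory) is easy to check for from the Linux build box before the installer is uploaded. The script below is an added example, not code from this thread or from NSIS/osslsigncode: it parses the PE headers of a `setup.exe`, reports whether an Authenticode `WIN_CERTIFICATE` block is present and sane, and builds a constructed, non-executable minimal PE image purely to exercise the check. It only detects presence; validating the signature chain itself still needs a cryptographic verifier such as `osslsigncode verify`.

```python
import struct
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the Certificate Table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode = PKCS#7 SignedData

def authenticode_status(data):
    """Presence/header check only: the signature is NOT cryptographically validated."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                                     # 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                        # PE32
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                      # PE32+
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, ndirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"signed": False, "reason": "no Certificate Table directory"}
    # For this directory the 'VirtualAddress' field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False, "reason": "Certificate Table is empty (unsigned)"}
    if cert_size < 8 or cert_off + cert_size > len(data):
        return {"signed": False, "reason": "Certificate Table points outside the file"}
    length, rev, ctype = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE header
    if rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > cert_size:
        return {"signed": False, "reason": "malformed WIN_CERTIFICATE entry"}
    return {"signed": True, "offset": cert_off, "size": length}

def build_sample_pe(pkcs7=b""):
    """Constructed minimal PE32 image (not a runnable program), only to exercise the check."""
    opt = bytearray(224)                                      # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    body = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff
    cert = b""
    if pkcs7:                                                 # append a WIN_CERTIFICATE at EOF
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert += b"\0" * (-len(cert) % 8)                      # table entries are 8-byte aligned
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(body) + len(opt), len(cert))
    return body + bytes(opt) + cert
```

To check a real installer, call `authenticode_status(open("setup.exe", "rb").read())`; an `{"signed": False, ...}` result is the state that triggers the browser and SmartScreen warnings described in the question.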