问题
When I open my installer(that I created using NSIS), the UAC dialog appears with information about my installer. The field Publisher is 'unknown'. I've heard of digitally signing the application, do you know how to do this in NSIS?
How can I set the field/attribute Publisher to "My Installer" or some other text?
I think the following code is supposed to set the Publisher field but it doesn't, it still remains 'unknown':
InstallDir "abc"
Name "def"
OutFile "def.exe"
VIProductVersion "1.0.0.0"
VIAddVersionKey ProductName "def"
VIAddVersionKey Comments "MY DESCRIPTION"
VIAddVersionKey CompanyName "My Installer"
VIAddVersionKey LegalCopyright "MY COMPANYNAME"
VIAddVersionKey FileDescription "MY DESCRIPTION"
VIAddVersionKey FileVersion 1
VIAddVersionKey ProductVersion 1
VIAddVersionKey InternalName "def"
VIAddVersionKey LegalTrademarks "PTY LTD"
VIAddVersionKey OriginalFilename "def.exe"
Section
DetailPrint "Hello World"
SectionEnd
回答1:
You would have to Authenticode sign the installer with a certificate authority trusted by windows (If you want to be part of Winqual then you need a special certificate and MS only allows you to use VeriSign) because that field is extracted from the digital certificate (if one exists) and not from the PE version information.
To sign as part of the build process you can use this hack, or if you are using the Unicode fork then you can use the !finalize command.
回答2:
To give some more details about that command, these are the lines I have used with version NSIS 3.03 with the !finalize command.
Important: You will need to provide the codesign certificate password inside passwd.txt file placed in same directory as your certificate.pfx file.
!define PRODUCT_NAME "def"
!define PRODUCT_VERSION "1.0.0.0"
!define OutputFileName "def.exe"
Name "${PRODUCT_NAME} ${PRODUCT_VERSION}"
OutFile "${OutputFileName}"
InstallDir "abc"
ShowInstDetails show
!define /file OutFileSignPassword ".\CodeSign\passwd.txt"
!define OutFileSignCertificate ".\CodeSign\certificate.pfx"
!define OutFileSignSHA1 ".\CodeSign\signtool.exe sign /f ${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha1 /t http://timestamp.comodoca.com /v"
!define OutFileSignSHA256 ".\CodeSign\signtool.exe sign /f ${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha256 /tr http://timestamp.comodoca.com?td=sha256 /td sha256 /as /v"
!finalize "PING -n 1 127.0.0.1 >nul" # Delay Next Step to ensure File isn't locked by previous Process
!finalize "${OutFileSignSHA1} .\${OutputFileName}" # CodeSigning with SHA1/AuthentiCode
!finalize "PING -n 5 127.0.0.1 >nul" # Delay Next Step to ensure File isn't locked by previous Process
!finalize "${OutFileSignSHA256} .\${OutputFileName}" # CodeSigning with SHA256/RFC 3161
CRCCheck on
Section
DetailPrint "Hello World"
SectionEnd
After that you will be able to see an output similar to these lines:
The following certificate was selected:
Issued to: Your Company
Issued by: COMODO RSA Code Signing CA
Expires: Sun Mar 15 00:59:59 2020
SHA1 hash: 0A12223C465069798D940317273C4F56A9BCC6D9
Done Adding Additional Store
Successfully signed: .\def.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
回答3:
It seems to be important to sign the installer file with two signatures, as svcabre implemented it:
Using both sha1 algorithm on the one hand
"c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"
sign /f "YourCertificateFileHere.pfx" /p YourPasswordHere
/fd sha1 /t http://timestamp.comodoca.com /v "YourInstallerFilePathHere"
and sha256 on the other hand
"c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"
sign /f "YourCertificateFileHere.pfx" /p YourPasswordHere
/fd sha256 /tr http://timestamp.comodoca.com?td=sha256
/td sha256 /as /v "YourInstallerFilePathHere"
With this option, also windows 10 showed the certificate holder correctly.
来源:https://stackoverflow.com/questions/10581570/setting-the-uac-publisher-field-for-a-nsis-installer