cryptomator / cryptomator-win

Cryptomator .exe installer for Windows
GNU General Public License v3.0

Sign binaries before packaging the installer #5

Closed overheadhunter closed 6 years ago

overheadhunter commented 7 years ago

Currently only the installer is signed. We want to sign every binary during installer creation.

overheadhunter commented 7 years ago

  1. add to iss file:

    [Setup]
    SignTool=default sign /sha1 BAF9137F110811A5251BEB9BD6A929C2CC73E19C /tr http://timestamp.comodoca.com /v /fd sha256 $f

  2. replace all javafx variables in the .iss file

  3. change ant task inside pom.xml to only create the install dir:

    <fx:deploy nativeBundles="image" ...>

  4. add new ant task to:

    • copy files (full-license.rtf, setup-icon.bmp) to output dir
    • cd to output dir
    • invoke iscc.exe foo.iss "/Sdefault=signtool $p"

  5. write rage post why Inno Setup forces the user to add the /S param...

jasperweiss commented 6 years ago

Can I just point out that installed binaries still aren't signed?

overheadhunter commented 6 years ago

We found out that only the uninstaller got signed. We added code signing to Cryptomator.exe in commit bfcb233 on 2017-11-29, one day after the release of 1.3.3. 🙈

Should be correct in the next version.
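
A build gate for the gap this thread describes, where the uninstaller was signed but the installed Cryptomator.exe was not. This is an added example, not part of the issue or the project's build. The function names and the sample PE bytes are constructed, and the check covers only whether an Authenticode certificate table is present, not whether the signature validates.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_embedded_signature(data: bytes) -> bool:
    """True if the PE image has a non-empty certificate table (presence only, not validity)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe + 24                                         # skip signature + COFF header
    try:
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)      # start of data directories
        if struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
            return False
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except struct.error:
        raise ValueError("truncated PE header") from None
    # For this directory the first field is a file offset, not an RVA.
    return size > 0 and 0 < offset and offset + size <= len(data)

def unsigned_binaries(root, suffixes=(".exe", ".dll")):
    """Relative paths of binaries under root that lack an embedded signature."""
    root, missing = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                signed = has_embedded_signature(path.read_bytes())
            except ValueError:
                signed = False                            # unparseable: fail closed
            if not signed:
                missing.append(path.relative_to(root).as_posix())
    return missing

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a runnable program."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    img = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20) + opt)
    if signed:
        struct.pack_into("<II", img, 0x58 + 112 + 8 * SECURITY_DIR, len(img), 8)
        img += bytes(8)                                   # stand-in for the WIN_CERTIFICATE blob
    return bytes(img)
```

Run `unsigned_binaries` against the install directory after the signing step and before invoking iscc.exe, and fail the build if the returned list is not empty.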