tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0

[bug] nsis plugins aren't signed #11673

Open thewh1teagle opened 1 week ago

thewh1teagle commented 1 week ago

Describe the bug

NSIS plugins inside the NSIS installer aren't signed with code signing even though I enabled code signing. The app, the DLLs and the installer were signed, but the DLLs inside $PLUGINSDIR are not signed. As a result, AVs flag them as a virus immediately.

Reproduction

1. Download sigcheckGUI: https://www.majorgeeks.com/mg/getmirror/sigcheckgui,1.html
2. Download https://github.com/thewh1teagle/vibe/releases/download/v2.6.6/vibe_2.6.6_x64-setup.exe
3. Extract the app with 7-Zip and check the signatures of the files.

Expected behavior

It should be signed by my certificate or by yours (official?)

Full tauri info output

https://github.com/thewh1teagle/vibe
https://github.com/thewh1teagle/vibe/commit/ff020aef26235169541a1ffcea9c0157e8df4311

[✔] Environment
    - node: 20.15.1
    - pnpm: 9.10.0
    - yarn: 1.22.22
    - npm: 10.7.0
    - bun: 1.1.18

[-] Packages
    - tauri 🦀: 2.1.0
    - tauri-build 🦀: 2.0.3
    - wry 🦀: 0.47.0
    - tao 🦀: 0.30.6
    - @tauri-apps/api : 2.1.0 (outdated, latest: 2.1.1)
    - @tauri-apps/cli : 2.1.0

[-] Plugins
    - tauri-plugin-updater 🦀: 2.0.2
    - @tauri-apps/plugin-updater : 2.0.0
    - tauri-plugin-shell 🦀: 2.0.2
    - @tauri-apps/plugin-shell : 2.0.1
    - tauri-plugin-store 🦀: 2.1.0
    - @tauri-apps/plugin-store : 2.1.0
    - tauri-plugin-process 🦀: 2.0.1
    - @tauri-apps/plugin-process : 2.0.0
    - tauri-plugin-window-state 🦀: 2.0.2
    - @tauri-apps/plugin-window-state : 2.0.0
    - tauri-plugin-deep-link 🦀: 2.0.1
    - @tauri-apps/plugin-deep-link : 2.0.0
    - tauri-plugin-fs 🦀: 2.0.3
    - @tauri-apps/plugin-fs : 2.0.2
    - tauri-plugin-single-instance 🦀: 2.0.1
    - @tauri-apps/plugin-single-instance : not installed!
    - tauri-plugin-os 🦀: 2.0.1
    - @tauri-apps/plugin-os : 2.0.0
    - tauri-plugin-http 🦀: 2.0.3
    - @tauri-apps/plugin-http : 2.0.0 (outdated, latest: 2.0.1)
    - tauri-plugin-dialog 🦀: 2.0.3
    - @tauri-apps/plugin-dialog : 2.0.1

[-] App
    - build-type: bundle
    - CSP: unset
    - frontendDist: ../dist
    - devUrl: http://localhost:1420/
    - framework: React
    - bundler: Vite

Stack trace

No response

Additional context

I noticed that VirusTotal flags the NSIS plugins as a virus. By the way, signing with a self-signed certificate is better than unsigned! Now Windows Defender didn't block it and VirusTotal has fewer false positives.

https://code.videolan.org/videolan/vlc/-/issues/27469
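
The signature check from the reproduction steps can also be scripted, for example in CI after extracting the installer. This is an added example, not part of the original issue or of Tauri's code: it reports which `.dll`/`.exe` files under an extracted directory have no embedded Authenticode certificate table (presence only, not validity). `sample_pe` and the bytes it builds are constructed for illustration.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_signature_blob(data: bytes) -> bool:
    """True if a PE image carries a non-empty certificate table.
    Presence only: this does not validate the signature or its chain."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe + 24  # 4-byte signature + 20-byte COFF file header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        if struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
            return False  # header declares too few data directories
        # For this directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or malformed PE header") from exc
    return size > 0 and 0 < offset <= len(data) - size

def scan(root) -> dict:
    """Map each .dll/.exe under root to 'signed', 'unsigned' or 'not-pe'."""
    result = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".dll", ".exe"):
            try:
                status = "signed" if has_signature_blob(path.read_bytes()) else "unsigned"
            except ValueError:
                status = "not-pe"
            result[path.relative_to(root).as_posix()] = status
    return result

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a runnable binary), for testing."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)       # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)      # optional header magic (PE32+)
    struct.pack_into("<I", img, 0x98 + 108, 16)   # NumberOfRvaAndSizes
    if signed:  # point the security directory at 8 placeholder bytes
        struct.pack_into("<II", img, 0x98 + 112 + 8 * SECURITY_DIR, 0x200, 8)
    return bytes(img) + (b"\0" * 8 if signed else b"")
```

Call `scan()` on the directory the installer was extracted into; any entry under `$PLUGINSDIR` reported as `unsigned` is a file the signing step missed.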