wailsapp / wails

Create beautiful applications using Go
https://wails.io
MIT License

Windows NSIS option not signing app binary #3716

Open sstojak1 opened 2 months ago

sstojak1 commented 2 months ago

Description

When I build a Wails app using the -nsis option, Wails signs the installer and uninstaller binaries, but not the other binaries (like my app). Is that expected?

To sign the uninstaller and installer, I use !uninstfinalize and !finalize as stated in the project.nsi, but I'm unable to sign the app binary itself.

To Reproduce

  1. Run wails build -platform windows/amd64 -nsis --clean
  2. Install the app
  3. Verify that the app that landed in your program files is not signed

Expected behaviour

To have a signed app binary

Screenshots

No response

Attempted Fixes

No response

System Details

# Wails
Version | v2.9.1

# System
┌────────────────────────────────────────────────────────────────────────────────────────┐
| OS           | Windows 10 Enterprise                                                   |
| Version      | 2009 (Build: 22631)                                                     |
| ID           | 23H2                                                                    |
| Go Version   | go1.23.0                                                                |
| Platform     | windows                                                                 |
| Architecture | amd64                                                                   |
| CPU 1        | AMD EPYC 7502 32-Core Processor                                         |
| CPU 2        | AMD EPYC 7502 32-Core Processor                                         |
| CPU 3        | AMD EPYC 7502 32-Core Processor                                         |
| GPU 1        | VMware Horizon Indirect Display Driver (VMware, Inc.) - Driver: 1.9.1.0 |
| GPU 2        | VMware SVGA 3D (VMware, Inc.) - Driver: 9.17.6.5                        |
| Memory       | 16GB                                                                    |
└────────────────────────────────────────────────────────────────────────────────────────┘

# Dependencies
┌───────────────────────────────────────────────────────┐
| Dependency | Package Name | Status    | Version       |
| WebView2   | N/A          | Installed | 128.0.2739.42 |
| Nodejs     | N/A          | Installed | 20.17.0       |
| npm        | N/A          | Installed | 10.8.2        |
| *upx       | N/A          | Available |               |
| *nsis      | N/A          | Installed | v3.10         |
└─────────────── * - Optional Dependency ───────────────┘

# Diagnosis
Optional package(s) installation details:
  - upx : Available at https://upx.github.io/

SUCCESS  Your system is ready for Wails development!

♥   If Wails is useful to you or your company, please consider sponsoring the project:

Additional context

No response
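The check in step 3 of the reproduction can be automated in a build pipeline. The following is an added example, not code from Wails or from the issue author: a small Go tool that reports whether each PE file passed on the command line embeds an Authenticode certificate table, so an unsigned app binary shipped inside a signed installer is caught. It tests presence only and does not validate the signature or its certificate chain; `HasCertTable` is a name chosen for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// certTableIndex is IMAGE_DIRECTORY_ENTRY_SECURITY, the data directory slot
// that locates the embedded Authenticode signature.
const certTableIndex = 4

// HasCertTable reports whether a PE image embeds a certificate table.
// Presence only: it does not validate the signature or its chain.
func HasCertTable(img []byte) (bool, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return false, errors.New("missing MZ header")
	}
	pe := uint64(binary.LittleEndian.Uint32(img[0x3c:])) // e_lfanew
	opt := pe + 24                                       // PE signature (4) + COFF header (20)
	if uint64(len(img)) < opt+2 || string(img[pe:pe+4]) != "PE\x00\x00" {
		return false, errors.New("missing PE signature")
	}
	// Offset of the data directories: 96 for PE32, 112 for PE32+.
	dirs, ok := map[uint16]uint64{0x10b: 96, 0x20b: 112}[binary.LittleEndian.Uint16(img[opt:])]
	entry := opt + dirs + certTableIndex*8
	if !ok || uint64(len(img)) < entry+8 {
		return false, errors.New("unknown or truncated optional header")
	}
	count := binary.LittleEndian.Uint32(img[opt+dirs-4:]) // NumberOfRvaAndSizes
	off := binary.LittleEndian.Uint32(img[entry:])        // file offset, not an RVA
	size := binary.LittleEndian.Uint32(img[entry+4:])
	return count > certTableIndex && off != 0 && size != 0, nil
}

func main() {
	exit := 0
	for _, path := range os.Args[1:] { // app binary, installer, uninstaller
		img, err := os.ReadFile(path)
		ok := false
		if err == nil {
			ok, err = HasCertTable(img)
		}
		if !ok {
			exit = 1 // fail the build step if any file is unsigned
		}
		fmt.Printf("signed=%-5v %s %v\n", ok, path, err)
	}
	os.Exit(exit)
}
```

Run it against the installed app binary as well as the installer; a non-zero exit code means at least one file has no embedded signature.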

sstojak1 commented 2 months ago

What helped me is that I added the following in the generated project.nsi file: !system 'signtool --file "..\..\bin\${INFO_PROJECTNAME}.exe"'

I placed this command just before the OutFile "..\..\bin\${INFO_PROJECTNAME}-${ARCH}-installer.exe" line is executed. Does this approach seem valid?

Given that both !uninstfinalize and !finalize are currently commented out, should we also consider commenting out the proposed signing step for the app binary?

oliexe commented 2 months ago

Bumping this. Really important for prod apps.