How can I sign the files using NSIS?

Question

How can I sign the files using NSIS?

We changed WIX installer to NSIS.

Earlier in the WIX installer it was used like as shown below in the .xml file to sign the files.

<property name="FileSigningDrive" location="${env.FILE_SIGNING}"/>

        <!--echo message="Signing Setup.exe ....." />
        <exec dir="${FileSigningDrive}\" 
              executable="${FileSigningDrive}\signcode.exe" failonerror="true">
          <arg value='-spc' />
          <arg value='mycredentials.spc' />
          <arg value='-v' />
          <arg value='testkey.pvk' />
          <arg value='-t' />
          <arg value='http://timestamp.verisign.com/scripts/timpstamp.dll' />
          <arg value='"${install}\RootCDDir\setup.exe"'  />
        </exec-->

Similarly, how to sign the files in NSIS?

Answer 1

You can sign the installer by executing a command of your choice with !finalize :

!finalize 'signcode -t http://example.com/timestamp "%1"' = 0 ; %1 is replaced by the install exe to be signed.

Signing the uninstaller is a bit annoying and requires you to generate the uninstaller and then signing it .

Answer 2

This is an update to @Anders answer.

From v3.08, you can straight away use !uninstfinalize to sign the uninstaller.

So now you can write your code like this.

!finalize 'signcode -t http://example.com/timestamp "%1"' = 0 ; %1 is replaced by the install exe to be signed.
!uninstfinalize 'signcode -t http://example.com/timestamp "%1"' = 0 ; %1 is replaced by the uninstaller exe to be signed.

Keep in mind that you must append = 0 at !finalize and !uninstfinalize . That will stop running both in parallel. Otherwise, the signtool.exe will fail because it can't run in parallel.