Setting the UAC 'Publisher' Field for a NSIS Installer

To give some more details about that command, these are the lines I have used with version NSIS 3.03 with the !finalize command.

Important: You will need to provide the codesign certificate password inside passwd.txt file placed in same directory as your certificate.pfx file.

!define PRODUCT_NAME "def"
!define PRODUCT_VERSION "1.0.0.0"
!define OutputFileName "def.exe"

Name "${PRODUCT_NAME} ${PRODUCT_VERSION}"
OutFile "${OutputFileName}"
InstallDir "abc"
ShowInstDetails show

!define /file OutFileSignPassword ".\CodeSign\passwd.txt"
!define OutFileSignCertificate ".\CodeSign\certificate.pfx"
!define OutFileSignSHA1   ".\CodeSign\signtool.exe sign /f ${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha1   /t  http://timestamp.comodoca.com /v" 
!define OutFileSignSHA256 ".\CodeSign\signtool.exe sign /f ${OutFileSignCertificate} /p ${OutFileSignPassword} /fd sha256 /tr http://timestamp.comodoca.com?td=sha256 /td sha256 /as /v" 

!finalize "PING -n 1 127.0.0.1 >nul"                                # Delay Next Step to ensure File isn't locked by previous Process 
!finalize "${OutFileSignSHA1} .\${OutputFileName}"                  # CodeSigning with SHA1/AuthentiCode 
!finalize "PING -n 5 127.0.0.1 >nul"                                # Delay Next Step to ensure File isn't locked by previous Process 
!finalize "${OutFileSignSHA256} .\${OutputFileName}"                # CodeSigning with SHA256/RFC 3161  

CRCCheck on

Section
    DetailPrint "Hello World"
SectionEnd

After that you will be able to see an output similar to these lines:

The following certificate was selected:
    Issued to: Your Company
    Issued by: COMODO RSA Code Signing CA
    Expires:   Sun Mar 15 00:59:59 2020
    SHA1 hash: 0A12223C465069798D940317273C4F56A9BCC6D9

Done Adding Additional Store
Successfully signed: .\def.exe

Number of files successfully Signed: 1

Number of warnings: 0

Number of errors: 0

It seems to be important to sign the installer file with two signatures, as svcabre implemented it:

Using both sha1 algorithm on the one hand

"c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"
sign /f "YourCertificateFileHere.pfx" /p YourPasswordHere 
/fd sha1 /t http://timestamp.comodoca.com /v "YourInstallerFilePathHere"

and sha256 on the other hand

"c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" 
sign /f "YourCertificateFileHere.pfx" /p YourPasswordHere 
/fd sha256 /tr http://timestamp.comodoca.com?td=sha256 
/td sha256 /as /v "YourInstallerFilePathHere"

With this option, also windows 10 showed the certificate holder correctly.


You would have to Authenticode sign the installer with a certificate authority trusted by Windows (If you want to be part of Winqual then you need a special certificate and MS only allows you to use VeriSign) because that field is extracted from the digital certificate (if one exists) and not from the PE version information.

To sign as part of the build process you can use this hack, or if you are using NSIS v3 then you can use the !finalize command.

Tags:

Uac

Nsis