
fix(bundler): sign DLLs #11676

Merged
lucasfernog merged 18 commits into tauri-apps:dev from thewh1teagle:fix/nsis-sign-plugins
Apr 13, 2025


@thewh1teagle thewh1teagle commented Nov 13, 2024

Fix #11673

Now it's signed after bundling:

Log:

..\..\tauri\target\debug\cargo-tauri.exe bundle
    Signing D:\vibe\target\release\vibe.exe
    Signing D:\vibe\target\release\vibe.exe with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: D:\\vibe\\target\\release\\vibe.exe\r\r\n"
    Warn NSIS directory contains mis-hashed files. Redownloading them.
    Downloading https://github.com/tauri-apps/nsis-tauri-utils/releases/download/nsis_tauri_utils-v0.4.1/nsis_tauri_utils.dll
    Info validating hash
    Info Target: x64
    Info Signing NSIS plugins
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\NSISdl.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\NSISdl.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\NSISdl.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\StartMenu.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\StartMenu.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\StartMenu.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\System.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\System.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\System.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\nsDialogs.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-ansi\nsDialogs.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-ansi\\nsDialogs.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\NSISdl.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\NSISdl.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\NSISdl.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\StartMenu.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\StartMenu.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\StartMenu.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\System.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\System.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\System.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsDialogs.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsDialogs.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\nsDialogs.dll\r\r\n"
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsis_tauri_utils.dll
    Signing C:\Users\User\AppData\Local\tauri\NSIS\Plugins\x86-unicode\nsis_tauri_utils.dll with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: C:\\Users\\User\\AppData\\Local\\tauri\\NSIS\\Plugins\\x86-unicode\\nsis_tauri_utils.dll\r\r\n"
    Running makensis.exe to produce D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe
Done Adding Additional Store
Successfully signed: C:\Users\User\AppData\Local\Temp\nst3640.tmp
    Signing D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe
    Signing D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe with identity "45DCFF335BB538C58489BD03BF167D29DDA53110"
    Info "Done Adding Additional Store\r\nSuccessfully signed: D:\\vibe\\target\\release\\bundle/nsis/vibe_2.6.6_x64-setup.exe\r\r\n"
    Finished 1 bundle at:
        D:\vibe\target\release\bundle\nsis\vibe_2.6.6_x64-setup.exe

This can potentially fix some issues with #2486
Btw, I recommend that everyone always sign the exe, even with a self-signed certificate, instead of publishing unsigned binaries, which are usually flagged immediately as a virus by Windows AVs.

@thewh1teagle thewh1teagle requested a review from a team as a code owner November 13, 2024 13:39

github-actions bot commented Nov 13, 2024

Package Changes Through c3c091b

There are 8 changes which include @tauri-apps/api with minor, tauri with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri-utils with minor, tauri-bundler with minor, tauri-runtime with minor, tauri-runtime-wry with minor

Planned Package Versions

The following package releases are planned based on the context of changes in this pull request.

| package | current | next |
| --- | --- | --- |
| @tauri-apps/api | 2.4.1 | 2.5.0 |
| tauri-utils | 2.3.1 | 2.4.0 |
| tauri-bundler | 2.3.1 | 2.4.0 |
| tauri-runtime | 2.5.1 | 2.6.0 |
| tauri-runtime-wry | 2.5.1 | 2.6.0 |
| tauri-codegen | 2.1.1 | 2.1.2 |
| tauri-macros | 2.1.1 | 2.1.2 |
| tauri-plugin | 2.1.1 | 2.1.2 |
| tauri-build | 2.1.1 | 2.1.2 |
| tauri | 2.4.1 | 2.5.0 |
| @tauri-apps/cli | 2.4.1 | 2.5.0 |
| tauri-cli | 2.4.1 | 2.5.0 |

Add another change file through the GitHub UI by following this link.


Read about change files or the docs at github.com/jbolda/covector

@thewh1teagle thewh1teagle force-pushed the fix/nsis-sign-plugins branch 2 times, most recently from 2821708 to 07f64cf Compare November 13, 2024 14:07
Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs Outdated

@amrbashir amrbashir left a comment


Could you also add a change file in .changes directory?

Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs Outdated
Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs Outdated
@thewh1teagle

Updated

Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs Outdated

thewh1teagle commented Dec 2, 2024

Just a reminder. I still get many false positive detections and I believe that should fix most of them. Hope you can merge it soon.

Update: that's what I do meanwhile:

# Import certificate
[IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE))
Import-PfxCertificate -Exportable -FilePath "cert.pfx" -CertStoreLocation 'cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)

# Sign resources
$signtoolPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\" -Filter "signtool.exe" -Recurse | Where-Object FullName -like "*\x64\signtool.exe" | Select-Object -First 1).FullName
&$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 desktop\src-tauri\ffmpeg\bin\x64\*
# Sign nsis plugin DLLs
Get-ChildItem -Path "$env:LOCALAPPDATA\tauri\NSIS\Plugins" -Filter '*.dll' -Recurse | ForEach-Object { 
    &$signtoolPath sign /f cert.pfx /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName
}


thewh1teagle commented Dec 5, 2024

I noticed now that caching won't work if we sign the plugin files

https://github.com/tauri-apps/tauri/blob/dev/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs#L88

It will redownload them each time we bundle.
Maybe we should cache them in a directory derived from the URL.

@amrbashir

@thewh1teagle then we should copy them next to the generated installer.nsi and sign these copies instead.
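
The caching problem raised above and the copy-then-sign approach suggested in reply, as an added example that is not the bundler's own code. `digest`, `fake_sign` and `stage_and_sign` are hypothetical names; `DefaultHasher` and the appended marker are stand-ins for the real download hash and Authenticode signature.

```rust
use std::{collections::hash_map::DefaultHasher, env, fs, io, process};
use std::{hash::{Hash, Hasher}, path::{Path, PathBuf}};

// Stand-in for the bundler's download hash check (assumption: not a cryptographic hash).
fn digest(path: &Path) -> io::Result<u64> {
    let mut h = DefaultHasher::new();
    fs::read(path)?.hash(&mut h);
    Ok(h.finish())
}

// Stand-in for code signing: like a real signature, it changes the file's bytes.
fn fake_sign(path: &Path) -> io::Result<()> {
    let mut bytes = fs::read(path)?;
    bytes.extend_from_slice(b"<constructed-signature>");
    fs::write(path, bytes)
}

// Copy each cached plugin DLL into `staging` and sign only the copy.
fn stage_and_sign(cache: &Path, staging: &Path) -> io::Result<Vec<PathBuf>> {
    fs::create_dir_all(staging)?;
    let mut signed = Vec::new();
    for entry in fs::read_dir(cache)? {
        let src = entry?.path();
        if src.extension().map_or(false, |e| e == "dll") {
            let dst = staging.join(src.file_name().unwrap());
            fs::copy(&src, &dst)?;
            fake_sign(&dst)?;
            signed.push(dst);
        }
    }
    Ok(signed)
}

// Returns (cache hash still matches after in-place signing, after sign-the-copy).
fn demo() -> io::Result<(bool, bool)> {
    let root = env::temp_dir().join(format!("nsis-sign-demo-{}", process::id()));
    let (cache, staging) = (root.join("cache"), root.join("staging"));
    fs::create_dir_all(&cache)?;
    let plugin = cache.join("plugin.dll");
    fs::write(&plugin, b"constructed plugin bytes")?;
    let expected = digest(&plugin)?; // hash recorded at download time
    let copies = stage_and_sign(&cache, &staging)?;
    let copy_ok = copies.len() == 1 && digest(&plugin)? == expected;
    fake_sign(&plugin)?; // what signing the cached file directly does
    let in_place_ok = digest(&plugin)? == expected;
    fs::remove_dir_all(&root)?;
    Ok((in_place_ok, copy_ok))
}

fn main() { println!("{:?}", demo()); }
```

Signing the cached file in place is what produces the "mis-hashed files. Redownloading them." warning seen in the log on the next run; signing staged copies leaves the cache hash intact.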

@lucasfernog lucasfernog changed the title fix: sign nsis plugin DLLs fix(bundler): sign DLLs Apr 13, 2025
@github-project-automation github-project-automation bot moved this to 📬Proposal in Roadmap Apr 13, 2025

@lucasfernog lucasfernog left a comment


thank you!

@lucasfernog lucasfernog merged commit 8d994f6 into tauri-apps:dev Apr 13, 2025
14 checks passed
@github-project-automation github-project-automation bot moved this from 📬Proposal to 🔎 In audit in Roadmap Apr 13, 2025
@linguofeng

#13341

added_resources.push(resource_path.clone());

if settings.can_sign() {
try_sign(&resource_path, settings)?;
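
Review bot: `try_sign(&resource_path, settings)?` runs for every path pushed to `added_resources`, and nothing in these lines restricts it to files that can carry a signature. If a resource is not a signable binary, the `?` turns that signing error into a failed bundle. Consider checking the file type before calling `try_sign`, or skipping with a warning when a resource cannot be signed, and add a comment stating whether `resource_path` is the user's source file or a staged copy.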

@linguofeng linguofeng May 17, 2025


...

Member


you already identified the code so are you open to creating a PR as well?



Projects

Status: 🔎 In audit

Development

Successfully merging this pull request may close these issues.

[bug] nsis plugins aren't signed

5 participants