fix(nsis): embed signed copies of stock plugins, not unsigned system DLLs #15422

Merged
Legend-Master merged 2 commits into tauri-apps:dev from koki-develop:fix/nsis-stock-plugins-embed-signed
May 23, 2026

Conversation

@koki-develop
Contributor

Summary

closes #14147

When an NSIS bundle is produced with signCommand configured, the stock plugin DLLs (NSISdl.dll, StartMenu.dll, System.dll, nsDialogs.dll) unpacked into $PLUGINSDIR at install time end up unsigned. PR #14627 made the sign step itself run, but the signed local copies were never embedded into the resulting setup.exe.

Root cause

When signCommand is enabled, the bundler copies the system NSIS plugins to <output>/Plugins/x86-unicode/ and signs them in place. However, installer.nsi only has an !addplugindir for the additional/ subdirectory — nothing points makensis at the directory holding the signed stock plugins. makensis therefore falls back to ${NSISDIR}/Plugins/<arch>/ and embeds the unsigned originals.

The signed local copies are never referenced by makensis, so the unsigned versions are what end up inside setup.exe.

Fix

  • installer.nsi: between !include "StrFunc.nsh" and ${StrCase}, add an !addplugindir for the signed plugin directory (gated on signing being enabled)
  • mod.rs: expose the matching signed_plugins_path template variable only when signing is enabled

Also: drop the NSISPLUGINS env line

Before launching makensis, mod.rs set nsis_cmd.env("NSISPLUGINS", plugins_path), but NSISPLUGINS is not an environment variable that NSIS recognizes. Grepping the entire NSIS-Dev/nsis source tree and running gh search code --owner NSIS-Dev 'NSISPLUGINS' both return zero hits — the line was a complete no-op.

The intent was presumably to communicate the local-copy plugin directory to makensis, but the proper route is now established by the !addplugindir change above, so this dead line is removed as well.

@koki-develop koki-develop force-pushed the fix/nsis-stock-plugins-embed-signed branch from b2b24f5 to bea3d5f Compare May 20, 2026 12:16
@koki-develop koki-develop marked this pull request as ready for review May 20, 2026 12:19
@koki-develop koki-develop requested a review from a team as a code owner May 20, 2026 12:20
@Legend-Master
Contributor

#14147 (comment) seems like the signing failed, not that they were not included?

@koki-develop-lot

koki-develop-lot commented May 22, 2026

@Legend-Master Thanks for taking a look.

You're right that #14147 itself is an issue about signing failing, and that part was resolved by #14627.

What this PR is targeting is a separate problem that's left over: #14627 made the signing step itself succeed, but those signed copies aren't on makensis' plugin search path, so as a result makensis falls back to the unsigned originals and embeds those instead.

PR #14627 made the sign step itself run, but the signed local copies were never embedded into the resulting setup.exe.

#15422 (comment)

@github-actions
Contributor

github-actions Bot commented May 22, 2026

Package Changes Through 8cf1e53

There is 1 change, which includes tauri-bundler with patch

Planned Package Versions

The following package releases are planned based on the context of changes in this pull request.

package current next
tauri-bundler 2.9.2 2.9.3
@tauri-apps/cli 2.11.2 2.11.3
tauri-cli 2.11.2 2.11.3

Read about change files or the docs at github.com/jbolda/covector

@Legend-Master
Contributor

Legend-Master commented May 22, 2026

cc @lucasfernog since you wrote the change to use this environment variable in 37b4ca1, I can't seem to find any references of NSISPLUGINS online 🤔

Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
@koki-develop
Contributor Author

koki-develop commented May 22, 2026

Just leaving the verification steps here for reference (on macOS).

Extract the plugin DLLs from a setup.exe built with signing enabled, and check the signature status of each DLL.

# extract plugin DLLs from setup.exe
7z x setup.exe -oextracted

# verify each DLL
for dll in extracted/\$PLUGINSDIR/*.dll; do
  echo "=== $(basename "$dll") ==="
  osslsigncode verify "$dll" 2>&1 | head -2
  echo # blank line between entries
done

Output:

=== nsis_tauri_utils.dll ===
****************:error:********:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:297:Verify error: self-signed certificate in certificate chain
PE checksum   : 0000C602

=== nsDialogs.dll ===
No signature found
Unable to extract existing signature

=== NSISdl.dll ===
No signature found
Unable to extract existing signature

=== StartMenu.dll ===
No signature found
Unable to extract existing signature

=== System.dll ===
No signature found
Unable to extract existing signature

Only nsis_tauri_utils.dll, copied from additional/, has the signed copy embedded — the stock plugins are still the unsigned originals from the system NSIS toolset.

(NOTE: the verify error: self-signed certificate in certificate chain on nsis_tauri_utils.dll just means macOS's local CA store doesn't include the root CA — the signature itself is present.)

Comment thread crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
Legend-Master previously approved these changes May 22, 2026
Contributor

@Legend-Master Legend-Master left a comment

Awesome work, thanks! Really appreciate the detailed answers!

Just a bit of nitpicks and we can merge this one

Comment thread crates/tauri-bundler/src/bundle/windows/nsis/installer.nsi Outdated
Contributor

@Legend-Master Legend-Master left a comment

Thanks!

@Legend-Master Legend-Master merged commit 2857c01 into tauri-apps:dev May 23, 2026
13 checks passed
Development

Successfully merging this pull request may close these issues.

[bug] nsis plugins not signed
