Security enhancement: Sign uninstall.exe

Fix #4120, fix #5806, fix #4443, close #14087
2023-09-03 13:14:52 +05:30 · 2023-09-03 13:14:52 +05:30 · 4476432d0b
parent 06a2c6f377
commit 4476432d0b
3 changed files with 23 additions and 8 deletions
--- a/PowerEditor/installer/nppSetup.nsi
+++ b/PowerEditor/installer/nppSetup.nsi
@ -43,6 +43,10 @@ OutFile ".\build\npp.${APPVERSION}.Installer.arm64.exe"
 OutFile ".\build\npp.${APPVERSION}.Installer.exe"
 !endif

+; Sign both installer and uninstaller
+!finalize        'sign-installers.bat "%1"' = 0     ; %1 is replaced by the installer exe to be signed.
+!uninstfinalize  'sign-installers.bat "%1"' = 0     ; %1 is replaced by the uninstaller exe to be signed.
+
 ; ------------------------------------------------------------------------
 ; Version Information
   VIProductVersion	"${Version}"
--- a/PowerEditor/installer/packageAll.bat
+++ b/PowerEditor/installer/packageAll.bat
@ -542,14 +542,6 @@ ren npp.portable.minimalist.7z !7zvarMin!
 ren npp.portable.minimalist.x64.7z !7zvarMin64!
 ren npp.portable.minimalist.arm64.7z !7zvarMinArm64!

-if %SIGN% == 0 goto NoSignInstaller
-%signBinary% !nppInstallerVar!
-If ErrorLevel 1 goto End
-%signBinary% !nppInstallerVar64!
-If ErrorLevel 1 goto End
-%signArmBinary% !nppInstallerVarArm64!
-If ErrorLevel 1 goto End
-:NoSignInstaller

 cd ..

--- a/PowerEditor/installer/sign-installers.bat
+++ b/PowerEditor/installer/sign-installers.bat
@ -0,0 +1,19 @@
+@ECHO OFF
+
+if [%SIGN%] == [] goto NoSignInstaller
+if not %SIGN% == 1 goto NoSignInstaller
+
+ECHO Start signing file: %1
+%signBinary% "%1"
+
+if errorlevel 1 goto SigningFailed
+goto SigningOK
+
+:SigningFailed
+echo Failed to sign file %1
+exit 1
+
+:NoSignInstaller
+ECHO Signing skipped for file: %1
+
+:SigningOK