Compression interferes w/ Code Signing
We are new users of NSIS. We resisted switching from the builder included w/ Visual Studio for years – and now are left to wonder what took us so long to switch. NSIS is a fantastic Installation Builder! It took some time to learn our way around, but this system is proving itself to be a real winner.
We’ve encountered one MINOR issue. It’s could be our lack of familiarity with NSIS – but after studying the FAQ, the Forums & the Docs, we’re left wondering how others might have solved the issue.
Summary: We are unable to effectively Sign a Build & use Compression.
Details:
We’ve added a call to the Microsoft ‘signtool.exe’ as the very last statement of setup.nsi.
For example:
!system signtool.exe (parameters omitted) setup.exe
We’ve confirmed that this step executes as expected. But it would appear that the compression (selected with the ‘SelectCompressor’ directive) always runs as the last step of any compile. This makes sense of course as it ensures the highest compression – but by altering the Build AFTER it has been signed, the signature is no longer is valid.
What We Tried:
We checked around the various plug-ins, but none would seem to directly address this issue. We got excited when we saw the PostExec.nsh plugin (http://nsis.sourceforge.net/Run_Comm...er_Compilation), but it suffers from the same behavior describe above – that compression still runs as the last step of any compile.
We use the EclipseNSIS environment for generating our builds, so we thought perhaps it might be useful to explore what options the Eclipse IDE offered to address this. When the EclipeNSIS environment does have options for steps-before-compilation, it does not have options for steps-after-compilation. We thought of trying to alter the EclipseNSIS code to add this option – but realized this was not the best solution. It would mean always having todo the build from within Eclipse – which is not our regular coding environment.
Question:
So our question is simple. Is there a way to control WHEN compression happens in the build cycle? Or, is there a way to run a step AFTER the compression happens?
Of course we could just turn off compression – but we’d loose the benefit of a cool NSIS feature, and that would be sad. :(
Workarounds:
Of course we can just roll up a call to the signing tool in a batch file that 1st performs the compile, then signs the build (which is what we are now doing) – but we wanted to post to the forum to see if others might have a more elegant solution. Feel free to suggest RTFM – but if one could point us to the appropriate ‘M’ we’d appreciate it :D
Considering the tremendous number of problems we’ve now solved with this exceptional tool – we consider this a minor issue. But just wanted to check in.