Author Topic: Is the inno setup installer code signed?  (Read 3768 times)

Andyk

  • Jr. Member
  • **
  • Posts: 72
Is the inno setup installer code signed?
« on: November 21, 2023, 10:08:01 am »
As per the title, also is the inno script source available?

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11732
  • FPC developer.
Re: Is the inno setup installer code signed?
« Reply #1 on: November 21, 2023, 11:12:16 am »
Afaik not signed, but the .iss source is in the fpcbuild repo, and some instructions are in the release engineering topic in the wiki.

Andyk

  • Jr. Member
  • **
  • Posts: 72
Re: Is the inno setup installer code signed?
« Reply #2 on: November 21, 2023, 11:47:02 am »
I've had a good root around the various repositories and not found anything.

I was just wondering how the setup managed to avoid UAC on Windows.

Looks like they set privilegesrequired to lowest, but the installer in that case should be using program files in the user's profile {Autopf} and not putting the code in C:\lazarus.

Also the installer tries to put some files in windows\system32 which will not work without admin rights.




marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11732
  • FPC developer.
Re: Is the inno setup installer code signed?
« Reply #3 on: November 21, 2023, 12:12:57 pm »
Ok, my answer was for the FPC installer, not the lazarus one :-)


But the iss files for lazarus are in tools\install\win\*.iss and contain

Quote
; PrivilegesRequired=none means no-setting or default => admin needed
PrivilegesRequired=none

Program files is not read/write and some of the mingw and debugger tools don't function well with paths with spaces in them.

I see QT and openssl options storing to {sys}; are those the files that you see going into c:\windows?
« Last Edit: November 21, 2023, 12:16:51 pm by marcov »

Andyk

  • Jr. Member
  • **
  • Posts: 72
Re: Is the inno setup installer code signed?
« Reply #4 on: November 21, 2023, 12:37:46 pm »
Program files directory for single user is in user profile....

C:\Users\UserName\AppData\Local\Programs


This is the default directory used when {Autopf} is used in the setup script and no admin is required.

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11732
  • FPC developer.
Re: Is the inno setup installer code signed?
« Reply #5 on: November 21, 2023, 01:34:13 pm »
All folders there are read-only, and that could cause problems with updating. But give it a go and see if it works and you can rebuild the IDE.

(besides the fact that such directories are annoying and confusing, since the path is c:\users on the cmdline, while Windows Explorer localizes the dir and hides the original)


Andyk

  • Jr. Member
  • **
  • Posts: 72
Re: Is the inno setup installer code signed?
« Reply #6 on: November 21, 2023, 02:27:46 pm »
The folders are not read only, that is where user installed programs are supposed to go.

If you install programs from the Microsoft Store, that's where they go.

Open source programs like Python, Gimp, GNU Octave all install in the user profile.

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11732
  • FPC developer.
Re: Is the inno setup installer code signed?
« Reply #7 on: November 21, 2023, 03:20:35 pm »
Quote
The folders are not read only, that is where user installed programs are supposed to go.

I looked on two fairly fresh machines with win11, and all those dirs are readonly.

Quote
If you install programs from the Microsoft Store, that's where they go.

Such is pushed by MS since late XP times and stronger, Vista times. But that is not the question.

"Will it work in Lazarus' special case?" is the question.

Quote
Open source programs like Python, Gimp, GNU Octave all install in the user profile.

Do they require read/write access there to compile? Do they separate read-only from read/write content? And the bit with the legacy binutils and gdb not dealing with spaces in the path. (*)

(*) iirc windres is one of the worst offenders there, and the next FPC release cycle will start with substituting with fpcres as much as possible instead.

« Last Edit: November 21, 2023, 04:14:11 pm by marcov »

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 10261
  • Debugger - SynEdit - and more
    • wiki
Re: Is the inno setup installer code signed?
« Reply #8 on: November 21, 2023, 04:09:53 pm »
No, the lazarus inno installer is not code-signed (unfortunately)....

We had the discussion various times. Everyone agrees it should be. (And apparently the money would also be available to get the cert).

But then someone needs to do the work, and make it happen. And no one does.

Mind, that "do the work" would also mean to find out how/if the Mac installer could get signed (not sure about Linux either). And if that could be done with one cert (or at least all certs provided from one source).

Then the person(s) (probably several) signing, and the person ordering the cert will be different.
If signing means the need of some hardware then that can be shipped. But if the cert is bound to exactly one hardware token, it may be a problem because different people may do the signing...

Andyk

  • Jr. Member
  • **
  • Posts: 72
Re: Is the inno setup installer code signed?
« Reply #9 on: December 13, 2023, 11:51:41 am »
Quote
The folders are not read only, that is where user installed programs are supposed to go.

I looked on two fairly fresh machines with win11, and all those dirs are readonly.

Quote
If you install programs from the Microsoft Store, that's where they go.

Such is pushed by MS since late XP times and stronger, Vista times. But that is not the question.

"Will it work in Lazarus' special case?" is the question.

Quote
Open source programs like Python, Gimp, GNU Octave all install in the user profile.

Do they require read/write access there to compile? Do they separate read-only from read/write content? And the bit with the legacy binutils and gdb not dealing with spaces in the path. (*)

(*) iirc windres is one of the worst offenders there, and the next FPC release cycle will start with substituting with fpcres as much as possible instead.

I have a brand new Win11 laptop for work on which I do not have admin rights.

I successfully installed Lazarus into my user profile and it all works.

This means the installer could be changed to use {autopf}.
« Last Edit: December 13, 2023, 12:53:48 pm by Andyk »

Thaddy

  • Hero Member
  • *****
  • Posts: 15555
  • Censorship about opinions does not belong here.
Re: Is the inno setup installer code signed?
« Reply #10 on: December 13, 2023, 01:04:07 pm »
Quote
No, the lazarus inno installer is not code-signed (unfortunately)....

Assuming Windows here:
True, but there are issues: I have a code sign certificate, renewed when due, but due to rights issues (on paper, not tied to machine(s), that is a misconception) it would mean that every single binary and code has to be verified by me, with me signing it and sending the binary back.
That is pretty much undoable for one person: every time somebody changes his code even by one byte or flag I have to do this all over again. But on request I signed some binaries a couple of years ago. In the meantime these binaries changed and I did NOT get full access to the code, which means I can no longer have responsibility and therefore the author lost his capability to sign through me.
That made me abandon code signing for others too.
The signing itself is not difficult, but once you sign it is your legally valid autograph. People tend to forget that.

Note that a signed binary is signed forever, but you have to renew the certificate to sign every once in a while.

The only piece of software for which I would make an exception is a piece of software written and maintained by a bunch of mostly 50+ year olds (i.e. FPC itself), but I would probably donate the cost of a signing certificate, once.
That is because with signing comes a whole host of responsibilities.
« Last Edit: December 13, 2023, 01:37:38 pm by Thaddy »
If I smell bad code it usually is bad code and that includes my own code.

Andyk

  • Jr. Member
  • **
  • Posts: 72
Re: Is the inno setup installer code signed?
« Reply #11 on: December 13, 2023, 01:28:06 pm »
I've had a look at the .iss file

The following lines need changing

DefaultDirName={autopf}\Lazarus

PrivilegesRequired=lowest  (currently set to none....which is not a valid option)

All the HKLM registry settings can be deleted and all the HKCU tags should be changed to HKA

I think that's it.
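The checklist from the post above, turned into a small audit over an .iss script, as an added example that is not part of the thread or of the Lazarus repository. The sample script is constructed (it is not the real Lazarus .iss), `audit_iss` is a hypothetical helper name, and the check for a `SignTool` directive is added here because of the thread's original question.

```python
import re

# Constructed sample (not the real Lazarus .iss) using the settings named in the thread.
SAMPLE_ISS = r"""
[Setup]
PrivilegesRequired=none
DefaultDirName={sd}\example
[Files]
Source: "app.exe"; DestDir: "{app}"
Source: "helper.dll"; DestDir: "{sys}"
[Registry]
Root: HKLM; Subkey: "Software\Example"; ValueType: string; ValueName: "Path"; ValueData: "{app}"
Root: HKCU; Subkey: "Software\Example"; ValueType: string; ValueName: "Lang"; ValueData: "en"
"""

def audit_iss(text):
    """Return sorted (line_no, message) findings that stand in the way of a per-user install."""
    findings, section, setup = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and ; comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "setup" and "=" in line:
            key, value = line.split("=", 1)
            setup[key.strip().lower()] = (no, value.strip())
        elif section in ("files", "dirs") and "{sys}" in line.lower():
            findings.append((no, "writes to {sys}, which needs admin rights"))
        elif section == "registry":
            root = re.search(r"\bRoot:\s*(\w+)", line, re.I)
            if root and root.group(1).upper().startswith("HKLM"):
                findings.append((no, "HKLM entry needs admin rights"))
            elif root and root.group(1).upper().startswith("HKCU"):
                findings.append((no, "HKCU entry: thread proposes HKA"))
    no, value = setup.get("privilegesrequired", (0, "(unset)"))
    if value.lower() != "lowest":
        findings.append((no, f"PrivilegesRequired={value}, thread proposes lowest"))
    no, value = setup.get("defaultdirname", (0, "(unset)"))
    if "{autopf}" not in value.lower():
        findings.append((no, f"DefaultDirName={value}, thread proposes {{autopf}}\\Lazarus"))
    if "signtool" not in setup:
        findings.append((0, "no SignTool directive: compiler will not sign the installer"))
    return sorted(findings)

if __name__ == "__main__":
    for no, message in audit_iss(SAMPLE_ISS):
        print(f"line {no}: {message}")
```

Line 0 marks a directive that is missing from the script. The `{autopf}` constant and the `HKA` root were introduced in Inno Setup 6, so a script using them does not compile with a 5.x compiler.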

Thaddy

  • Hero Member
  • *****
  • Posts: 15555
  • Censorship about opinions does not belong here.
Re: Is the inno setup installer code signed?
« Reply #12 on: December 13, 2023, 01:43:52 pm »
That probably works but is not equivalent to code signed binaries.
BTW the code for innosetup is open source. Jordan, the main author, always kept it open source since the late 90's.
« Last Edit: December 13, 2023, 01:48:27 pm by Thaddy »
If I smell bad code it usually is bad code and that includes my own code.

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 10261
  • Debugger - SynEdit - and more
    • wiki
Re: Is the inno setup installer code signed?
« Reply #13 on: December 13, 2023, 02:06:01 pm »
There are a few considerations going into how the installer is built.

1) The 32 bit installer can install the QT[45]Pas into the system folder. To do so, it needs admin. (Not sure if there will be a QT[45]Pas.dll for 64 bit)
2) The 64 bit installer used to offer that for ssl libraries, but they are now downloaded, if required (OPM).
3) As it stands, we still support WinXP, which limits Inno setup to version 5.6

Eventually something will have to be changed...

msintle

  • Full Member
  • ***
  • Posts: 133
Re: Is the inno setup installer code signed?
« Reply #14 on: December 14, 2023, 12:39:39 pm »
Quote
Eventually something will have to be changed...

InstallAware Multi Platform is offering free licenses to open source projects. Might be worth looking into - single source builds for macOS, Linux, and Windows - plus, built with Lazarus itself!
