Comments on jpackage (JEP 343)

Sverre Moe sverre.moe at gmail.com
Wed Oct 2 13:41:38 UTC 2019


ons. 25. sep. 2019 kl. 15:45 skrev Sverre Moe <sverre.moe at gmail.com>:

> I have some new comments regarding the Windows build of jpackage.
>
> 1)
> Is there any way to build an trusted application installer using WiX?
> I want to avoid "Unknown Publisher" when installing the application.
> Also having problems with Windows Defender SmartScreen, depending on what
> settings the user has (Block, Warn, Off).
> If Block, the user cannot install the application. If Warn, the user can
> click "More info", then "Run anyway".
>
>>
>>
I have looked into this. It can be done with using tools like insignia [1]
and signtool [2].

It can be done after the MSI has been built by jpackage using the tool
SignTool from the Microsoft SDK.
I successfully managed to sign the MSI and EXE built by jpackage:
> $ /cygdrive/c/Program\ Files\ \(x86\)/Windows\
Kits/10/bin/10.0.18362.0/x64/signtool.exe sign /v /a /d "Application
Installer" /f "cert.pfx" /p certpass /fd SHA256 /t
http://timestamp.digicert.com build/native/application-1.1.0.msi

It could also be beneficial to sign the application executable in the
application image prior to creating the application installer package.
Since the native application executable does not have write access after
being constructed by jpackage, then in order to use signtool on it I had to
modify the file permissions.

I have yet to find out how to do it with WiX.

[1] https://wixtoolset.org/documentation/manual/v3/overview/insignia.html
[2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool

/Sverre


More information about the core-libs-dev mailing list