Comments on jpackage (JEP 343)

Alexey Semenyuk alexey.semenyuk at oracle.com
Wed Oct 2 14:04:56 UTC 2019


Hi Sverre,

Thank you for doing this research. I don't think we should complicate 
jpackage by adding signing steps in it.
However, we can add a call to a custom script after the msi is constructed 
but before it gets embedded in the exe installer.
This script can sign the msi.
We already support calling a custom script from the resource dir before 
building the msi. We just need to add another call.

- Alexey

On 10/2/2019 9:41 AM, Sverre Moe wrote:
> Wed. 25 Sep. 2019 at 15:45, Sverre Moe <sverre.moe at gmail.com> wrote:
>
>> I have some new comments regarding the Windows build of jpackage.
>>
>> 1)
>> Is there any way to build a trusted application installer using WiX?
>> I want to avoid "Unknown Publisher" when installing the application.
>> Also having problems with Windows Defender SmartScreen, depending on what
>> settings the user has (Block, Warn, Off).
>> If Block, the user cannot install the application. If Warn, the user can
>> click "More info", then "Run anyway".
>>
>>>
> I have looked into this. It can be done using tools like insignia [1]
> and signtool [2].
>
> It can be done after the MSI has been built by jpackage using the tool
> SignTool from the Microsoft SDK.
> I successfully managed to sign the MSI and EXE built by jpackage:
> $ /cygdrive/c/Program\ Files\ \(x86\)/Windows\ Kits/10/bin/10.0.18362.0/x64/signtool.exe sign /v /a /d "Application Installer" /f "cert.pfx" /p certpass /fd SHA256 /t http://timestamp.digicert.com build/native/application-1.1.0.msi
>
> It could also be beneficial to sign the application executable in the
> application image prior to creating the application installer package.
> Since the native application executable does not have write access after
> being constructed by jpackage, then in order to use signtool on it I had to
> modify the file permissions.
>
> I have yet to find out how to do it with WiX.
>
> [1] https://wixtoolset.org/documentation/manual/v3/overview/insignia.html
> [2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool
>
> /Sverre
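
Added example (not part of the original thread and not jpackage code): a shell wrapper for the signing steps discussed above, usable for both the read-only application executable and the finished MSI, which restores the file permissions afterwards and verifies the signature. The names SIGNTOOL, PFX_FILE, PFX_PASS, TIMESTAMP_URL and sign_file are assumptions made here; it uses signtool's RFC 3161 options (/tr with /td SHA256) in place of the /t option in the quoted command.

```shell
#!/bin/sh
# Added example: sign one file with signtool, then verify the signature.
# SIGNTOOL, PFX_FILE, PFX_PASS and TIMESTAMP_URL are names chosen for this
# example; point SIGNTOOL at the signtool.exe of the installed Windows SDK.
SIGNTOOL="${SIGNTOOL:-signtool.exe}"
PFX_FILE="${PFX_FILE:-cert.pfx}"
TIMESTAMP_URL="${TIMESTAMP_URL:-http://timestamp.digicert.com}"

# sign_file FILE DESCRIPTION
# Returns 0 only if both "signtool sign" and "signtool verify" succeed.
sign_file() {
    file=$1
    desc=$2
    made_writable=0
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # The password comes from the environment so it is not stored in the
    # script or build file. It is still passed to signtool via /p, so it is
    # visible in that process's command line while signing runs.
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 2; }

    # jpackage leaves the application executable read-only; signtool has to
    # rewrite the file, so grant write access just for the signing step.
    if [ ! -w "$file" ]; then
        chmod u+w "$file" || return 1
        made_writable=1
    fi

    rc=0
    "$SIGNTOOL" sign /v /d "$desc" /f "$PFX_FILE" /p "$PFX_PASS" \
        /fd SHA256 /tr "$TIMESTAMP_URL" /td SHA256 "$file" || rc=$?

    # Put the original permissions back even when signing failed.
    if [ "$made_writable" -eq 1 ]; then
        chmod u-w "$file"
    fi
    [ "$rc" -eq 0 ] || return "$rc"

    # /pa checks against the default Authenticode verification policy, so a
    # missing or broken signature fails the build here, not at install time.
    "$SIGNTOOL" verify /pa /v "$file"
}

# Stand-alone use: sign_file.sh FILE [DESCRIPTION]
if [ "$#" -ge 1 ]; then
    sign_file "$1" "${2:-Application Installer}"
fi
```

Run it once on the executable in the application image before packaging and once on the resulting MSI, for example with build/native/application-1.1.0.msi from the quoted command.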


