Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bug] nsis plugins aren't signed #11673

Open
thewh1teagle opened this issue Nov 13, 2024 · 0 comments · May be fixed by #11676
Open

[bug] nsis plugins aren't signed #11673

thewh1teagle opened this issue Nov 13, 2024 · 0 comments · May be fixed by #11676
Labels
platform: Windows priority: 1 high scope: bundler The bundler used in our cli to make installers status: needs triage This issue needs to triage, applied to new issues type: bug

Comments

@thewh1teagle
Copy link
Contributor

thewh1teagle commented Nov 13, 2024

Describe the bug

Nsis plugins inside nsis installer aren't signed with code signing though I enabled code signing.
The app was signed, the DLLs and the installer. but the DLLs inside $PLUGINSDIR are not signed.
as a result AVs flag them as virus immediately.

Reproduction

Download sigcheckGUI https://www.majorgeeks.com/mg/getmirror/sigcheckgui,1.html
Download https://github.com/thewh1teagle/vibe/releases/download/v2.6.6/vibe_2.6.6_x64-setup.exe
Extract the app with 7zip and check the signatures of the files

Expected behavior

It should be signed by my certificate or by yours (official?)

Full tauri info output

https://github.com/thewh1teagle/vibe
https://github.com/thewh1teagle/vibe/commit/ff020aef26235169541a1ffcea9c0157e8df4311




[✔] Environment
    - node: 20.15.1
    - pnpm: 9.10.0
    - yarn: 1.22.22
    - npm: 10.7.0
    - bun: 1.1.18

[-] Packages
    - tauri 🦀: 2.1.0
    - tauri-build 🦀: 2.0.3
    - wry 🦀: 0.47.0
    - tao 🦀: 0.30.6
    - @tauri-apps/api : 2.1.0 (outdated, latest: 2.1.1)
    - @tauri-apps/cli : 2.1.0

[-] Plugins
    - tauri-plugin-updater 🦀: 2.0.2
    - @tauri-apps/plugin-updater : 2.0.0
    - tauri-plugin-shell 🦀: 2.0.2
    - @tauri-apps/plugin-shell : 2.0.1
    - tauri-plugin-store 🦀: 2.1.0
    - @tauri-apps/plugin-store : 2.1.0
    - tauri-plugin-process 🦀: 2.0.1
    - @tauri-apps/plugin-process : 2.0.0
    - tauri-plugin-window-state 🦀: 2.0.2
    - @tauri-apps/plugin-window-state : 2.0.0
    - tauri-plugin-deep-link 🦀: 2.0.1
    - @tauri-apps/plugin-deep-link : 2.0.0
    - tauri-plugin-fs 🦀: 2.0.3
    - @tauri-apps/plugin-fs : 2.0.2
    - tauri-plugin-single-instance 🦀: 2.0.1
    - @tauri-apps/plugin-single-instance : not installed!
    - tauri-plugin-os 🦀: 2.0.1
    - @tauri-apps/plugin-os : 2.0.0
    - tauri-plugin-http 🦀: 2.0.3
    - @tauri-apps/plugin-http : 2.0.0 (outdated, latest: 2.0.1)
    - tauri-plugin-dialog 🦀: 2.0.3
    - @tauri-apps/plugin-dialog : 2.0.1

[-] App
    - build-type: bundle
    - CSP: unset
    - frontendDist: ../dist
    - devUrl: http://localhost:1420/
    - framework: React
    - bundler: Vite

Stack trace

No response

Additional context

I noticed that virustotal flag the nsis plugins as a virus.
By the way signing with self signed certificate is better than unsigned! now windows defender didn't blocked it and virus total has less false positives

https://code.videolan.org/videolan/vlc/-/issues/27469

@thewh1teagle thewh1teagle added status: needs triage This issue needs to triage, applied to new issues type: bug labels Nov 13, 2024
@FabianLars FabianLars added priority: 1 high platform: Windows scope: bundler The bundler used in our cli to make installers labels Nov 13, 2024
@thewh1teagle thewh1teagle linked a pull request Nov 13, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
platform: Windows priority: 1 high scope: bundler The bundler used in our cli to make installers status: needs triage This issue needs to triage, applied to new issues type: bug
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants